漏洞描述
DOYO 2.3版本留言板SQL注入漏洞影响版本
DOYO 2.3漏洞分析
sourcemessage.phpfunction add(){
if($GLOBALS['G_DY']['vercode']==1){
if(!$this->syArgs("vercode",1)||md5(strtolower($this->syArgs("vercode",1)))!=$_SESSION['doyo_verify'])message("验证码错误");
}
if(!$this->syArgs('tid'))message("请选择栏目");
$tid=$this->syArgs('tid');
$this->type=syDB('classtype')->find(array('tid'=>$tid),null,'molds,classname,msubmit');
if($this->type['msubmit']!=1){
$this->member->p_r($this->type['msubmit']);
}
$isshow = ($this->my['group']['audit']==1) ? 1 : 0;
$user = ($this->my['id']!=0) ? $this->my['user'] : '游客';
$fmolds = ($this->syArgs('fmolds',1)!='') ? $this->syArgs('fmolds',1) : '';
$title = ($this->syArgs('title',1)!='') ? $this->syArgs('title',1) : $this->type['classname'];
$body = ($this->syArgs('body',1)!='') ? $this->syArgs('body',1) : '';
$row1 = array('tid' => $tid,'fmolds' => $fmolds,'faid' => $this->syArgs('faid'),'title' => $title,'addtime' => time(),'orders' => 0,'isshow' => $isshow,'user' => $user,'body' => $body,'reply'=>'');
$row2=$this->fields_args('message',$tid);
$add = syClass('c_message');$newv=$add->syVerifier($row1);
if(false == $newv){
$a=$add->create($row1);$row2=array_merge($row2,array('aid' => $a));
syDB('message_field')->create($row2);
if($this->my['id']!=0){
syDB('member_file')->update(array('hand'=>$this->syArgs('hand'),'uid'=>$this->my['id']),array('hand'=>0,'aid'=>$a,'molds' => 'message'));
}else{
syDB('member_file')->update(array('hand'=>$this->syArgs('hand'),'ip'=>GetIP()),array('hand'=>0,'aid'=>$a,'molds' => 'message'));
}
message('发布成功',$GLOBALS["WWW"]);
}else{message_err($newv);}
}
message 是可以控制的
漏洞复现
index.php?a=type&c=message&faid=1&fmolds=message&tid=23
这里已经报错了
注入成功:
