漏洞描述

DOYO 2.3版本留言板SQL注入漏洞
 

影响版本

DOYO 2.3
 
 

漏洞分析

sourcemessage.php

function add(){
        if($GLOBALS['G_DY']['vercode']==1){

        if(!$this->syArgs("vercode",1)||md5(strtolower($this->syArgs("vercode",1)))!=$_SESSION['doyo_verify'])message("验证码错误");
        }
        if(!$this->syArgs('tid'))message("请选择栏目");
        $tid=$this->syArgs('tid');
        $this->type=syDB('classtype')->find(array('tid'=>$tid),null,'molds,classname,msubmit');
        if($this->type['msubmit']!=1){
            $this->member->p_r($this->type['msubmit']);
        }
        $isshow = ($this->my['group']['audit']==1) ? 1 : 0;
        $user = ($this->my['id']!=0) ? $this->my['user'] : '游客';
        $fmolds = ($this->syArgs('fmolds',1)!='') ? $this->syArgs('fmolds',1) : '';
        $title = ($this->syArgs('title',1)!='') ? $this->syArgs('title',1) : $this->type['classname'];
        $body = ($this->syArgs('body',1)!='') ? $this->syArgs('body',1) : '';
        $row1 = array('tid' => $tid,'fmolds' => $fmolds,'faid' => $this->syArgs('faid'),'title' => $title,'addtime' => time(),'orders' => 0,'isshow' => $isshow,'user' => $user,'body' => $body,'reply'=>'');
        $row2=$this->fields_args('message',$tid);
        $add = syClass('c_message');$newv=$add->syVerifier($row1);
        if(false == $newv){
            $a=$add->create($row1);$row2=array_merge($row2,array('aid' => $a));
            syDB('message_field')->create($row2);
            if($this->my['id']!=0){
                syDB('member_file')->update(array('hand'=>$this->syArgs('hand'),'uid'=>$this->my['id']),array('hand'=>0,'aid'=>$a,'molds' => 'message'));
            }else{
                syDB('member_file')->update(array('hand'=>$this->syArgs('hand'),'ip'=>GetIP()),array('hand'=>0,'aid'=>$a,'molds' => 'message'));
            }
            message('发布成功',$GLOBALS["WWW"]);
        }else{message_err($newv);}
    }


     
message 是可以控制的
 
 

漏洞复现

index.php?a=type&c=message&faid=1&fmolds=message&tid=23





这里已经报错了



注入成功: