破绽描绘

DOYO 2.3版本留言板SQL注入破绽
 

影响版本

DOYO 2.3
 

破绽剖析

sourcemessage.php

function add(){

        if($GLOBALS['G_DY']['vercode']==1){

        if(!$this->syArgs("vercode",1)||md5(strtolower($this->syArgs("vercode",1)))!=$_SESSION['doyo_verify'])message("考证码错误");

        }

        if(!$this->syArgs('tid'))message("请选择栏目");

        $tid=$this->syArgs('tid');

        $this->type=syDB('classtype')->find(array('tid'=>$tid),null,'molds,classname,msubmit');

        if($this->type['msubmit']!=1){

            $this->member->p_r($this->type['msubmit']);

        }

        $isshow = ($this->my['group']['audit']==1) ? 1 : 0;

        $user = ($this->my['id']!=0) ? $this->my['user'] : '游客';

        $fmolds = ($this->syArgs('fmolds',1)!='') ? $this->syArgs('fmolds',1) : '';

        $title = ($this->syArgs('title',1)!='') ? $this->syArgs('title',1) : $this->type['classname'];

        $body = ($this->syArgs('body',1)!='') ? $this->syArgs('body',1) : '';

        $row1 = array('tid' => $tid,'fmolds' => $fmolds,'faid' => $this->syArgs('faid'),'title' => $title,'addtime' => time(),'orders' => 0,'isshow' => $isshow,'user' => $user,'body' => $body,'reply'=>'');

        $row2=$this->fields_args('message',$tid);

        $add = syClass('c_message');$newv=$add->syVerifier($row1);

        if(false == $newv){

            $a=$add->create($row1);$row2=array_merge($row2,array('aid' => $a));

            syDB('message_field')->create($row2);

            if($this->my['id']!=0){

                syDB('member_file')->update(array('hand'=>$this->syArgs('hand'),'uid'=>$this->my['id']),array('hand'=>0,'aid'=>$a,'molds' => 'message'));

            }else{

                syDB('member_file')->update(array('hand'=>$this->syArgs('hand'),'ip'=>GetIP()),array('hand'=>0,'aid'=>$a,'molds' => 'message'));

            }

            message('发布胜利',$GLOBALS["WWW"]);

        }else{message_err($newv);}

    }

     
message 是能够控制的
 

破绽复现

index.php?a=type&c=message&faid=1&fmolds=message&tid=23

这里曾经报错了

注入胜利：

感谢您的来访，获取更多精彩文章请收藏本站。