Comments (9)
tongyifan
commented on July 28, 2024
http://demo.nexusphp.cn/staffbox.php?action=viewpm&pmid=1
from nexusphp.
Rhilip
commented on July 28, 2024
(玩家3和玩家5已经完成注入测试了
from nexusphp.
Rhilip
commented on July 28, 2024
其实改成 filter_input(INPUT_GET, xxx, FILTER_VALIDATE_INT, ['options' => ['default' => 0]]) 会好些,不过还是建议上STMT哦
from nexusphp.
xiaomlove
commented on July 28, 2024
楼上两位会玩,我忽略了 "0 +" 其实是在做类型转换。 @tongyifan 发送者不是本人这个问题是怎么弄出来的?
from nexusphp.
xiaomlove
commented on July 28, 2024
其实改成
filter_input(INPUT_GET, xxx, FILTER_VALIDATE_INT, ['options' => ['default' => 0]])会好些,不过还是建议上STMT哦
这个没法上吧,都是大量的拼好的 sql 语句
from nexusphp.
Rhilip
commented on July 28, 2024
楼上两位会玩,我忽略了 "0 +" 其实是在做类型转换。 @tongyifan 发送者不是本人这个问题是怎么弄出来的?
你把 0+$_GET[] 改了,就留下注入漏洞了。
然后就可以拿到数据库users表的passhash字段,顺利登录你的账号了呗
其实改成
filter_input(INPUT_GET, xxx, FILTER_VALIDATE_INT, ['options' => ['default' => 0]])会好些,不过还是建议上STMT哦这个没法上吧,都是大量的拼好的 sql 语句
OurBits这边,数据库这边90%以上语句都是STMT预处理了。
from nexusphp.
xiaomlove
commented on July 28, 2024
楼上两位会玩,我忽略了 "0 +" 其实是在做类型转换。 @tongyifan 发送者不是本人这个问题是怎么弄出来的?
你把
0+$_GET[]改了,就留下注入漏洞了。然后就可以拿到数据库
users表的passhash字段,顺利登录你的账号了呗
其实改成
filter_input(INPUT_GET, xxx, FILTER_VALIDATE_INT, ['options' => ['default' => 0]])会好些,不过还是建议上STMT哦这个没法上吧,都是大量的拼好的 sql 语句
OurBits这边,数据库这边90%以上语句都是STMT预处理了。
还是不太懂。
1,通过哪个URL什么请求参数得到passhash。
2,这个字段单向加密得到,没什么用吧。登录需要原始密码啊。请大佬指点。
from nexusphp.
Rhilip
commented on July 28, 2024
- 请看你commit history,反正你修改过的地方都有可能有注入风险,我和杯具只利用了其中某一个。
- 对NPHP,只要有passhash和id对应,就可以改cookies变id了。请阅读
user_login()签名方法以及takelogin.php实现。这也是部分站点修改cookie的原因。
不再回答了。
from nexusphp.
xiaomlove
commented on July 28, 2024
感谢 @tongyifan @Rhilip
在保证不报错误的前提下,使用 intval() 恢复了原来 0+ 的强制类型转换。
本人对 NP 不了解,不知道有了 passhash 可以随意伪造用户 ID 的事,经实践确实是可以的。
但不恢复强制类型转换时哪些地方可能造成 passhash 泄露,还是不太清楚。现修改后不会再泄露了吧
from nexusphp.
Related Issues (20)
- Date,bbcode,dimensions size HOT 2
- 临时VIP设置不生效 HOT 1
- 种子页小BUG HOT 2
- 抽中7天VIP后,再手动赋予发布员级别会有小BUG HOT 2
- 有计划做个对接steam的插件吗? HOT 4
- Idea for admin files location HOT 1
- 关于隐私论坛版块引用导致原帖内容暴露的问题 HOT 1
- 建议幸运大抽奖增加勋章作为奖品和增加自定义奖品的选项,增加连抽选项
- Category icons disappear when choosing not to use icons HOT 1
- 安装过程出错,无法创建数据表 HOT 3
- Seed Box建议 HOT 1
- 关于项目的国际化工作|About the internationalization work of the project
- 建议创建新表储存:首页的:最近消息 - [发布] HOT 1
- qq交流群消失 HOT 1
- 在后台设置修改用户等级,设为VIP的话,没有时间限制,直接变成永远VIP HOT 1
- Custom field enable checkbox missing ? HOT 6
- 无法删除用户上传的字幕 HOT 1
- 取消 SMTP 用户名校验 HOT 2
- Security Issue HOT 2
- Spoiler bbcode换行失效 HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nexusphp.