5up3rh3i'blog［提供有偿web代码安全审计服务］

版权声明：转载时请以超链接形式标明文章原始出处和作者信息及本声明
http://superhei.blogbus.com/logs/3436056.html

Sablog-X Ver 1.1 getip() Vulnerability

getip()过滤不严导致sql/xss等攻击。

sablog\include\common.php
--------code-------------
function getip() {
if (isset($_SERVER)) {
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$realip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
$realip = $_SERVER['HTTP_CLIENT_IP'];
} else {
$realip = $_SERVER['REMOTE_ADDR'];
}
} else {
if (getenv("HTTP_X_FORWARDED_FOR")) {
$realip = getenv( "HTTP_X_FORWARDED_FOR");
} elseif (getenv("HTTP_CLIENT_IP")) {
$realip = getenv("HTTP_CLIENT_IP");
} else {
$realip = getenv("REMOTE_ADDR");
}
}
return $realip;
}
--------code-------------

D:\>Findstr /S /I /N /d:D:\phproot\sablog "getip" *.php
D:\phproot\sablog:
post.php:93: $DB->query("INSERT INTO ".$db_prefix."users VALUES ('', '".$username."', '".md5($password)."', '".$email."', '".$url."', '".time()."', '".getip()."', '0', '')");
post.php:181: if (preg_match("/^$ban_ip/", getip())) {
post.php:320: $DB->query("INSERT INTO ".$db_prefix."comments (articleid, authorid, author, url, email, dateline, content, ipaddress, visible) VALUES ('".$articleid."', '".$userid."', '".$username."', '".$url."', '".$email."', '".time()."', '".$content."', '".getip()."', '".$visible."')");
post.php:379: $query = $DB->query("SELECT searchid, dateline, ('".$options['search_post_space']."'<>'0' AND ".time()."-dateline<".$options['search_post_space'].") AS flood, searchfrom='".$searchfrom."' AND keywords='".$keywords."' AS indexvalid FROM ".$db_prefix."searchindex WHERE ('".$options['search_post_space']."'<>'0' AND ipaddress='".getip()."' AND ".time()."-dateline<".$options['search_post_space'].") ORDER BY flood");
post.php:475: $DB->query("INSERT INTO ".$db_prefix."searchindex (keywords, dateline, sortby, orderby, tatols, ids, searchfrom, ipaddress) VALUES ('".$keywords."', '".time()."', '".$sortby."', '".$orderby."', '".$tatols."', '".$ids."', '".$searchfrom."', '".getip()."')");
trackback.php:80: $query = $DB->query("SELECT trackbackid FROM ".$db_prefix."trackbacks WHERE ipaddress='".getip()."' AND dateline+".$interval.">='".time()."'");
trackback.php:98: $query = $DB->query("SELECT title,ipaddress,articleid FROM ".$db_prefix."trackbacks WHERE ipaddress='".getip()."' OR articleid='".$articleid."'");
trackback.php:101: if ($trackback['title'] == $title && $trackback['ipaddress'] == getip()) {
trackback.php:105: if ($trackback['ipaddress'] == getip() && $trackback['articleid'] == $articleid) {
trackback.php:185: $DB->query("INSERT INTO ".$db_prefix."trackbacks (articleid, title, dateline, excerpt, url, blog_name, ipaddress, visible, point) VALUES('".$articleid."', '".$title."', '".time()."', '".$excerpt."', '".$url."', '".$blog_name."', '".getip()."', '".$visible."', '".$point."')");
include\common.php:168:function getip() {
include\common.php:219:if ($_COOKIE["UserIP"] !== getip()) {
include\common.php:220: setcookie ("UserIP", getip(), time()+(24*3600));
admin\adminfunctions.php:128: $DB->query("INSERT INTO ".$db_prefix."loginlog (username,dateline,ipaddress,result) VALUES ('".addslashes($username)."','".time()."','".getip()."','".$result."')");

admin\adminfunctions.php:137: $DB->query("INSERT INTO ".$db_prefix."adminlog (action,script,dateline,ipaddress,username) VALUES ('".htmlspecialchars(trim($action))."','".htmlspecialchars(trim($script))."','".time()."','".getip()."','".$_SESSION['admin_username']."')");

admin\global.php:70: $DB->unbuffered_query("UPDATE ".$db_prefix."admin SET logincount=logincount+1, logintime='".time()."', loginip='".getip()."' WHERE username='".$username."'");

wap\global.php:228: $DB->query("INSERT INTO ".$db_prefix."loginlog (username,dateline,ipaddress,result) VALUES ('".addslashes($username)."','".time()."','".getip()."','".$result."')");
wap\index.php:329: $query = $DB->query("SELECT searchid, dateline, ('".$options['search_post_space']."'<>'0' AND ".time()."-dateline<".$options['search_post_space'].") AS flood, searchfrom='article' AND keywords='".$keywords."' AS indexvalid FROM ".$db_prefix."searchindex WHERE ('".$options['search_post_space']."'<>'0' AND ipaddress='".getip()."' AND ".time()."-dateline<".$options['search_post_space'].") ORDER BY flood");
wap\index.php:376: $DB->query("INSERT INTO ".$db_prefix."searchindex (keywords, dateline, sortby, orderby, tatols, ids, searchfrom, ipaddress) VALUES ('".$keywords."', '".time()."', 'dateline', 'desc', '".$tatols."', '".$ids."', 'article', '".getip()."')");
wap\index.php:622: $DB->unbuffered_query("UPDATE ".$db_prefix."admin SET logincount=logincount+1, logintime='".time()."', loginip='".getip()."' WHERE username='".$username."'");
wap\index.php:686: if (preg_match("/^$ban_ip/", getip())) {
wap\index.php:762: if (preg_match("/^$ban_ip/", getip())) {
wap\index.php:812: $DB->query("INSERT INTO ".$db_prefix."comments (articleid, authorid, author, url, email, dateline, content, ipaddress, visible) VALUES ('".$articleid."', '".$userid."', '".$username."', '".$url."', '".$email."', '".time()."', '".$content."', '".getip()."', '".$visible."')");