齐博CMS 二次注入3

2014-11-18T00:00:00
ID SSV:94184
Type seebug
Reporter Root
Modified 2014-11-18T00:00:00

Description

简要描述:

齐博地方门户 V5.0,二次注入

详细说明:

/news/js.php中

``` if($type=='hot'||$type=='com'||$type=='new'||$type=='lastview'||$type=='like') { if($f_id) { if(is_numeric($f_id)){ $SQL=" fid=$f_id "; }else{ $detail=explode(",",$f_id); $SQL=" fid IN ( ".implode(",",$detail)." ) "; } } else { $SQL=" 1 "; } if($type=='com') { $SQL.=" AND levels=1 "; $ORDER=' list '; $_INDEX=" USE INDEX ( list ) "; } elseif($type=='hot') { $ORDER=' hits '; $_INDEX=" USE INDEX ( hits ) "; } elseif($type=='new') { $ORDER=' list '; $_INDEX=" USE INDEX ( list ) "; } elseif($type=='lastview') { $ORDER=' lastview '; $_INDEX=" USE INDEX ( lastview ) "; } elseif($type=='like') {

    // --- 'like' branch: build the related-items filter from the current item's keywords ---
    // $id is interpolated straight into the SQL string; where it comes from is not shown in
    // this excerpt, so it has to be treated as untrusted unless the caller is known to validate it.
    $SQL.=" AND id!='$id' ";
    if(!$keyword)
    {
        // Fallback: read the `keywords` column of row $id and let extract() drop it into this
        // scope as $keyword. $id is interpolated here unescaped as well.
        extract($db->get_one("SELECT keywords AS keyword FROM {$_pre}content WHERE id='$id'"));
    }
    if($keyword){
        $SQL.=" AND ( ";
        $keyword=urldecode($keyword);   // URL-decode the keyword (restores any percent-encoded characters)
        // Split on single spaces; each fragment becomes one LIKE term below.
        $detail=explode(" ",$keyword);
        // Reset the accumulator: this code runs at script scope, so a stale $detail2 could otherwise leak in.
        unset($detail2);
        foreach( $detail AS $key=>$value){
            // Second-order injection point: $value may originate from the database row read
            // above rather than from the request, and it is spliced into the LIKE pattern with
            // no escaping or parameter binding. Mitigation: bind it as a query parameter (or
            // escape it via the DB layer) and treat values read back from the DB as untrusted.
            $detail2[]=" BINARY title LIKE '%$value%' ";
        }
        $str=implode(" OR ",$detail2);
        $SQL.=" $str ) ";
    }else{
        // No keyword available: force an empty result set.
        $SQL.=" AND 0 ";
    }

    $_INDEX=" USE INDEX ( list ) ";
    $ORDER=' list ';
}
// Assemble the final clause. $rows is interpolated into LIMIT unescaped; its source is not shown here.
$SQL=" $_INDEX WHERE $SQL AND yz=1 ORDER BY $ORDER DESC LIMIT $rows";
$which='*';
// $target, $path and $icon are read below but not defined in this excerpt.
$_target=$target?'_blank':'_self';
if($path){
    // Keep everything up to and including the last '/' of $WEBURL, i.e. its directory part.
    // $_path stays undefined when $path is falsy and is still interpolated into the link below.
    $_path=preg_replace("/(.*)\/([^\/]+)/is","\\1/",$WEBURL);
}
if($icon==1){
    $_icon="·";
}else{
    $_icon=" ";
}
// listcontent() is defined elsewhere; $leng is not defined in this excerpt.
$listdb=listcontent($SQL,$which,$leng);
// Render one anchor per row, appending to $show (not initialised in this excerpt).
// Column values ($rs[full_title], $rs[title], $rs[fid], $rs[id]) are written into HTML
// attributes and text without htmlspecialchars(); if those columns can be attacker-influenced
// this is a stored-XSS risk, so escape per context at output time.
foreach($listdb AS $key=>$rs)
{
    $show.="$_icon<A target='$_target' HREF='{$_path}bencandy.php?fid=$rs[fid]&id=$rs[id]' title='$rs[full_title]'>$rs[title]</A>

"; } if(!$show){ $show="暂无..."; } ```

起初总是不成功,后来才看到下面的代码:$keyword 进入 explode 函数后被按空格拆分了,所以使用 /**/ 替换空格。

if($keyword){ $SQL.=" AND ( "; $keyword=urldecode($keyword); $detail=explode(" ",$keyword); unset($detail2); foreach( $detail AS $key=>$value){ $detail2[]=" BINARY title LIKE '%$value%' "; } $str=implode(" OR ",$detail2); $SQL.=" $str ) "; }else{ $SQL.=" AND 0 "; }

漏洞证明:

还是使用 qibo 的成功案例网站 http://tongyuxian.com/

<img src="https://images.seebug.org/upload/201411/1607510366b51fb86d9b6d602bedd88387dc714c.jpg" alt="zcc.JPG" width="600" onerror="javascript:errimg(this);">