TCCMS SQL Injection Vulnerability 3 (blind injection, of limited practical value)

2014-01-09T00:00:00
ID SSV:95063
Type seebug
Reporter Root
Modified 2014-01-09T00:00:00

Description

Brief description:

TCCMS SQL Injection Vulnerability 3 (blind injection)

Details:

When deleting an article, in app/controller/news.class.php:

public function delete() {
    $_Obj = M($this->objName);
    $newsObj = M("content");
    $msgObj = new Msg();
    $id = $_GET['id'];
    $idAry = $_POST['id']; // injection point: the POST id array is never filtered
    $idStr = count($idAry) == 0 ? intval($id) : implode(",", $idAry);
    $newIdAry = explode(",", $idStr);
    $idSize = count($newIdAry);
    if (empty($newIdAry[0]) && empty($id)) {
        $msgObj->addMsg('error', Config::lang("PLEASECHOOSEDELETEDATA"));
    }
    for ($i = 0; $i < $idSize; $i++) {
        $news = get("news", $newIdAry[$i]);
        if (Authen::checkIsSelfData($news->uid)) {
            // each raw element of the POST array is passed on to the DELETE
            $newsObj->deleteById($newIdAry[$i]);
            $_Obj->deleteById($newIdAry[$i]);
        } else {
            $msgObj->addMsg('error', Config::lang("CANBEDELNOTSELFNEWS"));
        }
    }
    if (!$msgObj->hasMsg) {
        $newsObj->delete();
        $_Obj->delete();
    }
    header('Location: index.php?ac=news_all&type=user&page=' . $_GET["page"]);
    exit;
}

Following deleteById into system/core/model.class.php:

public function deleteById($id) {
    // $id arrives here exactly as it was received in the request
    $this->db->Delete($this->table, $this->PRI, $id);
}

The id values from POST are not filtered before they reach the DELETE query.
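The fix a defender would want here is to make sure nothing but integers can reach deleteById(). The following is an added example, not TCCMS code: it accepts the same inputs as the original delete() ($_GET['id'] as a scalar, $_POST['id'] as an array), validates each element individually instead of concatenating the raw array, and binds the surviving ids as integer parameters. The function names collectIds() and deleteByIds(), the PDO/SQLite setup and the request values are assumptions made for the demonstration; $table and $pk stand in for $this->table and $this->PRI, which in model.class.php come from configuration rather than from the request.

```php
<?php
// Added example (not TCCMS code): validate the id parameters that
// news.class.php::delete() receives before anything reaches the database.
// The original passes implode(",", $_POST['id']) straight through; here
// every element must be a plain positive decimal number or it is dropped.

/**
 * Accept the same inputs as the original delete(): a scalar $getId
 * ($_GET['id']) or an array $postIds ($_POST['id']). Returns only
 * positive integers, de-duplicated.
 */
function collectIds($getId, $postIds): array
{
    $raw = (is_array($postIds) && count($postIds) > 0) ? $postIds : [$getId];
    $ids = [];
    foreach ($raw as $value) {
        if (!is_string($value) && !is_int($value)) {
            continue; // nested arrays or objects are never valid ids
        }
        $value = trim((string)$value);
        // ctype_digit rejects the empty string, signs, spaces and any
        // non-numeric fragment, so no SQL text can survive this check
        if ($value !== '' && ctype_digit($value) && (int)$value > 0) {
            $ids[] = (int)$value;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Delete the given ids with a prepared statement. $table and $pk are
 * assumed to come from trusted configuration (like $this->table and
 * $this->PRI in model.class.php), never from the request.
 */
function deleteByIds(PDO $db, string $table, string $pk, array $ids): int
{
    if (count($ids) === 0) {
        return 0;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = sprintf('DELETE FROM `%s` WHERE `%s` IN (%s)', $table, $pk, $placeholders);
    $stmt = $db->prepare($sql);
    foreach ($ids as $i => $id) {
        // bind as integers; the value can no longer alter the statement text
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Demonstration on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, uid INTEGER, title TEXT)');
$db->exec("INSERT INTO news VALUES (1, 1, 'a'), (2, 1, 'b'), (3, 2, 'c')");

// Constructed request: one valid id, a duplicate of it, and two values
// that are not plain numbers and therefore get discarded.
$posted = ['2', '2', 'not-a-number', '3 tail'];
$ids = collectIds(null, $posted);
var_dump($ids);
echo deleteByIds($db, 'news', 'id', $ids), " row(s) deleted\n";
echo $db->query('SELECT COUNT(*) FROM news')->fetchColumn(), " rows remain\n";
```

With this input only id 2 survives validation, a single row is deleted and two remain; the ownership check with Authen::checkIsSelfData() from the original loop would still be applied per id before calling deleteByIds(). The point of the split is that the request can at most choose which of its own integer ids to delete, never change the shape of the WHERE clause.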

Proof of vulnerability:

First, look at our articles:

[Screenshot 1.png: https://images.seebug.org/upload/201401/09154853cd227d97a5602da34ff54b3ab1b2d24c.png]

Then we construct an incorrect statement and submit the delete:

[Screenshot 2.png: https://images.seebug.org/upload/201401/09154912323f468114d11329ca47be19af6c5d19.png]

Although it reports that one article was deleted successfully, the article was not actually deleted, because the condition was false. Now construct a correct condition:

[Screenshot 3.png: https://images.seebug.org/upload/201401/09155004cc8a16110d6705918bb0c95122c11717.png]

The article is deleted successfully. The database record:

[Screenshot 4.png: https://images.seebug.org/upload/201401/09155114d4954758fad00eed16a4c612ee92c613.png]