大米CMS设计缺陷导致CSRF脱裤

2014-11-03T00:00:00
ID SSV:95291
Type seebug
Reporter Root
Modified 2014-11-03T00:00:00

Description

简要描述:

大米CMS设计缺陷导致CSRF脱裤

详细说明:

其实大米cms全局都没有设置CSRF防御...... 文件/Admin/Lib/Action/BackupAction.class.php

public function dobackup() { if(empty($_POST['ids'])) { $this->error('请选择需要备份的数据库表!'); } $filesize = intval($_POST['filesize']); if ($filesize < 512) { $this->error('出错了,请为分卷大小设置一个大于512的整数值!'); } $file ='./Public/Backup/'; $random = mt_rand(1000, 9999); $sql = ''; $p = 1; foreach($_POST['ids'] as $table) { $rs = new Model($table,'',false); $array = $rs->select(); $sql.= "TRUNCATE TABLE `$table`;\n"; foreach($array as $value) { $sql.= $this->insertsql($table, $value); if (strlen($sql) >= $filesize*1000) { $filename = $file.date('Ymd').'_'.$random.'_'.$p.'.sql'; write_file($filename,$sql); $p++; $sql=''; } } } if(!empty($sql)) { $filename = $file.date('Ymd').'_'.$random.'_'.$p.'.sql'; write_file($filename,$sql); } $this->assign("jumpUrl",U("Backup/restore")); $this->success('数据库分卷备份已完成,共分成'.$p.'个sql文件存放!'); } //生成SQL备份语句 public function insertsql($table, $row) { $sql = "INSERT INTO `{$table}` VALUES ("; $values = array(); foreach ($row as $value) { $values[] = "'" . mysql_real_escape_string($value) . "'"; } $sql .= implode(', ', $values) . ");\n"; return $sql; }

备份数据库时没有任何CSRF防御 结合前面的XSS即可达到备份数据库的目的 数据备份的目录为:$file ='./Public/Backup/'; 备份文件名为:$filename = $file.date('Ymd').''.$random.''.$p.'.sql'; $random = mt_rand(1000, 9999); 生成的备份文件名例如:20141031_4683_1.sql 1、通过爆破即可简单获取备份文件名 2、利用window短文件名123456~1.sql即可

漏洞证明:

http://localhost/dami/public/backup/20141031_4683_1.sql

或者

http://localhost/dami/public/backup/201410~1.sql

<img src="https://images.seebug.org/upload/201410/31233154f22e76d75fd0e337ee626bd8b246f783.png" alt="1.png" width="600" onerror="javascript:errimg(this);">