### Summary: One SQL injection in Chanzhi CMS, demonstrated on the official site

### Details:

1. Chanzhi's overall anti-injection work is honestly quite good; I looked for a long time without finding anything I could exploit. But nobody is perfect, and programmers slip up sometimes, and that is when I finally found this one. First, locate the vulnerability in the file system/module/message/model.php.

```php
public function getByObject($type, $objectType, $objectID, $pager = null)
{
    // The cmts cookie is read and only trimmed of leading/trailing commas.
    $userMessages = $this->cookie->cmts;
    $userMessages = trim($userMessages, ',');
    if(empty($userMessages)) $userMessages = '0';

    return $this->dao->select('*')->from(TABLE_MESSAGE)
        ->where('type')->eq($type)
        ->beginIf(RUN_MODE == 'front' and $type == 'message')->andWhere('public')->eq(1)->fi()
        ->andWhere('objectType')->eq($objectType)
        ->andWhere('objectID')->eq($objectID)
        ->andWhere("(id in ({$userMessages}) or (status = '1'))") // this is the vulnerable line
        ->orderBy('id_desc')
        ->page($pager)
        ->fetchAll();
}
```

2. The logic here is as follows: Chanzhi first reads a cookie named cmts, then, after that minimal processing, passes it into the IN clause of the SQL statement. As the code above shows, $userMessages goes straight into IN without any anti-injection filtering, and that creates the injection vulnerability. Next, let's look at where this function is called: in the file system/module/message/control.php.

```php
public function index($pageID = 1)
{
    $recPerPage = !empty($this->config->site->messageRec) ? $this->config->site->messageRec : $this->config->message->recPerPage;
    $this->app->loadClass('pager', $static = true);
    $pager = new pager($recTotal = 0, $recPerPage, $pageID);

    $this->view->messages    = $this->message->getByObject($type = 'message', $objectType = 'message', $objectID = 0, $pager); // first call of the vulnerable function
    $this->view->pager       = $pager;
    $this->view->title       = $this->lang->message->list;
    $this->view->startNumber = ($pageID - 1) * 10;
    $this->display();
}
```

```php
public function comment($objectType, $objectID, $pageID = 1)
{
    $recPerPage = !empty($this->config->site->commentRec) ? $this->config->site->commentRec : $this->config->message->recPerPage;
    $this->app->loadClass('pager', $static = true);
    $pager = new pager($recTotal = 0, $recPerPage, $pageID);

    $this->view->objectType  = $objectType;
    $this->view->objectID    = $objectID;
    $this->view->comments    = $this->message->getByObject($type = 'comment', $objectType, $objectID, $pager); // second call of the vulnerable function
    $this->view->pager       = $pager;
    $this->view->startNumber = ($pageID - 1) * 10;
    $this->lang->message     = $this->lang->comment;
    $this->display();
}
```

3. Construct a cookie named cmts with the value shown in the test code, then visit http://localhost/chanzhieps/www/message-index.html

![1.png](https://images.seebug.org/upload/201510/12152344c97ade8370a925c0ed35ffabab5dda3c.png)

4. Try the same method on the official site. By the way, the official demo is really laggy; you should check whether it has already been compromised.

![2.png](https://images.seebug.org/upload/201510/121525200d8209d8d633a0089f7b3a1212cd9726.png)

Hey, you connect as root just like I do. I'm on a local box, but you are the official demo!

### Proof of vulnerability:

![2.png](https://images.seebug.org/upload/201510/121525200d8209d8d633a0089f7b3a1212cd9726.png)
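One way to close this hole, as an added example written for this write-up rather than code from Chanzhi: accept only integer ids from the cmts cookie and build the IN fragment from those ints alone, so the cookie can never alter the query's structure. The function names and the constructed cookie values are my own.

```php
<?php
// Added example (not chanzhi's code): hardened handling of the `cmts`
// cookie before it reaches the IN (...) clause of getByObject().
// The original code only trims commas and interpolates the raw string;
// here only well-formed positive integer ids survive.

/**
 * Parse the cmts cookie into a list of distinct positive integer ids.
 * Anything that is not a pure decimal number is dropped.
 */
function parseMessageIds(string $cookie): array
{
    $ids = [];
    foreach (explode(',', $cookie) as $part) {
        $part = trim($part);
        // ctype_digit() rejects signs, spaces, quotes and parentheses.
        if ($part === '' || !ctype_digit($part)) continue;
        $ids[(int) $part] = true;      // de-duplicate via the array key
    }
    unset($ids[0]);                    // 0 is never a real row id
    return array_keys($ids);
}

/**
 * Build the condition that replaces the vulnerable line. The ids are
 * already ints, so imploding them cannot introduce SQL syntax; an empty
 * list falls back to the original "0" sentinel so the query stays valid.
 */
function messageVisibilityCondition(array $ids): string
{
    $list = empty($ids) ? '0' : implode(',', array_map('intval', $ids));
    return "(id in ({$list}) or (status = '1'))";
}

// Constructed inputs: a normal cookie and one carrying non-numeric junk.
foreach (['12,7,12,', "7, abc, 3' , -4, (1)"] as $cookie) {
    $ids = parseMessageIds($cookie);
    echo json_encode($ids), ' => ', messageVisibilityCondition($ids), "\n";
}
```

In the real fix the returned fragment (or the id list) would be handed to the DAO in place of the interpolated `$userMessages` string; the rest of getByObject() is unchanged.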