|yxcms二次注入漏洞 - VULHUB开源网络安全威胁库

yxcms二次注入漏洞

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### 简要描述： yxcms二次注入漏洞 ### 详细说明： ``` /protected/apps/member/controller/photoController.php $data['account']=$this->mesprefix.$this->auth['account']; $data['sort']=$_POST['sort'];//从这里入口 $data['exsort']=empty($_POST['exsort'])?'':implode(',',$_POST['exsort']); $data['title']=in($_POST['title']); $data['keywords']=in($_POST['keywords']); $data['picture']=$_POST['picture']; $data['description']=in($_POST['description']); $data['content']=in($_POST['content']); $data['method']='photo/content'; $data['tpcontent']=in($_POST['tpcontent']); $data['ispass']=0; $data['recmd']=0; $data['hits']=0; $data['norder']=0; $data['addtime']=time(); // if (empty($data['description'])) { // $data['description']=in(substr(deletehtml($_POST['content']), 0, 250)); //自动提取描述 // } // if(empty($data['keywords'])){ // $data['keywords']= $this->getkeyword($data['title'].$data['description']); //自动获取中文关键词 // if(empty($data['keywords'])) $data['keywords']=str_replace(' ',',',$data['description']);//非中文 // } // if($_POST['iftag']) { // $iftag = $this->crtags($data['keywords']); // if(!$iftag) $this->alert('标签生成失败~'); // } if(!empty($_POST['photolist'])) $data['photolist']=implode(',',$_POST['photolist']); if(!empty($_POST['conlist'])) $data['conlist']=implode(',',in($_POST['conlist'])); if(model('photo')->insert($data)) $this->success('图集添加成功~',url('photo/index')); else $this->error('图集添加失败'); ``` ps:发布news的文件同样也存在这类问题。需求等待管理通过发布的商品，但是是看不到有什么异常的。恶意代码插入数据库后,看看那里会调用sort的数据 ``` /protected/apps/default/controller/columnController.php public function content() { $ename=in($_GET['col']); $id=intval($_GET['id']); if(empty($ename) || empty($id)) throw new Exception('参数错误~', 404); $this->col=$ename; $sortinfo=model('sort')->find("ename='{$ename}'",'type'); switch ($sortinfo['type']) { case 1://文章 $this->newscon($ename,$id); break; case 2://图集 $this->photocon($id); break; default: throw new Exception('此类型下没有内容~', 404); break; } } 从content函数进来,因为发的是图集,所以跟进photocon函数 protected function photocon($id) { $info=model('photo')->find("id='{$id}' and ispass='1'"); if(empty($info)) throw new Exception('内容不存在~', 404); $info['exsort']=explode(',', $info['exsort']); $page = new Page(); $info['content']=$info['content'] = $page->contentPage(html_out($info['content']), '<hr style="page-break-after:always;" class="ke-pagebreak" />',$url,10,4); //文章分页 model('photo')->update("id='$id'","hits=hits+1");//点击 if(!empty($info['conlist'])) $titar=explode(',',$info['conlist']); if(!empty($info['photolist'])){ $phoar=explode(',',$info['photolist']); $cont=sizeof($phoar); for($i=0;$i<$cont;$i++){ $photolist[$i]['picture']=$phoar[$i]; $photolist[$i]['tit']=$titar[$i]; //$tit.="'<p>$titar[$i]</p>',"; //$sphoto.="'".__ROOT__."https://images.seebug.org/upload/photos/thumb_$phoar[$i]',"; //$bphoto.="'".__ROOT__."https://images.seebug.org/upload/photos/$phoar[$i]',"; } $this->photolist=$photolist; $this->num=$cont; //$this->assign(tit,substr($tit,0,-1)); //$this->assign(sphoto,substr($sphoto,0,-1)); //$this->assign(bphoto,substr($bphoto,0,-1)); } //获取拓展数据 $sortid=substr($info['sort'],-6,6);//这里被限制了长度不能注入 $tabid=model('sort')->find("id='{$sortid}'",'extendid');//获取拓展表 ....省略 $crumbs=$this->crumbs($info['sort']);//这里导致了注入 ..... 跟进crumbs函数看一下 protected function crumbs($path=',000000') { $crumb=array(); if(strlen($path)>7){ $ids=substr($path,8);//这里可以完整带入注入语句 $crumb=model('sort')->select("id IN($ids)",'id,type,name,ename,method,url,extendid','deep'); foreach ($crumb as $key=>$vo){ $crumb[$key]['url']=getURl($vo['type'],$vo['method'],$vo['url'],$vo['id'],$vo['extendid'],$vo['ename']); } } return $crumb; } ``` ### 漏洞证明： [<img src="https://images.seebug.org/upload/201409/191529171320b920d37e4d04ccd7b47ed7d08d7f.jpg" alt="sql.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/191529171320b920d37e4d04ccd7b47ed7d08d7f.jpg)

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™