### 简要描述: Sql Injection ### 详细说明: 注入在XDCMS企业管理系统后台的栏目添加处,\system\modules\xdcms\category.php文件: 管理员在添加栏目和编辑栏目的时候会分别调用add_save()和edit_save()函数,三个注入点就出现在这两个函数里: add_save()函数,11个注入点: ``` public function add_save(){ $config=base::load_cache("cache_set_config","_config"); $catname=safe_html($_POST['catname']);//注入点1,大写可绕过 $catdir=$_POST['catdir'];//注入点2 $thumb=safe_html($_POST['thumb']);//注入点3,大写可绕过 $is_link=intval($_POST['is_link']); $url=$_POST['url'];//注入点4 $model=safe_html($_POST['model']);//注入点5,大写可绕过 $sort=intval($_POST['sort']); $is_show=intval($_POST['is_show']); $parentid=intval($_POST['parentid']); $is_target=intval($_POST['is_target']); $is_html=intval($_POST['is_html']); $template_cate=safe_html($_POST['template_cate']);//注入点6,大写可绕过 $template_list=safe_html($_POST['template_list']);//注入点7,大写可绕过 $template_show=safe_html($_POST['template_show']);//注入点8,大写可绕过 $seo_title=safe_html($_POST['seo_title']);//注入点9,大写可绕过 $seo_key=safe_html($_POST['seo_key']);//注入点10,大写可绕过...
### 简要描述: Sql Injection ### 详细说明: 注入在XDCMS企业管理系统后台的栏目添加处,\system\modules\xdcms\category.php文件: 管理员在添加栏目和编辑栏目的时候会分别调用add_save()和edit_save()函数,三个注入点就出现在这两个函数里: add_save()函数,11个注入点: ``` public function add_save(){ $config=base::load_cache("cache_set_config","_config"); $catname=safe_html($_POST['catname']);//注入点1,大写可绕过 $catdir=$_POST['catdir'];//注入点2 $thumb=safe_html($_POST['thumb']);//注入点3,大写可绕过 $is_link=intval($_POST['is_link']); $url=$_POST['url'];//注入点4 $model=safe_html($_POST['model']);//注入点5,大写可绕过 $sort=intval($_POST['sort']); $is_show=intval($_POST['is_show']); $parentid=intval($_POST['parentid']); $is_target=intval($_POST['is_target']); $is_html=intval($_POST['is_html']); $template_cate=safe_html($_POST['template_cate']);//注入点6,大写可绕过 $template_list=safe_html($_POST['template_list']);//注入点7,大写可绕过 $template_show=safe_html($_POST['template_show']);//注入点8,大写可绕过 $seo_title=safe_html($_POST['seo_title']);//注入点9,大写可绕过 $seo_key=safe_html($_POST['seo_key']);//注入点10,大写可绕过 $seo_des=safe_html($_POST['seo_des']);//注入点11,大写可绕过 $url_list=intval($_POST['url_list']); $url_show=intval($_POST['url_show']); $modelid=modelid($model); $power=addslashes(var_export($_POST['power'],true)); $lang=isset($_POST['lang'])?intval($_POST['lang']):1; $pagesize=intval($_POST['pagesize']); if(empty($catname)||empty($catdir)||empty($model)||empty($pagesize)){ showmsg(C('material_not_complete'),'-1'); } if(!check_str($catdir,'/^[a-z0-9][a-z0-9]*$/')){ showmsg(C('catdir').C('numbers_and_letters'),'-1'); } if($is_html==1){ if($config['createhtml']!=1){ showmsg(C('config_html_error'),'index.php?m=xdcms&c=setting'); } } $nums=$this->mysql->db_num("category","catdir='".$catdir."'"); if($nums>0){ showmsg(C('catdir_exist'),'-1'); } $sql="insert into ".DB_PRE."category (catname,catdir,thumb,is_link,url,model,modelid,sort,is_show,is_target,is_html,template_cate,template_list,parentid,template_show,seo_title,seo_key,seo_des,power,lang,url_list,url_show,pagesize) values ('".$catname."','".$catdir."','".$thumb."','".$is_link."','".$url."','".$model."','".$modelid."','".$sort."','".$is_show."','".$is_target."','".$is_html."','".$template_cate."','".$template_list."','".$parentid."','".$template_show."','".$seo_title."','".$seo_key."','".$seo_des."','".$power."','".$lang."','".$url_list."','".$url_show."','".$pagesize."')"; $this->mysql->query($sql); $catid=$this->mysql->insert_id(); if($is_link==0){//生成url $ob_url=base::load_class("url"); $url=$ob_url->caturl($catid,$catdir,$is_html,0,$lang,$url_list); $this->mysql->db_update("category","`url`='".$url."'","`catid`=".$catid); } $this->category_cache(); showmsg(C('add_success'),'-1'); } ``` edit_save()函数有11个注入点: ``` public function edit_save(){ $config=base::load_cache("cache_set_config","_config"); $catid=intval($_POST['catid']); $catname=safe_html($_POST['catname']);//注入点1,大写可绕过 $catdir=$_POST['catdir'];//注入点2 $thumb=safe_html($_POST['thumb']);//注入点3,大写可绕过 $is_link=intval($_POST['is_link']); $url=$_POST['url'];//注入点4 $sort=intval($_POST['sort']); $is_show=intval($_POST['is_show']); $parentid=intval($_POST['parentid']); $is_target=intval($_POST['is_target']); $is_html=intval($_POST['is_html']); $template_cate=safe_html($_POST['template_cate']);//注入点5,大写可绕过 $template_list=safe_html($_POST['template_list']);//注入点6,大写可绕过 $template_show=safe_html($_POST['template_show']);//注入点7,大写可绕过 $seo_title=safe_html($_POST['seo_title']);//注入点8,大写可绕过 $seo_key=safe_html($_POST['seo_key']);//注入点9,大写可绕过 $seo_des=safe_html($_POST['seo_des']);//注入点10,大写可绕过 $url_list=intval($_POST['url_list']); $url_show=intval($_POST['url_show']); $model=safe_html($_POST['model']);//注入点11,大写可绕过 $modelid=modelid($model); $power=addslashes(var_export($_POST['power'],true)); $lang=isset($_POST['lang'])?intval($_POST['lang']):1; $pagesize=intval($_POST['pagesize']); if(empty($catname)||empty($catdir)||empty($catid)||empty($pagesize)){ showmsg(C('material_not_complete'),'-1'); } if(!check_str($catdir,'/^[a-z0-9][a-z0-9]*$/')){ showmsg(C('catdir').C('numbers_and_letters'),'-1'); } if($is_html==1){ if($config['createhtml']!=1){ showmsg(C('config_html_error'),'index.php?m=xdcms&c=setting'); } } $nums=$this->mysql->db_num("category","catdir='".$catdir."' and catid!=".$catid); if($nums>0){ showmsg(C('catdir_exist'),'-1'); } //判断栏目是否有数据,否则不予更改模型 $rs=$this->mysql->get_one("select catid,model from ".DB_PRE."category where `catid`=".$catid); if($rs['model']!=$model){ $catnum=$this->mysql->db_num($rs['model'],"catid=".$catid); if($catnum>0){ showmsg(C('category_have_data'),'-1'); } } if($is_link==0){ //生成url $ob_url=base::load_class("url"); $url=$ob_url->caturl($catid,$catdir,$is_html,0,$lang,$url_list); } $this->mysql->db_update("category","`catname`='".$catname."',`catdir`='".$catdir."',`thumb`='".$thumb."',`is_link`='".$is_link."',`url`='".$url."',`sort`='".$sort."',`is_show`='".$is_show."',`is_target`='".$is_target."',`is_html`='".$is_html."',`parentid`='".$parentid."',`template_cate`='".$template_cate."',`template_list`='".$template_list."',`template_show`='".$template_show."',`seo_title`='".$seo_title."',`seo_key`='".$seo_key."',`seo_des`='".$seo_des."',`power`='".$power."',`lang`='".$lang."',`model`='".$model."',`modelid`='".$modelid."',`url_list`='".$url_list."',`url_show`='".$url_show."',`pagesize`='".$pagesize."'","`catid`=".$catid); $this->category_cache(); showmsg(C('update_success'),'index.php?m=xdcms&c=category'); } ``` sort_save()函数包含1处注入点: ``` public function sort_save(){ $catid=$_POST['catid'];//未过滤 foreach($catid as $val){ $sort=$_POST["sort{$val}"]; if(is_numeric($sort)){ $this->mysql->db_update("category","`sort`='".$sort."'","`catid`=".$val); } } $this->category_cache(); showmsg(C('update_success'),'index.php?m=xdcms&c=category'); } ``` ### 漏洞证明: 添加栏目处以catname为例,点击栏目添加: [<img src="https://images.seebug.org/upload/201402/22212422234795e0ea9020a6c5cb8a7ba9e59efd.jpg" alt="cat.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/22212422234795e0ea9020a6c5cb8a7ba9e59efd.jpg) 抓包添加exp: [<img src="https://images.seebug.org/upload/201402/22212456a094486374c7195cd7f4797b983c6355.jpg" alt="cat1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/22212456a094486374c7195cd7f4797b983c6355.jpg) 成功!: [<img src="https://images.seebug.org/upload/201402/2221251342edd464c428a7c0d7b17fdc933dd4dc.jpg" alt="cat2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/2221251342edd464c428a7c0d7b17fdc933dd4dc.jpg)
