### Brief description: TCCMS SQL injection vulnerability, allows login as any user

### Details:

Front-end member login, in app/controller/user.class.php:

```
/* Front-end member login */
public function loginIn() {
    $userObj = M ( 'user' );
    $username = trim ( $_POST ['username'] ); // injection point: taken from POST with no filtering
    $password = trim ( $_POST ['password'] );
    $checkError = $this->checkErrorLogin ( $userObj, $username, $password );
    if (empty ( $username ) || empty ( $password )) {
        StringUtil::jsback ( Config::lang ( "USERNAMEORPASSWORDWRONG" ) );
    }
    // both values are handed to the model unchanged
    $isLogin = $userObj->checkUserLogin ( $username, $password );
```

`$username` and `$password` are not filtered before entering `checkUserLogin`. Following it into app/model/userAction.class.php:

```
public function checkUserLogin($username, $password) {
    $pwd1 = md5(trim($password));
    // only the password is hashed; $username is concatenated straight into the statement
    $sql = "select * from " . $this->table . " where username='".$username."' and password='".$pwd1."' and status=1";
    // the only "sanitising" removes the MySQL comment characters '#' and '-';
    // a single quote followed by an OR condition passes through untouched
    $sql = str_replace("#", '', $sql);
    $sql = str_replace("-", '', $sql);
    $rt = $this->db->query($sql);
    $row = mysql_fetch_array($rt);
    if (!$row) {
        return false;
    } else {
        return $row;
    }
}
```

The username goes directly into the SQL statement. The two `str_replace` calls only stop an attacker from truncating the query with a `#` or `--` comment; a quote followed by an `or` condition is enough to bypass the password check, because `and` binds tighter than `or`, so the `password` and `status` conditions attach to the injected `or` branch while the `username='...'` test on the left is satisfied on its own.

### Proof of vulnerability:

Register a user 111111 with password 111111, then log in with the wrong password 123:

![1.png](https://images.seebug.org/upload/201401/09101544c0e4d769cc7a40222cfa7d65916b1c45.png)

Login with the wrong password fails.

![2.png](https://images.seebug.org/upload/201401/09101603c6e57b2e9610f9308b6790bf95050c76.png)

With the injection in the username field, login with the wrong password succeeds.

![3.png](https://images.seebug.org/upload/201401/09101632ad1f6f7e0dab8c470425e8959103bcf6.png)

Record of the executed SQL statement.
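To make the bypass and its fix concrete, the following is an added example written for this page; it is not code from TCCMS or from the original report. It re-creates the query construction of `checkUserLogin()` in Python against an in-memory SQLite table (an assumed stand-in for the MySQL `user` table; the column layout and the two sample accounts are constructed for the demo), runs the wrong-password, comment-based and OR-based usernames through it, and shows the same check with bound parameters. The payload `admin' or '1'='1` is an assumption: the report does not print the exact string it used.

```python
import hashlib
import sqlite3

# Constructed sample accounts for this demo (not data from any TCCMS site).
# Passwords are stored as md5 hex digests, which is what checkUserLogin() compares.
SAMPLE_USERS = [
    ("admin", "s3cr3t-admin-pw", 1),
    ("111111", "111111", 1),
]


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_db():
    """In-memory SQLite stand-in for the TCCMS `user` table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table user (id integer primary key, username text, "
        "password text, status integer)"
    )
    conn.executemany(
        "insert into user (username, password, status) values (?, ?, ?)",
        [(u, md5_hex(p), s) for u, p, s in SAMPLE_USERS],
    )
    return conn


def check_user_login_vulnerable(conn, username, password):
    """Python rendering of TCCMS checkUserLogin(): the username is concatenated
    into the statement and the only 'filter' strips '#' and '-' characters."""
    pwd1 = md5_hex(password.strip())
    sql = ("select * from user where username='" + username
           + "' and password='" + pwd1 + "' and status=1")
    sql = sql.replace("#", "").replace("-", "")   # same two str_replace calls
    return conn.execute(sql).fetchone()


def check_user_login_fixed(conn, username, password):
    """Same check with bound parameters: user input can never change the query shape."""
    pwd1 = md5_hex(password.strip())
    return conn.execute(
        "select * from user where username=? and password=? and status=1",
        (username, pwd1),
    ).fetchone()


def attempt(conn, check, username, password):
    """Returns the username of the matched row, None if the login was rejected,
    or 'SQL_ERROR' if the input broke the statement instead of bending it."""
    try:
        row = check(conn, username, password)
    except sqlite3.Error:
        return "SQL_ERROR"
    return row[1] if row else None


if __name__ == "__main__":
    conn = make_db()
    # Plain wrong password: rejected, as in the report's first screenshot.
    print(attempt(conn, check_user_login_vulnerable, "111111", "123"))
    # Comment truncation is defeated by the '#'/'-' stripping: the quote is left
    # unbalanced and the statement fails instead of logging anyone in.
    print(attempt(conn, check_user_login_vulnerable, "admin'--", "123"))
    # A quote plus OR survives the stripping. 'and' binds before 'or', so the
    # password and status conditions attach to the injected branch and the
    # username='admin' test on the left returns the admin row on its own.
    print(attempt(conn, check_user_login_vulnerable, "admin' or '1'='1", "123"))
    # With bound parameters the same input is just a username that does not exist.
    print(attempt(conn, check_user_login_fixed, "admin' or '1'='1", "123"))
```

The `-` stripping also mangles legitimate usernames containing a hyphen, which is a hint that the filter was a patch over symptoms rather than a fix; the parameterised variant needs no blacklist at all. In the real code base the equivalent is a prepared statement through `mysqli` or PDO rather than the deprecated `mysql_*` calls shown on the page.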