### 简要描述: TCCMS SQL注入漏洞,同一文件多处SQL注入,可获取管理员账户信息 ### 详细说明: app/controller/news.class.php: ``` public function all() { $_Obj = M($this->objName); $categoryObj = M("category"); $_Obj->pageSize = 20; $where = "1=1"; $key = $_POST['key'];//注入,再次参数上举例 $cid = $_GET['cid']; if ($key != "") { $where .= " and title like '$key%'"; } if (!empty($cid) && $cid != "") { $where .= " and classid = " . $cid; } if ($_GET["type"] == "user") { $where .= " and uid = " . $_COOKIE['userId']; } if (isset($_GET['yz'])) { $where .= " AND yz =".$_GET['yz']; } if (isset($_GET['levels'])) { $where .= " AND levels =".$_GET['levels']; } if (isset($_GET['special'])) { $where .= " AND special =".$_GET['special']; } if (isset($_GET['top'])) { $where .= " AND top =".$_GET['top']; } if (isset($_GET['flashpic'])) { $where .= " AND flashpic =".$_GET['flashpic']; } if (isset($_GET['isphoto'])) { $where .= " AND isphoto =".$_GET['isphoto']; } $_Obj->setSortId(); $orderBy = $_GET['sortId']; $_objAry =...
### 简要描述: TCCMS SQL注入漏洞,同一文件多处SQL注入,可获取管理员账户信息 ### 详细说明: app/controller/news.class.php: ``` public function all() { $_Obj = M($this->objName); $categoryObj = M("category"); $_Obj->pageSize = 20; $where = "1=1"; $key = $_POST['key'];//注入,再次参数上举例 $cid = $_GET['cid']; if ($key != "") { $where .= " and title like '$key%'"; } if (!empty($cid) && $cid != "") { $where .= " and classid = " . $cid; } if ($_GET["type"] == "user") { $where .= " and uid = " . $_COOKIE['userId']; } if (isset($_GET['yz'])) { $where .= " AND yz =".$_GET['yz']; } if (isset($_GET['levels'])) { $where .= " AND levels =".$_GET['levels']; } if (isset($_GET['special'])) { $where .= " AND special =".$_GET['special']; } if (isset($_GET['top'])) { $where .= " AND top =".$_GET['top']; } if (isset($_GET['flashpic'])) { $where .= " AND flashpic =".$_GET['flashpic']; } if (isset($_GET['isphoto'])) { $where .= " AND isphoto =".$_GET['isphoto']; } $_Obj->setSortId(); $orderBy = $_GET['sortId']; $_objAry = $_Obj->where($where)->orderby("id ".$orderBy)->getList(); //$pidSelectStr = $categoryObj->getTree($categoryObj, 1,false); //$this->setValue("pidSelectStr", $pidSelectStr); $this->setValue("categoryObj", $categoryObj); $this->setValue("objAry", $_objAry); $this->setValue("Obj", $_Obj); $this->setValue("action", "list"); $this->forward("user/newsList.html"); } ``` 进入where和orderby,getList函数,system/core/model.class.php: ``` public function where($where) { $this->where = empty($this->where) ? " where " . $where : $this->where . $where; return $this; } public function orderby($orderby) { $this->orderby = $orderby; $this->orderby = empty($this->orderby) ? "" : " order by " . $this->orderby; return $this; } public function getList() { $offset = 0; $page = intval($_GET['page']); $pageSize = $this->pageSize; if (!$page) { $page = 1; } $offset = ($page - 1) * $pageSize; $sql = "select " . $this->field . " from " . $this->table . " " . $this->where . $this->orderby . " limit $offset,$pageSize"; $rt = $this->db->query($sql);//带入SQL语句 $coun = mysql_query("select count(*) as cou from " . $this->table . "" . $this->where);//带入SQL语句 $arr = mysql_fetch_array($coun); $total = $arr['cou']; $this->count = $total; if ($_GET['a'] == 'all') { $this->isAdmin = 1; } $this->pagenav = $this->db->pageft($total, $pageSize, 1, 1, 1, 5, "", $this->model, $this->isAdmin); while ($row = $this->db->fetch_assoc($rt)) { $objList[] = $row; } $this->where = ''; return $objList; } ``` ### 漏洞证明: [<img src="https://images.seebug.org/upload/201401/091129350c1652664d3d047480aa28ac785ebb98.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/091129350c1652664d3d047480aa28ac785ebb98.png)
