乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-01-09: 细节已通知厂商并且等待厂商处理中 2014-01-09: 厂商已经确认,细节仅向厂商公开 2014-01-12: 细节向第三方安全合作伙伴开放 2014-03-05: 细节向核心白帽子及相关领域专家公开 2014-03-15: 细节向普通白帽子公开 2014-03-25: 细节向实习白帽子公开 2014-04-09: 细节向公众公开
TCCMS SQL注入漏洞,同一文件多处SQL注入,可获取管理员账户信息
app/controller/news.class.php:
public function all() { $_Obj = M($this->objName); $categoryObj = M("category"); $_Obj->pageSize = 20; $where = "1=1"; $key = $_POST['key'];//注入,再次参数上举例 $cid = $_GET['cid']; if ($key != "") { $where .= " and title like '$key%'"; } if (!empty($cid) && $cid != "") { $where .= " and classid = " . $cid; } if ($_GET["type"] == "user") { $where .= " and uid = " . $_COOKIE['userId']; } if (isset($_GET['yz'])) { $where .= " AND yz =".$_GET['yz']; } if (isset($_GET['levels'])) { $where .= " AND levels =".$_GET['levels']; } if (isset($_GET['special'])) { $where .= " AND special =".$_GET['special']; } if (isset($_GET['top'])) { $where .= " AND top =".$_GET['top']; } if (isset($_GET['flashpic'])) { $where .= " AND flashpic =".$_GET['flashpic']; } if (isset($_GET['isphoto'])) { $where .= " AND isphoto =".$_GET['isphoto']; } $_Obj->setSortId(); $orderBy = $_GET['sortId']; $_objAry = $_Obj->where($where)->orderby("id ".$orderBy)->getList(); //$pidSelectStr = $categoryObj->getTree($categoryObj, 1,false); //$this->setValue("pidSelectStr", $pidSelectStr); $this->setValue("categoryObj", $categoryObj); $this->setValue("objAry", $_objAry); $this->setValue("Obj", $_Obj); $this->setValue("action", "list"); $this->forward("user/newsList.html"); }
进入where和orderby,getList函数,system/core/model.class.php:
public function where($where) { $this->where = empty($this->where) ? " where " . $where : $this->where . $where; return $this; } public function orderby($orderby) { $this->orderby = $orderby; $this->orderby = empty($this->orderby) ? "" : " order by " . $this->orderby; return $this; }public function getList() { $offset = 0; $page = intval($_GET['page']); $pageSize = $this->pageSize; if (!$page) { $page = 1; } $offset = ($page - 1) * $pageSize; $sql = "select " . $this->field . " from " . $this->table . " " . $this->where . $this->orderby . " limit $offset,$pageSize"; $rt = $this->db->query($sql);//带入SQL语句 $coun = mysql_query("select count(*) as cou from " . $this->table . "" . $this->where);//带入SQL语句 $arr = mysql_fetch_array($coun); $total = $arr['cou']; $this->count = $total; if ($_GET['a'] == 'all') { $this->isAdmin = 1; } $this->pagenav = $this->db->pageft($total, $pageSize, 1, 1, 1, 5, "", $this->model, $this->isAdmin); while ($row = $this->db->fetch_assoc($rt)) { $objList[] = $row; } $this->where = ''; return $objList; }
过滤
危害等级:中
漏洞Rank:5
确认时间:2014-01-09 13:04
这是后台的文章列表,没有管理员身份不能进行访问的吧?
2014-01-09:不过安全漏洞,无处不在,要严谨对待,感谢。