乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-09-23: 细节已通知厂商并且等待厂商处理中 2014-09-29: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放 2014-11-23: 细节向核心白帽子及相关领域专家公开 2014-12-03: 细节向普通白帽子公开 2014-12-13: 细节向实习白帽子公开 2014-12-19: 细节向公众公开
yxcms二次注入漏洞
/protected/apps/member/controller/photoController.php $data['account']=$this->mesprefix.$this->auth['account']; $data['sort']=$_POST['sort'];//从这里入口 $data['exsort']=empty($_POST['exsort'])?'':implode(',',$_POST['exsort']); $data['title']=in($_POST['title']); $data['keywords']=in($_POST['keywords']); $data['picture']=$_POST['picture']; $data['description']=in($_POST['description']); $data['content']=in($_POST['content']); $data['method']='photo/content'; $data['tpcontent']=in($_POST['tpcontent']); $data['ispass']=0; $data['recmd']=0; $data['hits']=0; $data['norder']=0; $data['addtime']=time(); // if (empty($data['description'])) { // $data['description']=in(substr(deletehtml($_POST['content']), 0, 250)); //自动提取描述 // } // if(empty($data['keywords'])){ // $data['keywords']= $this->getkeyword($data['title'].$data['description']); //自动获取中文关键词 // if(empty($data['keywords'])) $data['keywords']=str_replace(' ',',',$data['description']);//非中文 // } // if($_POST['iftag']) { // $iftag = $this->crtags($data['keywords']); // if(!$iftag) $this->alert('标签生成失败~'); // } if(!empty($_POST['photolist'])) $data['photolist']=implode(',',$_POST['photolist']); if(!empty($_POST['conlist'])) $data['conlist']=implode(',',in($_POST['conlist'])); if(model('photo')->insert($data)) $this->success('图集添加成功~',url('photo/index')); else $this->error('图集添加失败');
ps:发布news的文件同样也存在这类问题。需求等待管理通过发布的商品,但是是看不到有什么异常的。恶意代码插入数据库后,看看那里会调用sort的数据
/protected/apps/default/controller/columnController.phppublic function content() { $ename=in($_GET['col']); $id=intval($_GET['id']); if(empty($ename) || empty($id)) throw new Exception('参数错误~', 404); $this->col=$ename; $sortinfo=model('sort')->find("ename='{$ename}'",'type'); switch ($sortinfo['type']) { case 1://文章 $this->newscon($ename,$id); break; case 2://图集 $this->photocon($id); break; default: throw new Exception('此类型下没有内容~', 404); break; } }从content函数进来,因为发的是图集,所以跟进photocon函数 protected function photocon($id) { $info=model('photo')->find("id='{$id}' and ispass='1'"); if(empty($info)) throw new Exception('内容不存在~', 404); $info['exsort']=explode(',', $info['exsort']); $page = new Page(); $info['content']=$info['content'] = $page->contentPage(html_out($info['content']), '<hr style="page-break-after:always;" class="ke-pagebreak" />',$url,10,4); //文章分页 model('photo')->update("id='$id'","hits=hits+1");//点击 if(!empty($info['conlist'])) $titar=explode(',',$info['conlist']); if(!empty($info['photolist'])){ $phoar=explode(',',$info['photolist']); $cont=sizeof($phoar); for($i=0;$i<$cont;$i++){ $photolist[$i]['picture']=$phoar[$i]; $photolist[$i]['tit']=$titar[$i]; //$tit.="'<p>$titar[$i]</p>',"; //$sphoto.="'".__ROOT__."/upload/photos/thumb_$phoar[$i]',"; //$bphoto.="'".__ROOT__."/upload/photos/$phoar[$i]',"; } $this->photolist=$photolist; $this->num=$cont; //$this->assign(tit,substr($tit,0,-1)); //$this->assign(sphoto,substr($sphoto,0,-1)); //$this->assign(bphoto,substr($bphoto,0,-1)); } //获取拓展数据 $sortid=substr($info['sort'],-6,6);//这里被限制了长度 不能注入 $tabid=model('sort')->find("id='{$sortid}'",'extendid');//获取拓展表 ....省略 $crumbs=$this->crumbs($info['sort']);//这里导致了注入.....跟进crumbs函数看一下 protected function crumbs($path=',000000') { $crumb=array(); if(strlen($path)>7){ $ids=substr($path,8);//这里可以完整带入注入语句 $crumb=model('sort')->select("id IN($ids)",'id,type,name,ename,method,url,extendid','deep'); foreach ($crumb as $key=>$vo){ $crumb[$key]['url']=getURl($vo['type'],$vo['method'],$vo['url'],$vo['id'],$vo['extendid'],$vo['ename']); } } return $crumb; }
既然都是数字,正则过滤一下咯
危害等级:无影响厂商忽略
忽略时间:2014-12-19 17:34
暂无
