当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0144894

漏洞标题:CmsTop媒体版某模板存在三处SQL盲注漏洞(非全部网站用户)

相关厂商:CmsTop

漏洞作者: Xser

提交时间:2015-10-09 18:32

修复时间:2016-01-12 18:34

公开时间:2016-01-12 18:34

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-09: 细节已通知厂商并且等待厂商处理中
2015-10-14: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2015-12-08: 细节向核心白帽子及相关领域专家公开
2015-12-18: 细节向普通白帽子公开
2015-12-28: 细节向实习白帽子公开
2016-01-12: 细节向公众公开

简要描述:

不是全部网站都安装了这几个模板,这个模板用户量一般

详细说明:

漏洞文件是/apps/rss/controller/fullsite.php中

public function get_sectiondata(){
		$sectionid = $_GET['sectionid'];  //多个以','隔开
		$outtyle = $_GET['outtyle'];	//输出类型
		$section_list = $this->_rss->ls_section($sectionid);
		$data = array();
		foreach($section_list as $section){
			if ($section['data'] && ($section['data']{0} == '{' || $section['data']{0} == '['))
			{
				$data[] = json_decode($section['data'], true);
			}
			else
			{
				$data[] = unserialize($section['data']);


跟踪ls_section函数
在/apps/rss/model/fullsite.php中

function ls_section($sectionid){
		$sql = "SELECT * FROM `#table_section` ";
		if($sectionid) $sql .= " WHERE sectionid IN (".$sectionid.")";
		$sql .= " ORDER BY sectionid DESC";
		$data = $this->db->select($sql);
		return $data;
	}


$sectionid = $_GET['sectionid'];
(".$sectionid.")";


可以看到没有过滤也没有单引号,不知道是不是有过滤,因为我源码没有完整解密
我们要减法盲注测试下是不是存在注入
一号

http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata&sectionid=1&outtyle=1


二号

http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata&sectionid=2-1&outtyle=1


三号

http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata&sectionid=2&outtyle=1


一号的值是1和二号的2-1=1是等于,返回了同样的数据
而三号是2,所以返回不同,所以存在注入

XI8U{`~R9{N3WB76K)[6[_S.png

QQ截图20151005145909.png

QQ截图20151005145926.png


第二处在/apps/rss/controller/fullsite.php中

public function get_category(){
		$categoryid = $_GET['categoryid'];  //多个以','隔开
		$outtyle = $_GET['outtyle'];	//输出类型
		$category_list = $this->_rss->ls_category($categoryid);
		$this->template->assign('list',$category_list);


跟踪ls_category函数
在/apps/rss/model/fullsite.php中

//获取栏目数据信息的数据
	function ls_category($categoryid){
		$sql = "SELECT * FROM `#table_category` ";
		if($categoryid) $sql .= " WHERE catid IN (".$categoryid.")";
		$sql .= " ORDER BY catid DESC";
		$data = $this->db->select($sql);
		return $data;


和第一处一样就不演示了
第三处是延时注入
在apps\editor\controller\slide.php中

public function pic_html()
	{
		$idtmp = explode(',',$_GET['id']);
		foreach($idtmp as $k=>$v){
		    if(!empty($v)){
		        $id[] = $v;
		    }
		}
		$db = factory::db();
		//得到$id[0]组图信息
		$data = $db->select("SELECT * FROM #table_picture_group WHERE contentid=$id[0] ORDER BY sort ASC");
		$html .= '<p><div class="picgroup"><div class="moverpic"><ul class="mover">';
		$_count = 0;
		foreach($data as $value)


$idtmp = explode(',',$_GET['id']);
$data = $db->select("SELECT * FROM #table_picture_group WHERE contentid=$id[0] ORDER BY sort ASC");


分割后带入查询了,我们用sqlmap测试一下

QQ截图20151007110840.png

漏洞证明:

漏洞文件是/apps/rss/controller/fullsite.php中

public function get_sectiondata(){
		$sectionid = $_GET['sectionid'];  //多个以','隔开
		$outtyle = $_GET['outtyle'];	//输出类型
		$section_list = $this->_rss->ls_section($sectionid);
		$data = array();
		foreach($section_list as $section){
			if ($section['data'] && ($section['data']{0} == '{' || $section['data']{0} == '['))
			{
				$data[] = json_decode($section['data'], true);
			}
			else
			{
				$data[] = unserialize($section['data']);


跟踪ls_section函数
在/apps/rss/model/fullsite.php中

function ls_section($sectionid){
		$sql = "SELECT * FROM `#table_section` ";
		if($sectionid) $sql .= " WHERE sectionid IN (".$sectionid.")";
		$sql .= " ORDER BY sectionid DESC";
		$data = $this->db->select($sql);
		return $data;
	}


$sectionid = $_GET['sectionid'];
(".$sectionid.")";


可以看到没有过滤也没有单引号,不知道是不是有过滤,因为我源码没有完整解密
我们要减法盲注测试下是不是存在注入
一号

http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata&sectionid=1&outtyle=1


二号

http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata&sectionid=2-1&outtyle=1


三号

http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata&sectionid=2&outtyle=1


一号的值是1和二号的2-1=1是等于,返回了同样的数据
而三号是2,所以返回不同,所以存在注入

XI8U{`~R9{N3WB76K)[6[_S.png

QQ截图20151005145909.png

QQ截图20151005145926.png


第二处在/apps/rss/controller/fullsite.php中

public function get_category(){
		$categoryid = $_GET['categoryid'];  //多个以','隔开
		$outtyle = $_GET['outtyle'];	//输出类型
		$category_list = $this->_rss->ls_category($categoryid);
		$this->template->assign('list',$category_list);


跟踪ls_category函数
在/apps/rss/model/fullsite.php中

//获取栏目数据信息的数据
	function ls_category($categoryid){
		$sql = "SELECT * FROM `#table_category` ";
		if($categoryid) $sql .= " WHERE catid IN (".$categoryid.")";
		$sql .= " ORDER BY catid DESC";
		$data = $this->db->select($sql);
		return $data;


和第一处一样就不演示了
第三处是延时注入
在apps\editor\controller\slide.php中

public function pic_html()
	{
		$idtmp = explode(',',$_GET['id']);
		foreach($idtmp as $k=>$v){
		    if(!empty($v)){
		        $id[] = $v;
		    }
		}
		$db = factory::db();
		//得到$id[0]组图信息
		$data = $db->select("SELECT * FROM #table_picture_group WHERE contentid=$id[0] ORDER BY sort ASC");
		$html .= '<p><div class="picgroup"><div class="moverpic"><ul class="mover">';
		$_count = 0;
		foreach($data as $value)


$idtmp = explode(',',$_GET['id']);
$data = $db->select("SELECT * FROM #table_picture_group WHERE contentid=$id[0] ORDER BY sort ASC");


分割后带入查询了,我们用sqlmap测试一下

QQ截图20151007110840.png

修复方案:

intval参数

版权声明:转载请注明来源 Xser@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-01-12 18:34

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无