### Summary:
Version: CmsEasy 5_5_0_20140420_UTF8. SQL injection. When a programmer chases perfection too hard, he overlooks the people and things worth cherishing: a girlfriend (as if he had one?), or this piece of code...
### Details:
Around line 326 of /lib/default/user_act.php and around line 541 of /lib/tool/front_class.php there is a check on whether the client IP is well-formed:
```php
// Excerpt from /lib/default/user_act.php (around line 326) and /lib/tool/front_class.php
// (around line 541). The request is refused only when NEITHER the IPv4 pattern NOR the IPv6
// pattern matches front::ip(). The IPv6 pattern ends in (%.+)?\s*$ (intended for a zone ID
// such as fe80::1%eth0), so any characters at all are accepted after a "%".
if(!preg_match('/^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$/', front::ip())&&!preg_match('@^\s*((([0-9A-Fa-f]{1,4}:){7}(([0-9A-Fa-f]{1,4})|:))|(([0-9A-Fa-f]{1,4}:){6}(:|((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})|(:[0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){5}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){4}(:[0-9A-Fa-f]{1,4}){0,1}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){3}(:[0-9A-Fa-f]{1,4}){0,2}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){2}(:[0-9A-Fa-f]{1,4}){0,3}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:)(:[0-9A-Fa-f]{1,4}){0,4}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(:(:[0-9A-Fa-f]{1,4}){0,5}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})))(%.+)?\s*$@', front::ip())){ // This is written far too elaborately; it looks very powerful, but then I saw (%.+)?. Er, so "%'"... doesn't that let me inject a quote after all?
    exit('来源非法'); // "illegal source"
}
```
Moreover, this application's IP lookup (front::ip()) honours the X-Forwarded-For proxy header, so the value fed to the check above comes straight from the request and is fully attacker-controlled.
I tested the application: user registration, guest submissions and so on can all be injected; see the screenshots under proof of vulnerability.
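The check above, exercised end to end as an added example in Python (not code from CmsEasy or from the original report): the two patterns are copied verbatim from the excerpt, while the X-Forwarded-For handling in `first_forwarded_ip` and the registration sink in `store_and_read_back` are assumptions, since the page does not show CmsEasy's own query, and the sample header values are constructed. It shows which values the original condition lets through, a stricter check that rejects the `%zone` suffix, and a bound-parameter insert that stores the payload as data.

```python
"""Regex-bypass demo for the CmsEasy X-Forwarded-For check (added example)."""
import ipaddress
import re
import sqlite3

# Both patterns are copied verbatim from the CmsEasy check quoted above (PCRE
# syntax that Python's re module accepts unchanged). Note the tail of the IPv6
# pattern, "(%.+)?\s*$": it was meant for a zone ID (fe80::1%eth0) but accepts
# ANY characters after a '%', quotes and SQL keywords included.
IPV4_RE = re.compile(
    r'^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}'
    r'([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
)
IPV6_RE = re.compile(r'^\s*((([0-9A-Fa-f]{1,4}:){7}(([0-9A-Fa-f]{1,4})|:))|(([0-9A-Fa-f]{1,4}:){6}(:|((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})|(:[0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){5}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){4}(:[0-9A-Fa-f]{1,4}){0,1}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){3}(:[0-9A-Fa-f]{1,4}){0,2}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){2}(:[0-9A-Fa-f]{1,4}){0,3}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:)(:[0-9A-Fa-f]{1,4}){0,4}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(:(:[0-9A-Fa-f]{1,4}){0,5}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})))(%.+)?\s*$')


def first_forwarded_ip(headers):
    """Assumed front::ip()-style lookup (not CmsEasy's code): prefer
    X-Forwarded-For over the socket address and take the first hop. Unless a
    trusted reverse proxy rewrites the header, this is whatever the client sent."""
    xff = headers.get('X-Forwarded-For', '')
    if xff:
        return xff.split(',', 1)[0]
    return headers.get('REMOTE_ADDR', '')


def cmseasy_ip_check(value):
    """Mirror of the original condition: the request is rejected only when
    NEITHER pattern matches, so the permissive IPv6 branch decides."""
    return bool(IPV4_RE.search(value)) or bool(IPV6_RE.search(value))


def hardened_ip_check(value):
    """Stricter replacement: exactly one literal address, no surrounding
    whitespace and no '%zone' suffix (a client address seen through a proxy
    never carries a zone ID). ipaddress alone is not enough here: since
    Python 3.9 it accepts "::1%anything" as a scoped address."""
    if value != value.strip() or '%' in value:
        return False
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def store_and_read_back(ip):
    """Assumed registration sink (CmsEasy's real query is not on the page):
    bind the IP instead of concatenating it, so a quote is stored as data.
    Returns (stored_ip, row_count)."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, ip TEXT)')
    conn.execute('INSERT INTO user (name, ip) VALUES (?, ?)', ('tester', ip))
    stored = conn.execute('SELECT ip FROM user').fetchone()[0]
    count = conn.execute('SELECT count(*) FROM user').fetchone()[0]
    conn.close()
    return stored, count


# Constructed X-Forwarded-For values for illustration, not captured traffic.
SAMPLES = [
    "1.2.3.4",                # plain IPv4: both checks pass
    "2001:db8::1",            # plain IPv6: both checks pass
    "1.2.3.4' or 1=1 -- ",    # quote without '%': even the original rejects it
    "1.2.3.4%' or 1=1 -- ",   # '%' + payload: original passes, hardened rejects
    "::1%' or 1=1 -- ",       # same trick on the IPv6 form
]

if __name__ == '__main__':
    for sample in SAMPLES:
        print(f'{sample!r:28} original={cmseasy_ip_check(sample)!s:5} '
              f'hardened={hardened_ip_check(sample)}')
```

Run it directly to print one line per sample. The stricter check is only a stopgap: validation is not escaping, and a header value that looks like an address must still be bound as a query parameter before it reaches the database, which is what `store_and_read_back` shows.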
### Proof of vulnerability:
1. User registration, injecting through X-Forwarded-For
[![QQ20140531-3@2x.png](https://images.seebug.org/upload/201405/311142582c8d013f1291a31fbc16393517392504.png)](https://images.seebug.org/upload/201405/311142582c8d013f1291a31fbc16393517392504.png)
2. Log in and look at the result
[![QQ20140531-4@2x.png](https://images.seebug.org/upload/201405/31114357147512d885bedf6e07a2f5903c07c7b8.png)](https://images.seebug.org/upload/201405/31114357147512d885bedf6e07a2f5903c07c7b8.png)