### Summary:
SQL injection vulnerability in TCCMS that allows logging in as an arbitrary user.
### Details:
Front-end member login:
app/controller/user.class.php:
```
/* Front-end member login */
public function loginIn() {
    $userObj = M ( 'user' );
    $username = trim ( $_POST ['username'] ); // injection point
    $password = trim ( $_POST ['password'] );
    $checkError = $this->checkErrorLogin ( $userObj, $username, $password );
    if (empty ( $username ) || empty ( $password )) {
        StringUtil::jsback ( Config::lang ( "USERNAMEORPASSWORDWRONG" ) );
    }
    $isLogin = $userObj->checkUserLogin ( $username, $password );
```
`$username` and `$password` are not filtered before being passed to `checkUserLogin`. Following the call:
app/model/userAction.class.php:
```
public function checkUserLogin($username, $password) {
    $pwd1 = md5(trim($password));
    // User-supplied $username is concatenated directly into the SQL string
    $sql = "select * from " . $this->table . " where username='".$username."' and password='".$pwd1."' and status=1";
    // The only sanitization applied: "#" and "-" are stripped from the whole statement
    $sql = str_replace("#", '', $sql);
    $sql = str_replace("-", '', $sql);
    $rt = $this->db->query($sql);
    $row = mysql_fetch_array($rt);
    if (!$row) {
        return false;
    } else {
        return $row;
    }
}
```
The input goes straight into the SQL statement; the only processing is the removal of `#` and `-`.
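A hardened form of `checkUserLogin`, as an added example that is not TCCMS code or part of the original report: the username is bound as a parameter instead of being concatenated, so the `#`/`-` stripping is unnecessary. Assumptions: a PDO connection, a table named `user` with the columns seen in the query above, an in-memory SQLite database standing in for MySQL, and passwords stored with `password_hash()` rather than `md5()`.

```php
<?php
// Added example, not TCCMS code. Table name, PDO connection and the
// in-memory SQLite database are assumptions so the script runs offline.

function checkUserLogin(PDO $db, string $username, string $password)
{
    // The placeholder keeps user input out of the SQL text, so no
    // character blacklist (stripping "#" and "-") is needed.
    $stmt = $db->prepare(
        'SELECT * FROM user WHERE username = :username AND status = 1'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a salted hash in PHP instead of comparing md5() in SQL.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    return $row;
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
                              password TEXT, status INTEGER)');
$ins = $db->prepare('INSERT INTO user (username, password, status) VALUES (?, ?, 1)');
$ins->execute(['111111', password_hash('111111', PASSWORD_DEFAULT)]);
$ins->execute(["o'neil-#1", password_hash('s3cret', PASSWORD_DEFAULT)]);

// Account from the report: correct password, then the wrong password 123.
var_dump(checkUserLogin($db, '111111', '111111') !== false);
var_dump(checkUserLogin($db, '111111', '123'));

// A username containing a quote, "-" and "#" is plain data to the bound
// parameter: it matches only its own row and still needs its password.
var_dump(checkUserLogin($db, "o'neil-#1", 's3cret') !== false);
var_dump(checkUserLogin($db, "o'neil-#1", '123'));
```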
### Proof of concept:
We register a user 111111 with the password 111111.
Then we log in with the wrong password 123:
![1.png](https://images.seebug.org/upload/201401/09101544c0e4d769cc7a40222cfa7d65916b1c45.png)
Login with the wrong password fails.
![2.png](https://images.seebug.org/upload/201401/09101603c6e57b2e9610f9308b6790bf95050c76.png)
Login with the wrong password succeeds.
![3.png](https://images.seebug.org/upload/201401/09101632ad1f6f7e0dab8c470425e8959103bcf6.png)
Log of the executed SQL statement.