### Brief description:
A CMS with a fairly large user base.
### Detailed description:
Look at Lib\Action\MemberAction.class.php:
```php
public function profile() {
    $this -> obj -> isLogin() or $this -> showMsg(L('LOGIN_FIRST'), Url :: getUrl('member', 'login'));
    if ($this -> isSubmit) {
        // On form submit the model's edit() handles the whole request
        if ($this -> obj -> edit()) {
            $this -> showMsg(L('OPERATE_SUCCESS'), $this -> referer);
        } else $this -> showMsg($this -> obj -> error);
    }
    $member = $this -> obj -> find(get_cookie('userid'));
    $tmp = explode('-', $member['birthday']);
    $birthday = array('year' => intval($tmp[0]), 'month' => intval($tmp[1]), 'day' => intval($tmp[2]));
    $birthday['timestamp'] = $member['birthday'] != '0000-00-00' ? Func :: timeStamp($member['birthday']) : '';
    $this -> assign('birthday', $birthday);
    $this -> assign('member', $member);
    $this -> assign('title', L('USER_PROFILE'));
    $this -> display('member_profile');
}
```
Then follow edit():
```php
public function edit() {
    // The entire POST "info" array, with whatever keys the client chose to send
    $info = R('info', 'post');
    $info['userid'] = intval($info['userid']);
    if (!$info['userid']) {
        $this -> error = $this -> L['NOPARAM'];
        return false;
    }
    $data = $this -> find($info['userid']);
    if (empty($data)) {
        $this -> error = $this -> L['USER_IS_NOT_EXIST'];
        return false;
    }
    // Only the target userid is checked against the cookie; the column names are never checked
    $info['userid'] == get_cookie('userid') or show_error($this -> L['NO_PERMISSION']);
    $info['birthday'] = R('birthyear') . '-' . R('birthmonth') . '-' . R('birthday');
    // No column whitelist: every key in $info is written by the UPDATE
    return $this -> create($info) -> update();
}
```
In other words, the POST `info` array is written to the database as-is. The code only verifies that `info[userid]` matches the cookie; it never checks which field names are present, so we can add our own fields (any column of the member table, not just the ones on the form) and escalate to administrator.
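To make the fix concrete, here is an added example (not code from the CMS) of how the same update should be built: keep only a whitelist of self-editable columns, take the target `userid` from the server-side session instead of the request body, and assemble the birthday from integers. The column names other than `userid`, `groupid` and `birthday` are assumptions for illustration, and the value that marks an administrator in `groupid` is not stated in the report, so the constructed request below just uses a placeholder.

```php
<?php
// Added example, not the CMS's own code: hardened replacement for the
// mass-assignment pattern in edit(). Column names are assumed.

// Columns a member may change about themselves. groupid, userid and
// password are deliberately absent from this list.
const PROFILE_EDITABLE = ['nickname', 'email', 'gender', 'qq', 'mobile'];

/**
 * Build the update array from untrusted form input.
 *
 * @param array $info          the POST "info" array exactly as the CMS reads it
 * @param array $birthdayParts ['year' => .., 'month' => .., 'day' => ..] from the form
 * @param int   $sessionUserId id of the authenticated user (server-side session)
 */
function sanitize_profile_input(array $info, array $birthdayParts, int $sessionUserId): array
{
    // Whitelist: keep only known-editable columns, drop every other key
    // (including groupid) before it can reach create()->update().
    $clean = array_intersect_key($info, array_flip(PROFILE_EDITABLE));

    // The row being updated is always the caller's own; never read it from POST.
    $clean['userid'] = $sessionUserId;

    // Same Y-m-d string the original builds, but from integers so a
    // malformed value cannot be concatenated into the query.
    $clean['birthday'] = sprintf(
        '%04d-%02d-%02d',
        (int)($birthdayParts['year'] ?? 0),
        (int)($birthdayParts['month'] ?? 0),
        (int)($birthdayParts['day'] ?? 0)
    );

    return $clean;
}

// Constructed request resembling the attack: the member appends
// info[groupid] (and a bogus info[userid]) to the normal profile form.
$post = [
    'info' => [
        'userid'   => '42',
        'nickname' => 'alice',
        'groupid'  => 'ADMIN_GROUP_ID', // placeholder; real value not given in the report
        'password' => 'pwned',
    ],
    'birthyear'  => '1990',
    'birthmonth' => '7',
    'birthday'   => '4',
];

// What the original edit() hands to create()->update(): every key survives.
$vulnerable = $post['info'];

// What the hardened version writes for a session belonging to user 7.
$hardened = sanitize_profile_input(
    $post['info'],
    ['year' => $post['birthyear'], 'month' => $post['birthmonth'], 'day' => $post['birthday']],
    7
);

echo "vulnerable update keys: " . implode(', ', array_keys($vulnerable)) . PHP_EOL;
echo "hardened update keys:   " . implode(', ', array_keys($hardened)) . PHP_EOL;
echo "hardened userid:        " . $hardened['userid'] . PHP_EOL;
echo "hardened birthday:      " . $hardened['birthday'] . PHP_EOL;
```

Run it with `php example.php`: the vulnerable array still carries `groupid` and `password`, while the hardened one contains only the whitelisted columns plus the session's own `userid` and the normalised `birthday`. Whitelisting is preferable to blacklisting `groupid` alone, because any column added to the member table later would otherwise become writable by default.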
First, register an ordinary user.
![14.png](https://images.seebug.org/upload/201503/100059055861c752b6a8469410e4a418b87b1f93.png)
In the database, administrators and ordinary members are stored in the same table; only the `groupid` column distinguishes their privileges.
Then open the edit-profile page and submit the form with an extra `info[groupid]` field set to the administrator group.
![17.png](https://images.seebug.org/upload/201503/100107046f769aa565e5197a7a0e39a130e8e4d9.png)
Then log in to the admin backend.
![18.png](https://images.seebug.org/upload/201503/10010723733e4b194925167adbf6856ccf781e7c.png)
Login succeeds.
![19.png](https://images.seebug.org/upload/201503/10010740880ab3e34b11535204bc9718e63f6096.png)
Searching for live instances:
![20.png](https://images.seebug.org/upload/201503/10010940fe818364f37e0eab0fccd83af5d674c0.png)
Five more real-world instances follow; on each of the sites below the account is wooyun with password wooyun123.
http://test.tzks.cn/admin.php?a=defaults
![21.png](https://images.seebug.org/upload/201503/1001163378ded9b80b7dbc133a28ef44aa126f41.png)
http://qiushibang.com/admin.php?a=defaults
![22.png](https://images.seebug.org/upload/201503/10011648c0346256f1c5e3458ce7c7032a26b4bb.png)
http://www.gsdedu.com/admin.php?a=defaults
![23.png](https://images.seebug.org/upload/201503/10012019188d9e885f945f5b6308b4616b7dae32.png)
http://www.cnekw.com/saes/admin.php?a=defaults
![24.png](https://images.seebug.org/upload/201503/10012251714780eb8d78983c3aa6fe98bf755d8c.png)
http://www.jiuyehangbiao.com/admin.php?a=defaults
![25.png](https://images.seebug.org/upload/201503/10012546db9ef15f7d54a6b936496601a21e0362.png)
### Proof of vulnerability:
The five production instances listed above (login wooyun / wooyun123) serve as proof.