### Brief description:
One SQL injection vulnerability in Chanzhi CMS (ChanzhiEPS), demonstrated against the official site.
### Detailed description:
1. Chanzhi's overall injection protection is honestly quite good; I looked for a long time without finding anything exploitable. But nobody is perfect, programmers slip up now and then, and this time I finally found one. First, locate the vulnerability in the file system/module/message/model.php.
```
public function getByObject($type, $objectType, $objectID, $pager = null)
{
    $userMessages = $this->cookie->cmts;
    $userMessages = trim($userMessages, ',');
    if(empty($userMessages)) $userMessages = '0';
    return $this->dao->select('*')->from(TABLE_MESSAGE)
        ->where('type')->eq($type)
        ->beginIf(RUN_MODE == 'front' and $type == 'message')->andWhere('public')->eq(1)->fi()
        ->andWhere('objectType')->eq($objectType)
        ->andWhere('objectID')->eq($objectID)
        ->andWhere("(id in ({$userMessages}) or (status = '1'))") // this is the injection point: the cookie value is interpolated unfiltered
        ->orderBy('id_desc')
        ->page($pager)
        ->fetchAll();
}
```
2. The logic here is easy to follow: the code reads a cookie named `cmts`, lightly processes it (only a `trim()` of surrounding commas and an empty check), and then passes it into the `IN` of the SQL statement. As the code above shows, `$userMessages` goes straight into `IN (...)` with no anti-injection filtering at all, which creates the injection vulnerability. Next, look at where this function is called: in the file system/module/message/control.php.
```
public function index($pageID = 1)
{
    $recPerPage = !empty($this->config->site->messageRec) ? $this->config->site->messageRec : $this->config->message->recPerPage;
    $this->app->loadClass('pager', $static = true);
    $pager = new pager($recTotal = 0, $recPerPage, $pageID);
    $this->view->messages = $this->message->getByObject($type = 'message', $objectType = 'message', $objectID = 0, $pager); // first call site of the vulnerable function
    $this->view->pager = $pager;
    $this->view->title = $this->lang->message->list;
    $this->view->startNumber = ($pageID - 1) * 10;
    $this->display();
}
```
```
public function comment($objectType, $objectID, $pageID = 1)
{
    $recPerPage = !empty($this->config->site->commentRec) ? $this->config->site->commentRec : $this->config->message->recPerPage;
    $this->app->loadClass('pager', $static = true);
    $pager = new pager($recTotal = 0, $recPerPage, $pageID);
    $this->view->objectType = $objectType;
    $this->view->objectID = $objectID;
    $this->view->comments = $this->message->getByObject($type = 'comment', $objectType, $objectID, $pager); // second call site of the vulnerable function
    $this->view->pager = $pager;
    $this->view->startNumber = ($pageID - 1) * 10;
    $this->lang->message = $this->lang->comment;
    $this->display();
}
```
3. Construct a cookie named `cmts` with the value shown in the test code,
then visit http://localhost/chanzhieps/www/message-index.html
[![1.png](https://images.seebug.org/upload/201510/12152344c97ade8370a925c0ed35ffabab5dda3c.png)](https://images.seebug.org/upload/201510/12152344c97ade8370a925c0ed35ffabab5dda3c.png)
4. Try the same method against the official site. By the way, the official demo is really sluggish; you should check whether it has already been compromised.
[![2.png](https://images.seebug.org/upload/201510/121525200d8209d8d633a0089f7b3a1212cd9726.png)](https://images.seebug.org/upload/201510/121525200d8209d8d633a0089f7b3a1212cd9726.png)
Hey, you're connecting as root just like me. I'm on a local box, but you're the official demo!
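A hardened replacement for the cookie handling, added here as an example and not Chanzhi's own code: the `cmts` value is reduced to a comma-separated list of plain integers before it is interpolated into the `id in (...)` clause, so a cookie containing anything other than digits and commas can no longer change the query. The function name `sanitizeMessageIds` and the sample cookie values are assumptions of this example.

```php
<?php
// Added example (not Chanzhi's own code): whitelist the cmts cookie before it is
// interpolated into the "id in (...)" clause of getByObject().
// Only plain decimal ids survive; quotes, parentheses, keywords, signs and
// whitespace are all dropped, so the interpolated string is always a safe list.
function sanitizeMessageIds(?string $cookieValue): string
{
    if ($cookieValue === null) {
        return '0';                       // same default the original code used
    }
    $ids = [];
    foreach (explode(',', $cookieValue) as $part) {
        $part = trim($part);
        // ctype_digit() accepts only [0-9]+; the length cap keeps the later
        // (int) cast from overflowing on absurdly long digit strings.
        if ($part === '' || strlen($part) > 10 || !ctype_digit($part)) {
            continue;
        }
        $ids[(int) $part] = true;         // array key: dedupe and cast in one step
    }
    return $ids ? implode(',', array_keys($ids)) : '0';
}

// Constructed cookie values for a quick self-check (hypothetical, not from the report).
$samples = [
    '12, 7,7,abc,-1' => '12,7',   // junk and negatives dropped, duplicates merged
    ''               => '0',      // empty cookie falls back to the original default
    "5'"             => '0',      // a stray quote makes the whole fragment invalid
];
foreach ($samples as $in => $expected) {
    $out = sanitizeMessageIds($in);
    printf("%-20s => %-6s %s\n", var_export($in, true), $out, $out === $expected ? 'ok' : 'MISMATCH');
}

// In model.php the only change is the first line of getByObject():
//   $userMessages = sanitizeMessageIds($this->cookie->cmts);
// followed by the existing ->andWhere("(id in ({$userMessages}) or (status = '1'))").
```

Parameter binding would be the cleaner fix, but the report does not show whether the DAO builder's `andWhere()` accepts bound parameters, so this example whitelists the value instead of relying on binding.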
### Proof of vulnerability:
[![2.png](https://images.seebug.org/upload/201510/121525200d8209d8d633a0089f7b3a1212cd9726.png)](https://images.seebug.org/upload/201510/121525200d8209d8d633a0089f7b3a1212cd9726.png)