CmsTop媒体版某模板存在三处SQL盲注漏洞（非全部网站用户）

基本字段

漏洞编号：: SSV-96141

披露/发现时间：: 2015-10-09

提交时间：: 2015-10-09

漏洞等级：

漏洞类别：: 其他类型

影响组件：: CMSTOP

漏洞作者：: Xser

提交者：: Knownsec

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

http://wooyun.org/bugs/wooyun-2015-0144894

漏洞详情

贡献者 Knownsec 共获得 0KB

### 简要描述：不是全部网站都安装了这几个模板，这个模板用户量一般 ### 详细说明：漏洞文件是/apps/rss/controller/fullsite.php中 ``` public function get_sectiondata(){ $sectionid = $_GET['sectionid']; //多个以','隔开 $outtyle = $_GET['outtyle']; //输出类型 $section_list = $this->_rss->ls_section($sectionid); $data = array(); foreach($section_list as $section){ if ($section['data'] && ($section['data']{0} == '{' || $section['data']{0} == '[')) { $data[] = json_decode($section['data'], true); } else { $data[] = unserialize($section['data']); ``` 跟踪ls_section函数在/apps/rss/model/fullsite.php中 ``` function ls_section($sectionid){ $sql = "SELECT * FROM `#table_section` "; if($sectionid) $sql .= " WHERE sectionid IN (".$sectionid.")"; $sql .= " ORDER BY sectionid DESC"; $data = $this->db->select($sql); return $data; } ``` ``` $sectionid = $_GET['sectionid']; (".$sectionid.")"; ``` 可以看到没有过滤也没有单引号，不知道是不是有过滤，因为我源码没有完整解密我们要减法盲注测试下是不是存在注入一号 ``` http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata&sectionid=1&outtyle=1 ``` 二号 ``` http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata&sectionid=2-1&outtyle=1 ``` 三号 ``` http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata&sectionid=2&outtyle=1 ``` 一号的值是1和二号的2-1=1是等于，返回了同样的数据而三号是2，所以返回不同，所以存在注入 [<img src="https://images.seebug.org/upload/201510/05145940966685542c7a799a727dfd5da27dad65.png" alt="XI8U{`~R9{N3WB76K)[6[_S.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/05145940966685542c7a799a727dfd5da27dad65.png) [<img src="https://images.seebug.org/upload/201510/051459491a1ddf4ad9d31463dd51972596e0ff82.png" alt="QQ截图20151005145909.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/051459491a1ddf4ad9d31463dd51972596e0ff82.png) [<img src="https://images.seebug.org/upload/201510/05145957bc90609c052caaf1ddc816c2c5312c4c.png" alt="QQ截图20151005145926.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/05145957bc90609c052caaf1ddc816c2c5312c4c.png) 第二处在/apps/rss/controller/fullsite.php中 ``` public function get_category(){ $categoryid = $_GET['categoryid']; //多个以','隔开 $outtyle = $_GET['outtyle']; //输出类型 $category_list = $this->_rss->ls_category($categoryid); $this->template->assign('list',$category_list); ``` 跟踪ls_category函数在/apps/rss/model/fullsite.php中 ``` //获取栏目数据信息的数据 function ls_category($categoryid){ $sql = "SELECT * FROM `#table_category` "; if($categoryid) $sql .= " WHERE catid IN (".$categoryid.")"; $sql .= " ORDER BY catid DESC"; $data = $this->db->select($sql); return $data; ``` 和第一处一样就不演示了第三处是延时注入在apps\editor\controller\slide.php中 ``` public function pic_html() { $idtmp = explode(',',$_GET['id']); foreach($idtmp as $k=>$v){ if(!empty($v)){ $id[] = $v; } } $db = factory::db(); //得到$id[0]组图信息 $data = $db->select("SELECT * FROM #table_picture_group WHERE contentid=$id[0] ORDER BY sort ASC"); $html .= '<p><div class="picgroup"><div class="moverpic"><ul class="mover">'; $_count = 0; foreach($data as $value) ``` ``` $idtmp = explode(',',$_GET['id']); $data = $db->select("SELECT * FROM #table_picture_group WHERE contentid=$id[0] ORDER BY sort ASC"); ``` 分割后带入查询了，我们用sqlmap测试一下 [<img src="https://images.seebug.org/upload/201510/0711085666b43e65f069ee44aef00796a947e2be.png" alt="QQ截图20151007110840.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/0711085666b43e65f069ee44aef00796a947e2be.png) ### 漏洞证明：漏洞文件是/apps/rss/controller/fullsite.php中 ``` public function get_sectiondata(){ $sectionid = $_GET['sectionid']; //多个以','隔开 $outtyle = $_GET['outtyle']; //输出类型 $section_list = $this->_rss->ls_section($sectionid); $data = array(); foreach($section_list as $section){ if ($section['data'] && ($section['data']{0} == '{' || $section['data']{0} == '[')) { $data[] = json_decode($section['data'], true); } else { $data[] = unserialize($section['data']); ``` 跟踪ls_section函数在/apps/rss/model/fullsite.php中 ``` function ls_section($sectionid){ $sql = "SELECT * FROM `#table_section` "; if($sectionid) $sql .= " WHERE sectionid IN (".$sectionid.")"; $sql .= " ORDER BY sectionid DESC"; $data = $this->db->select($sql); return $data; } ``` ``` $sectionid = $_GET['sectionid']; (".$sectionid.")"; ``` 可以看到没有过滤也没有单引号，不知道是不是有过滤，因为我源码没有完整解密我们要减法盲注测试下是不是存在注入一号 ``` http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata&sectionid=1&outtyle=1 ``` 二号 ``` http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata&sectionid=2-1&outtyle=1 ``` 三号 ``` http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata&sectionid=2&outtyle=1 ``` 一号的值是1和二号的2-1=1是等于，返回了同样的数据而三号是2，所以返回不同，所以存在注入 [<img src="https://images.seebug.org/upload/201510/05145940966685542c7a799a727dfd5da27dad65.png" alt="XI8U{`~R9{N3WB76K)[6[_S.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/05145940966685542c7a799a727dfd5da27dad65.png) [<img src="https://images.seebug.org/upload/201510/051459491a1ddf4ad9d31463dd51972596e0ff82.png" alt="QQ截图20151005145909.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/051459491a1ddf4ad9d31463dd51972596e0ff82.png) [<img src="https://images.seebug.org/upload/201510/05145957bc90609c052caaf1ddc816c2c5312c4c.png" alt="QQ截图20151005145926.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/05145957bc90609c052caaf1ddc816c2c5312c4c.png) 第二处在/apps/rss/controller/fullsite.php中 ``` public function get_category(){ $categoryid = $_GET['categoryid']; //多个以','隔开 $outtyle = $_GET['outtyle']; //输出类型 $category_list = $this->_rss->ls_category($categoryid); $this->template->assign('list',$category_list); ``` 跟踪ls_category函数在/apps/rss/model/fullsite.php中 ``` //获取栏目数据信息的数据 function ls_category($categoryid){ $sql = "SELECT * FROM `#table_category` "; if($categoryid) $sql .= " WHERE catid IN (".$categoryid.")"; $sql .= " ORDER BY catid DESC"; $data = $this->db->select($sql); return $data; ``` 和第一处一样就不演示了第三处是延时注入在apps\editor\controller\slide.php中 ``` public function pic_html() { $idtmp = explode(',',$_GET['id']); foreach($idtmp as $k=>$v){ if(!empty($v)){ $id[] = $v; } } $db = factory::db(); //得到$id[0]组图信息 $data = $db->select("SELECT * FROM #table_picture_group WHERE contentid=$id[0] ORDER BY sort ASC"); $html .= '<p><div class="picgroup"><div class="moverpic"><ul class="mover">'; $_count = 0; foreach($data as $value) ``` ``` $idtmp = explode(',',$_GET['id']); $data = $db->select("SELECT * FROM #table_picture_group WHERE contentid=$id[0] ORDER BY sort ASC"); ``` 分割后带入查询了，我们用sqlmap测试一下 [<img src="https://images.seebug.org/upload/201510/0711085666b43e65f069ee44aef00796a947e2be.png" alt="QQ截图20151007110840.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/0711085666b43e65f069ee44aef00796a947e2be.png)

共 0 兑换了

PoC

暂无 PoC

参考链接

http://wooyun.org/bugs/wooyun-2015-0144894

解决方案

临时解决方案

暂无临时解决方案

官方解决方案

暂无官方解决方案

防护方案

暂无防护方案

※本站提供的任何内容、代码与服务仅供学习，请勿用于非法用途，否则后果自负

CmsTop媒体版某模板存在三处SQL盲注漏洞（非全部网站用户）

基本字段

来源

漏洞详情

PoC

参考链接

解决方案

生命线

相关漏洞

评论前需绑定手机现在绑定

暂无评论

CmsTop媒体版某模板存在三处SQL盲注漏洞（非全部网站用户）

基本字段

来源

漏洞详情

PoC

参考链接

解决方案

生命线

相关漏洞

评论前需绑定手机 现在绑定

暂无评论

您好，

您好，

评论前需绑定手机现在绑定