Vulnerability summary

Defect ID: wooyun-2014-051735

Title: XDcms Sql Injection 29-50

Vendor: www.xdcms.cn

Author: HackBraid

Submitted: 2014-02-25 14:44

Fix deadline: 2014-05-23 14:45

Published: 2014-05-23 14:45

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 6

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-02-25: details sent to the vendor, awaiting vendor action
2014-03-07: vendor actively ignored the vulnerability; details opened to third-party security partners
2014-05-01: details opened to core white hats and domain experts
2014-05-11: details opened to regular white hats
2014-05-21: details opened to intern white hats
2014-05-23: details opened to the public

Brief description:

SQL injection

Detailed description:

The injection is in the category-add handler of the XDCMS enterprise management system back end, file \system\modules\xdcms\category.php:
When an administrator adds or edits a category, add_save() and edit_save() are called respectively, and the injection points described below sit in these two functions (a third function, sort_save(), is covered last):
add_save(), 11 injection points:

public function add_save(){
    $config=base::load_cache("cache_set_config","_config");
    $catname=safe_html($_POST['catname']);//injection point 1, uppercase bypasses the filter
    $catdir=$_POST['catdir'];//injection point 2
    $thumb=safe_html($_POST['thumb']);//injection point 3, uppercase bypasses the filter
    $is_link=intval($_POST['is_link']);
    $url=$_POST['url'];//injection point 4
    $model=safe_html($_POST['model']);//injection point 5, uppercase bypasses the filter
    $sort=intval($_POST['sort']);
    $is_show=intval($_POST['is_show']);
    $parentid=intval($_POST['parentid']);
    $is_target=intval($_POST['is_target']);
    $is_html=intval($_POST['is_html']);
    $template_cate=safe_html($_POST['template_cate']);//injection point 6, uppercase bypasses the filter
    $template_list=safe_html($_POST['template_list']);//injection point 7, uppercase bypasses the filter
    $template_show=safe_html($_POST['template_show']);//injection point 8, uppercase bypasses the filter
    $seo_title=safe_html($_POST['seo_title']);//injection point 9, uppercase bypasses the filter
    $seo_key=safe_html($_POST['seo_key']);//injection point 10, uppercase bypasses the filter
    $seo_des=safe_html($_POST['seo_des']);//injection point 11, uppercase bypasses the filter
    $url_list=intval($_POST['url_list']);
    $url_show=intval($_POST['url_show']);
    $modelid=modelid($model);
    $power=addslashes(var_export($_POST['power'],true));
    $lang=isset($_POST['lang'])?intval($_POST['lang']):1;
    $pagesize=intval($_POST['pagesize']);

    if(empty($catname)||empty($catdir)||empty($model)||empty($pagesize)){
        showmsg(C('material_not_complete'),'-1');
    }

    if(!check_str($catdir,'/^[a-z0-9][a-z0-9]*$/')){
        showmsg(C('catdir').C('numbers_and_letters'),'-1');
    }

    if($is_html==1){
        if($config['createhtml']!=1){
            showmsg(C('config_html_error'),'index.php?m=xdcms&c=setting');
        }
    }

    $nums=$this->mysql->db_num("category","catdir='".$catdir."'");
    if($nums>0){
        showmsg(C('catdir_exist'),'-1');
    }

    $sql="insert into ".DB_PRE."category (catname,catdir,thumb,is_link,url,model,modelid,sort,is_show,is_target,is_html,template_cate,template_list,parentid,template_show,seo_title,seo_key,seo_des,power,lang,url_list,url_show,pagesize) values ('".$catname."','".$catdir."','".$thumb."','".$is_link."','".$url."','".$model."','".$modelid."','".$sort."','".$is_show."','".$is_target."','".$is_html."','".$template_cate."','".$template_list."','".$parentid."','".$template_show."','".$seo_title."','".$seo_key."','".$seo_des."','".$power."','".$lang."','".$url_list."','".$url_show."','".$pagesize."')";
    $this->mysql->query($sql);
    $catid=$this->mysql->insert_id();

    if($is_link==0){//generate the url
        $ob_url=base::load_class("url");
        $url=$ob_url->caturl($catid,$catdir,$is_html,0,$lang,$url_list);
        $this->mysql->db_update("category","`url`='".$url."'","`catid`=".$catid);
    }

    $this->category_cache();
    showmsg(C('add_success'),'-1');
}


edit_save() has 11 injection points:

public function edit_save(){
    $config=base::load_cache("cache_set_config","_config");
    $catid=intval($_POST['catid']);
    $catname=safe_html($_POST['catname']);//injection point 1, uppercase bypasses the filter
    $catdir=$_POST['catdir'];//injection point 2
    $thumb=safe_html($_POST['thumb']);//injection point 3, uppercase bypasses the filter
    $is_link=intval($_POST['is_link']);
    $url=$_POST['url'];//injection point 4
    $sort=intval($_POST['sort']);
    $is_show=intval($_POST['is_show']);
    $parentid=intval($_POST['parentid']);
    $is_target=intval($_POST['is_target']);
    $is_html=intval($_POST['is_html']);
    $template_cate=safe_html($_POST['template_cate']);//injection point 5, uppercase bypasses the filter
    $template_list=safe_html($_POST['template_list']);//injection point 6, uppercase bypasses the filter
    $template_show=safe_html($_POST['template_show']);//injection point 7, uppercase bypasses the filter
    $seo_title=safe_html($_POST['seo_title']);//injection point 8, uppercase bypasses the filter
    $seo_key=safe_html($_POST['seo_key']);//injection point 9, uppercase bypasses the filter
    $seo_des=safe_html($_POST['seo_des']);//injection point 10, uppercase bypasses the filter
    $url_list=intval($_POST['url_list']);
    $url_show=intval($_POST['url_show']);
    $model=safe_html($_POST['model']);//injection point 11, uppercase bypasses the filter
    $modelid=modelid($model);
    $power=addslashes(var_export($_POST['power'],true));
    $lang=isset($_POST['lang'])?intval($_POST['lang']):1;
    $pagesize=intval($_POST['pagesize']);

    if(empty($catname)||empty($catdir)||empty($catid)||empty($pagesize)){
        showmsg(C('material_not_complete'),'-1');
    }

    if(!check_str($catdir,'/^[a-z0-9][a-z0-9]*$/')){
        showmsg(C('catdir').C('numbers_and_letters'),'-1');
    }

    if($is_html==1){
        if($config['createhtml']!=1){
            showmsg(C('config_html_error'),'index.php?m=xdcms&c=setting');
        }
    }

    $nums=$this->mysql->db_num("category","catdir='".$catdir."' and catid!=".$catid);
    if($nums>0){
        showmsg(C('catdir_exist'),'-1');
    }

    //check whether the category already holds data; if so, the model may not be changed
    $rs=$this->mysql->get_one("select catid,model from ".DB_PRE."category where `catid`=".$catid);
    if($rs['model']!=$model){
        $catnum=$this->mysql->db_num($rs['model'],"catid=".$catid);
        if($catnum>0){
            showmsg(C('category_have_data'),'-1');
        }
    }

    if($is_link==0){ //generate the url
        $ob_url=base::load_class("url");
        $url=$ob_url->caturl($catid,$catdir,$is_html,0,$lang,$url_list);
    }

    $this->mysql->db_update("category","`catname`='".$catname."',`catdir`='".$catdir."',`thumb`='".$thumb."',`is_link`='".$is_link."',`url`='".$url."',`sort`='".$sort."',`is_show`='".$is_show."',`is_target`='".$is_target."',`is_html`='".$is_html."',`parentid`='".$parentid."',`template_cate`='".$template_cate."',`template_list`='".$template_list."',`template_show`='".$template_show."',`seo_title`='".$seo_title."',`seo_key`='".$seo_key."',`seo_des`='".$seo_des."',`power`='".$power."',`lang`='".$lang."',`model`='".$model."',`modelid`='".$modelid."',`url_list`='".$url_list."',`url_show`='".$url_show."',`pagesize`='".$pagesize."'","`catid`=".$catid);
    $this->category_cache();
    showmsg(C('update_success'),'index.php?m=xdcms&c=category');
}


sort_save() contains 1 injection point:

public function sort_save(){
    $catid=$_POST['catid'];//unfiltered
    foreach($catid as $val){
        $sort=$_POST["sort{$val}"];
        if(is_numeric($sort)){
            $this->mysql->db_update("category","`sort`='".$sort."'","`catid`=".$val);
        }
    }
    $this->category_cache();
    showmsg(C('update_success'),'index.php?m=xdcms&c=category');
}

Proof of vulnerability:

Taking catname on the category-add page as the example, click "add category":

(screenshot: cat.jpg)

Intercept the request and add the exp:

(screenshot: cat1.jpg)

Success!:

(screenshot: cat2.jpg)

Fix:

Filter the input!
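The root cause in all three functions above is the same: request values (some passed through safe_html, some not) are concatenated into SQL strings, so no amount of keyword filtering can close the hole reliably. Below is an added example, not XDcms project code, that rewrites the insert of add_save(), the update of edit_save() and the per-row update of sort_save() with PDO prepared statements, so every request value is bound as a typed parameter and never becomes part of the SQL text. It assumes a PDO connection in $pdo, the DB_PRE table-prefix constant and the column names from the original; the modelid($model) lookup of the original is left out, and the catdir rule from the original is kept as a real check.

```php
<?php
// Added example, not XDcms code: parameterised replacements for the three
// category.php operations. Assumes $pdo (PDO) and the DB_PRE constant.
declare(strict_types=1);

// Column lists are fixed in code; only the values come from the request.
const CATEGORY_INT_COLS = ['is_link', 'sort', 'is_show', 'parentid', 'is_target',
    'is_html', 'url_list', 'url_show', 'pagesize', 'lang'];
const CATEGORY_STR_COLS = ['catname', 'catdir', 'thumb', 'url', 'model', 'template_cate',
    'template_list', 'template_show', 'seo_title', 'seo_key', 'seo_des'];

// Build a typed row from $_POST-shaped input; keys outside the lists are ignored.
function category_row_from_post(array $post): array
{
    $row = [];
    foreach (CATEGORY_INT_COLS as $k) {
        $row[$k] = (int)($post[$k] ?? 0);
    }
    $row['lang'] = isset($post['lang']) ? (int)$post['lang'] : 1;
    foreach (CATEGORY_STR_COLS as $k) {
        $row[$k] = (string)($post[$k] ?? '');
    }
    // 'power' is an array in the original (var_export'ed and addslashes'd); store it as JSON.
    $row['power'] = json_encode(is_array($post['power'] ?? null) ? $post['power'] : []);
    // Same catdir rule as the original, enforced rather than only reported.
    if (!preg_match('/^[a-z0-9]+$/', $row['catdir'])) {
        throw new InvalidArgumentException('catdir must be lowercase letters and digits');
    }
    return $row;
}

// Bind each value with an explicit type; strings are never escaped by hand.
function bind_row(PDOStatement $stmt, array $row): void
{
    foreach ($row as $k => $v) {
        $stmt->bindValue(':' . $k, $v, is_int($v) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
}

// add_save() equivalent: duplicate check and INSERT, both parameterised.
function category_insert(PDO $pdo, array $post): int
{
    $row = category_row_from_post($post);
    $dup = $pdo->prepare('SELECT COUNT(*) FROM ' . DB_PRE . 'category WHERE catdir = :catdir');
    $dup->execute([':catdir' => $row['catdir']]);
    if ((int)$dup->fetchColumn() > 0) {
        throw new RuntimeException('catdir already exists');
    }
    $cols = array_keys($row);   // derived from the constant lists, not from the request
    $sql = 'INSERT INTO ' . DB_PRE . 'category (`' . implode('`,`', $cols) . '`) VALUES (:'
        . implode(', :', $cols) . ')';
    $stmt = $pdo->prepare($sql);
    bind_row($stmt, $row);
    $stmt->execute();
    return (int)$pdo->lastInsertId();
}

// edit_save() equivalent: UPDATE ... WHERE catid = :catid with every value bound.
function category_update(PDO $pdo, array $post): int
{
    $catid = filter_var($post['catid'] ?? null, FILTER_VALIDATE_INT);
    if ($catid === false) {
        throw new InvalidArgumentException('catid must be an integer');
    }
    $row = category_row_from_post($post);
    $sets = array_map(fn(string $k): string => "`$k` = :$k", array_keys($row));
    $stmt = $pdo->prepare('UPDATE ' . DB_PRE . 'category SET ' . implode(', ', $sets)
        . ' WHERE catid = :catid');
    bind_row($stmt, $row);
    $stmt->bindValue(':catid', $catid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// sort_save() equivalent: each catid is validated as an integer before use;
// the original spliced the raw POST value straight into the WHERE clause.
function category_sort_save(PDO $pdo, array $post): int
{
    $ids = $post['catid'] ?? [];
    if (!is_array($ids)) {
        return 0;
    }
    $stmt = $pdo->prepare('UPDATE ' . DB_PRE . 'category SET sort = :sort WHERE catid = :catid');
    $updated = 0;
    foreach ($ids as $val) {
        $catid = filter_var($val, FILTER_VALIDATE_INT);
        if ($catid === false) {
            continue;
        }
        $sort = filter_var($post["sort{$catid}"] ?? null, FILTER_VALIDATE_INT);
        if ($sort === false) {
            continue;
        }
        $stmt->execute([':sort' => $sort, ':catid' => $catid]);
        $updated += $stmt->rowCount();
    }
    return $updated;
}
```

Create the connection with PDO::ATTR_EMULATE_PREPARES set to false so the MySQL server, not the driver, performs the parameter binding, and with PDO::ATTR_ERRMODE set to PDO::ERRMODE_EXCEPTION so a failed statement is not silently ignored. With values bound this way the case of a keyword in the input no longer matters, which is exactly the weakness of the safe_html filter that the report points out.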

Copyright notice: please credit the source, HackBraid@WooYun, when reposting.


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored on: 2014-05-23 14:45

Vendor reply:

Latest status:

None