Walks

Cybersecurity enthusiast

Code audit: multiple issues in Semcms v2.3 PHP edition

Preface:

[Figure: Code audit: multiple issues in Semcms v2.3 PHP edition]

As the screenshot above shows, I noticed several newly published vulnerabilities on Knownsec (知道创宇) and wanted to see where they were. I downloaded the latest V2.3 and found something interesting: these bugs already existed in V2.1 and have still not been fixed. Below is a short analysis; the bugs themselves are simple.

Web_Mail injection:

if ($Type=="fintpassword"){
    if (@htmlspecialchars($_POST['Email']) !==""){ // check that an email address was supplied
        // the escaped copy tested above is discarded; the raw POST value is concatenated into the query
        $sql="select * from sc_user where user_email='".$_POST['Email']."'";
        $result=mysql_query($sql);
        $row = mysql_fetch_array($result,MYSQL_ASSOC);
        if (mysql_num_rows($result)>0)
        {
            // ... password-reset handling continues here (not shown on the page)
        }
    }
}

Look at the code: do you see the problem? The if condition runs the input through htmlspecialchars, but that escaped copy is only used for the emptiness test. The SQL string that follows concatenates the raw $_POST['Email'] value, so nothing has been escaped by the time the query runs. That is a textbook SQL injection. Note also that htmlspecialchars with its default flags (the mysql_* extension used here only exists on PHP 5, where the default is ENT_COMPAT) encodes double quotes but not single quotes, so even using the escaped copy would not have protected a single-quoted SQL literal; the real fix is a prepared statement, not HTML escaping.
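The same pattern reproduced in Python against an in-memory SQLite table, as an added example that is not Semcms code: the handler tests an escaped copy of the email but concatenates the raw value, a constructed payload turns the lookup into a match-everything query, and the same payload is inert once the query is parameterized. The php_htmlspecialchars helper, the sc_user table, its rows and the `x' or 1=1 --` payload are all constructed for this example; the payload is a generic demonstration value, not one taken from the page.

```python
import sqlite3

# Added example, not Semcms code. Reproduces the shape of the page's
# Web_Mail handler: the escaped copy of the input is only used for an
# emptiness check, while the raw value is concatenated into the SQL.
# The table, rows and payload below are constructed for this example.


def php_htmlspecialchars(s: str) -> str:
    """Mimic PHP's htmlspecialchars() with its pre-8.1 default flags
    (ENT_COMPAT): & < > and double quotes are encoded, single quotes
    and backslashes pass through untouched."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def build_mail_query(email: str) -> str:
    """Same construction as the page's code: test the escaped copy,
    then concatenate the raw value into the statement."""
    if php_htmlspecialchars(email) == "":
        raise ValueError("no email supplied")
    return "select * from sc_user where user_email='" + email + "'"


def make_db() -> sqlite3.Connection:
    """Constructed sc_user table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table sc_user (user_name text, user_email text)")
    conn.executemany("insert into sc_user values (?, ?)",
                     [("admin", "admin@example.com"),
                      ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """String-built query: attacker-controlled text is parsed as SQL."""
    return conn.execute(build_mail_query(email)).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """The fix: the driver sends the value separately from the statement,
    so quotes and comment markers inside it are just characters."""
    return conn.execute(
        "select * from sc_user where user_email=?", (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "x' or 1=1 --"      # constructed generic payload
    print(build_mail_query(payload))
    print(len(lookup_vulnerable(db, payload)), "rows via concatenation")
    print(len(lookup_parameterized(db, payload)), "rows via placeholder")
    print(repr(php_htmlspecialchars(payload)), "<- escaping changed nothing")
```

SQLite accepts `--` as a line comment anywhere, which is why the demonstration uses it; on MySQL the equivalent payload would end in `-- ` (with a trailing space) or `#`. The last print shows the point made above: the HTML escaping the original code applies leaves the single quote intact, so it would not have helped even if its result had been used.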

Backend login bypass:

function checkuser(){ // verify the account
    $cookieuser=@htmlspecialchars($_COOKIE["scuser"]);
    $cookieuserqx=@htmlspecialchars($_COOKIE["scuserqx"]);
    // both cookie values land in single-quoted literals; htmlspecialchars leaves \ and ' alone
    $sql="select * from sc_user where user_ps='$cookieuser' and user_qx='$cookieuserqx'";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result,MYSQL_ASSOC);
    // alert text: "Incorrect account or password, please log in again!"
    if (!mysql_num_rows($result)){ echo "<script language='javascript'>alert('账号密码不正确重新登陆!');top.location.href='index.html';</script>";}
    else {echo'';}
}

This code is in function.php. There is a simple filter, but it can still be bypassed.

When $cookieuser is \ and $cookieuserqx is or 1=1#, the statement becomes select * from sc_user where user_ps='\' and user_qx='or 1=1#'. MySQL treats the backslash as escaping the quote that was meant to close user_ps, so that string literal runs on until the quote that was meant to open user_qx. The text after it, or 1=1, is now parsed as SQL, and # comments out the trailing quote. The query matches every row, mysql_num_rows() is non-zero, and checkuser() lets you into the backend. htmlspecialchars never touches backslashes (nor, with default flags, single quotes), which is why this filter does not help. The trick assumes MySQL's default sql_mode (NO_BACKSLASH_ESCAPES off) and magic_quotes_gpc being off (it was removed in PHP 5.4); with magic quotes on, the backslash itself would be escaped.
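To see exactly where the literal boundaries move, here is an added example (not Semcms code) that rebuilds the checkuser() query string in Python and runs it through a small lexer following MySQL's rules for single-quoted literals (a backslash escapes the next character, '' is a literal quote) and # line comments. The cookie values are constructed; the php_htmlspecialchars helper mimics PHP's default-flag behaviour; the lexer assumes MySQL's default sql_mode (NO_BACKSLASH_ESCAPES off) and covers only the syntax this page needs.

```python
# Added example, not Semcms code. Models how MySQL's lexer reads the query
# that checkuser() builds, to show why a backslash in one cookie and
# "or 1=1#" in the other turns cookie data into SQL. Cookie values are
# constructed; the lexer handles only single-quoted literals and # comments.


def php_htmlspecialchars(s: str) -> str:
    """PHP htmlspecialchars() with pre-8.1 default flags (ENT_COMPAT):
    backslashes and single quotes pass through untouched."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def build_checkuser_query(scuser: str, scuserqx: str) -> str:
    """Same string construction as the page's checkuser()."""
    cookieuser = php_htmlspecialchars(scuser)
    cookieuserqx = php_htmlspecialchars(scuserqx)
    return ("select * from sc_user where user_ps='" + cookieuser
            + "' and user_qx='" + cookieuserqx + "'")


def mysql_lex(sql: str):
    """Split a statement the way MySQL's lexer does: inside a single-quoted
    literal a backslash escapes the next character and '' is a quote; outside
    one, '#' starts a comment that runs to the end. Returns
    (live_sql, literals, comment) with each literal replaced by '?' in live_sql.
    Assumes the default sql_mode (NO_BACKSLASH_ESCAPES off)."""
    live, literals, comment = [], [], ""
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c == "#":
            comment = sql[i + 1:]
            break
        if c != "'":
            live.append(c)
            i += 1
            continue
        # entered a single-quoted literal
        i += 1
        buf = []
        while i < n:
            c = sql[i]
            if c == "\\" and i + 1 < n:
                buf.append(sql[i + 1])   # escaped char, including \'
                i += 2
            elif c == "'":
                if i + 1 < n and sql[i + 1] == "'":
                    buf.append("'")      # '' inside a literal
                    i += 2
                else:
                    i += 1               # closing quote
                    break
            else:
                buf.append(c)
                i += 1
        literals.append("".join(buf))
        live.append("?")
    return "".join(live), literals, comment


# Shape the query has when both cookies are plain data.
EXPECTED_SHAPE = "select * from sc_user where user_ps=? and user_qx=?"


def cookies_alter_query(scuser: str, scuserqx: str) -> bool:
    """True when the cookie values change the SQL outside the literals."""
    live, _, _ = mysql_lex(build_checkuser_query(scuser, scuserqx))
    return live != EXPECTED_SHAPE


if __name__ == "__main__":
    for cookies in (("secret", "1"), ("\\", "or 1=1#")):
        q = build_checkuser_query(*cookies)
        live, lits, comment = mysql_lex(q)
        print(q)
        print("  live SQL :", live)
        print("  literals :", lits)
        print("  comment  :", repr(comment))
        print("  altered  :", cookies_alter_query(*cookies))
```

For the benign cookies the live SQL is the expected template with two literals; for \ and or 1=1# the only literal is `' and user_qx=` and the live SQL ends in `or 1=1`, with the final quote swallowed by the comment. Comparing the lexed shape against a template, as cookies_alter_query() does, is a useful way to confirm an injection hypothesis during an audit before touching a live database.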

There are several other bugs I won't go into here. Below is the address of the write-up for the V2.1 bugs; V2.3 is the same and they are still unfixed, so have a look if you are interested.

Reference: http://0day5.com/archives/4320/
