phpcms 2008 SQL injection vulnerability

Vulnerability author: icefish

Brief description:
The ads module of phpcms 2008 does not filter its parameters strictly, which leads to a SQL injection vulnerability. If the target server has error display enabled, the flaw can be exploited directly; if error display is disabled, time-based or error-based blind injection can be used.
Details:
js.php

ad.php

```php
table_status(DB_PRE.'ads_'.$year);
if(!$table_status) {
    include MOD_ROOT.'include/create.table.php';
}
$place->show($id);
?>
```

common.inc.php

```php
select("SELECT groupid FROM `".DB_PRE."member_group_extend` WHERE `userid`=$_userid");
}
?>
```

ads_place.class.php

```php
function show($placeid)
{
    global $_username;
    $placeid = intval($placeid);
    if(!$placeid) return FALSE;
    $ip = IP;
    $time = time();
    //echo $this->referer;
    $adses = $this->db->select("SELECT * FROM ".DB_PRE."ads a, $this->table p WHERE a.placeid=p.placeid AND p.placeid=$placeid AND a.fromdate<=UNIX_TIMESTAMP() AND a.todate>=UNIX_TIMESTAMP() AND a.passed=1 AND a.status=1 AND p.passed=1");
    if($adses[0]['option'])
    {
        foreach($adses as $ads)
        {
            $contents[] = ads_content($ads, 1);
            echo ("INSERT INTO $this->stat_table (`adsid`, `username`, `ip`, `referer`, `clicktime`, `type`) VALUES ('$ads[adsid]', '$_username', '$ip', '$this->referer', '$time', '0')");
            $this->db->query("INSERT INTO $this->stat_table (`adsid`, `username`, `ip`, `referer`, `clicktime`, `type`) VALUES ('$ads[adsid]', '$_username', '$ip', '$this->referer', '$time', '0')");
            $template = $ads['template'] ? $ads['template'] : 'ads';
        }
    }
    else
    {
        echo ("INSERT INTO $this->stat_table (`adsid`, `username`, `ip`, `referer`, `clicktime`, `type`) VALUES ('$ads[adsid]', '$_username', '$ip', '$this->referer', '$time', '0')");
        $ads = $this->db->get_one("SELECT * FROM ".DB_PRE."ads a, $this->table p WHERE a.placeid=p.placeid AND p.placeid=$placeid AND a.fromdate<=UNIX_TIMESTAMP() AND a.todate>=UNIX_TIMESTAMP() AND a.passed=1 AND a.status=1 ORDER BY rand() LIMIT 1");
        $contents[] = ads_content($ads, 1);
        $this->db->query("INSERT INTO $this->stat_table (`adsid`, `username`, `ip`, `referer`, `clicktime`, `type`) VALUES ('$ads[adsid]', '$_username', '$ip', '$this->referer', '$time', '0')");
        $template = $ads['template'] ? $ads['template'] : 'ads';
    }
    include template('ads', $template);
}
```

The specific problem is this statement:

```php
$this->db->query("INSERT INTO $this->stat_table (`adsid`, `username`, `ip`, `referer`, `clicktime`, `type`) VALUES ('$ads[adsid]', '$_username', '$ip', '$this->referer', '$time', '0')");
```

Here `$this->referer` is not filtered and can be controlled by the user. If error display has not been disabled, an injection tool can be used directly with error-based SQL injection; if a custom error page is in place, blind injection can be used instead.
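As an added illustration (this is not phpcms code), the click-logging INSERT from `ads_place.class.php` is shown below in PHP in its vulnerable, string-interpolated form and in a hardened form using a PDO prepared statement. It assumes a PDO connection (an in-memory SQLite database stands in for MySQL), a table name taken from trusted configuration, and a `$referer` argument holding the raw Referer header value; the advisory does not show where `$this->referer` is populated, so that origin is an assumption. The sample data, including a referer that merely contains an apostrophe, is constructed for the demonstration.

```php
<?php
// Added example, not phpcms code. Assumptions: $pdo is a PDO connection,
// $statTable comes from trusted configuration, $referer is the raw Referer
// header value (the advisory does not show where $this->referer is set).

// Vulnerable form, mirroring the advisory: every interpolated value, including
// the client-controlled referer, becomes part of the SQL text itself.
function log_click_vulnerable(PDO $pdo, string $statTable, array $ads,
                              string $username, string $ip, string $referer): void
{
    $time = time();
    $sql = "INSERT INTO $statTable (`adsid`, `username`, `ip`, `referer`, `clicktime`, `type`) "
         . "VALUES ('$ads[adsid]', '$username', '$ip', '$referer', '$time', '0')";
    $pdo->query($sql);
}

// Hardened form: values travel separately from the SQL text via a prepared
// statement, so a quote in the referer can never alter the statement.
// A table name cannot be bound as a parameter, so it is validated against a
// strict identifier pattern before being interpolated.
function log_click_safe(PDO $pdo, string $statTable, array $ads,
                        string $username, string $ip, string $referer): void
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $statTable)) {
        throw new InvalidArgumentException('invalid stat table name');
    }
    // Bound the stored referer; otherwise MySQL would silently truncate an
    // oversized value, and an oversized Referer is itself worth noticing.
    $referer = substr($referer, 0, 255);

    $stmt = $pdo->prepare(
        "INSERT INTO `$statTable` (`adsid`, `username`, `ip`, `referer`, `clicktime`, `type`) "
        . "VALUES (:adsid, :username, :ip, :referer, :clicktime, '0')"
    );
    $stmt->execute([
        ':adsid'     => (int) $ads['adsid'],
        ':username'  => $username,
        ':ip'        => $ip,
        ':referer'   => $referer,
        ':clicktime' => time(),
    ]);
}

// Demonstration with constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ads_stat (adsid INTEGER, username TEXT, ip TEXT, '
         . 'referer TEXT, clicktime INTEGER, type TEXT)');

$ads = ['adsid' => 7];
// A perfectly ordinary referer containing an apostrophe (constructed value).
$referer = "http://example.test/search?q=O'Reilly";

try {
    log_click_vulnerable($pdo, 'ads_stat', $ads, 'guest', '127.0.0.1', $referer);
    echo "vulnerable insert executed\n";
} catch (PDOException $e) {
    // The apostrophe breaks the statement. With error display enabled, this
    // message is what the client sees, which is the condition the advisory
    // relies on; with it disabled, the failure is only visible server-side.
    echo "vulnerable insert failed: " . $e->getMessage() . "\n";
}

log_click_safe($pdo, 'ads_stat', $ads, 'guest', '127.0.0.1', $referer);
$row = $pdo->query('SELECT referer FROM ads_stat')->fetch(PDO::FETCH_ASSOC);
echo "hardened insert stored referer verbatim: "
   . ($row['referer'] === $referer ? "yes" : "no") . "\n";
```

Run with `php example.php` (PHP 7.1 or later with the PDO SQLite driver). The vulnerable call fails on the apostrophe, which is the same mechanism the advisory describes; the hardened call stores the value unchanged. Disabling error display hides the symptom but not the defect, so the fix is the prepared statement, and the table name check covers the one part of the statement that parameters cannot protect.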
