鸿 网 互 联 www.68idc.cn

cutecms_v3.5 SQL注入及修复

来源:互联网 作者:佚名 时间:2016-05-07 10:04
/*******************************************************//* cutecms_v3.5 SQL Injection Vulnerability/* ======================== /* By: : Kn1f3 /* E-Mail : 681796@qq.com/*******************************************************//* Welcome to
/*******************************************************/

/* cutecms_v3.5 SQL Injection Vulnerability



/* ======================== 



/* By: : Kn1f3 



/* E-Mail : 681796@qq.com



/*******************************************************/

/* Welcome to http://www.90sec.com */

/*******************************************************/

首先看首页文件



index.php




>>>>/**/无关代码省略/**/

 define('IN_CUTECMS', true);

 if(!file_exists("include/install.lock")) {
	 header("location:install/");exit;
 }

 require_once('include/helper.php');
 require_once('include/generate_static.inc.php');   //包含文件

>>>>/**/无关代码省略/**/

	 if($staticUrl && $staticUrl!='index') {    


		 if(preg_match("/^(.*)_page([0-9]{1,})$/i",   $staticUrl)) {

		   $url = substr($staticUrl, 0, strpos($staticUrl, "_page")).".html";
		   $staticUrlRow = getStaticUrlRow($db, $url);
		   $action = $staticUrlRow['action'];
		   $urlChannelId = $urlContentId = $staticUrlRow['rid'];
		   $urlPageNum = substr($staticUrl, strpos($staticUrl, "_page")+5);

		 }
		 
		 else {

			 $url = $staticUrl.".html";

			 $staticUrlRow = getStaticUrlRow($db, $url);  //发现带入了数据库查询,看看getStaticUrlRow函数

	         if(!$staticUrlRow) {

			   $pathPartsArr = pathinfo($url);
              
			   $staticPathArr = explode("/", $pathPartsArr['dirname']);
	           $staticChannelHtmlName = array_pop($staticPathArr);

>>>>/**/无关代码省略/**/

//跟入helper.php

require_once( BASE."lang.inc.php" );
require_once( BASE."base.inc.php" );
require_once( BASE."validate.inc.php" );
require_once( BASE."elements.inc.php" );
require_once( BASE."template.inc.php" );

//继续跟入base.inc.php

function getStaticUrlRow( $db, $url = "", $rid = "" )
{
				$sql = "SELECT * FROM ".PREFIX."static_url WHERE 1";
				if ( $url ) //带入查询没有任何过滤
				{
								$sql .= " AND url = '".$url."'";
				}
				if ( $rid )
				{
								$sql .= " AND rid = ".$rid;
				}
				$sql .= " LIMIT 1";
				$re = $db->getRow( $sql );
				return $re;
}

//以为把文件加密了,就能把漏洞给修补?作者太2了吧
 

>>>>/**/无关代码省略/**/

http://127.0.0.1/cutecms_free_v3.5/index.php?staticUrl=[sql]

 




修复方案:

:) 可以用80sec那段防注入代码 

网友评论
<