<!DOCTYPE html><html lang="en"><head><meta name="generator" content="Hexo 3.9.0"><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"><meta name="description" content="Vulnerability hunting in the latest DuomiCms 3.0"><meta name="keywords" content="Duomicms"><meta name="author" content="Mochazz"><meta name="copyright" content="Mochazz"><title>Vulnerability Hunting in the Latest DuomiCms 3.0 | Mochazz's blog</title><link rel="shortcut icon" href="/favicon.png"><link rel="stylesheet" href="/css/index.css?version=1.6.1"></head><body><div id="content-outer"><div id="top-container"><div id="page-header"><span class="pull-left"> <a id="site-name" href="/">Mochazz's blog</a></span></div><div id="post-info"><div id="post-title">Vulnerability Hunting in the Latest DuomiCms 3.0</div><div id="post-meta"><time class="post-meta__date"><i class="fa fa-calendar" aria-hidden="true"></i> 2018-09-30</time><span class="post-meta__separator">|</span><i class="fa fa-inbox post-meta__icon" aria-hidden="true"></i><a class="post-meta__categories" href="/categories/代码审计/">Code Audit</a></div></div></div><div class="layout" id="content-inner"><article id="post"><div class="article-container" id="post-content"><h3 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h3><p>This article records the process of hunting for vulnerabilities in the <strong>latest version of DuomiCms 3.0</strong> and shares some auditing techniques along the way; I hope it helps readers who want to learn code auditing. Not every vulnerability discussed here necessarily exists, but for the sake of completeness I have recorded the whole hunting process.</p>
<h3 id="XXE漏洞挖掘"><a href="#XXE漏洞挖掘" class="headerlink" title="XXE漏洞挖掘"></a>XXE Vulnerability Hunting</h3><p>First, use <strong>phpstorm</strong>'s global search (shortcut: <code>Ctrl+Shift+F</code>) for strings such as <strong>simplexml_load_</strong> and <strong>SimpleXMLElement</strong>; the <strong>simplexml_load_</strong> string covers both <strong>simplexml_load_file</strong> and <strong>simplexml_load_string</strong>. The search returns close to 40 results, as shown below:</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/1.png" alt="1"></p>
<p>Next we verify them one by one (in practice there is no need to verify every single one, since some of the code has a very similar structure, or one glance tells you there is no vulnerability). Let's first look at the code in <strong>api.php</strong>: the <strong>XML</strong> content here comes from the <strong>$playerKindsfile</strong> variable, whose value is the content of the <strong>data/admin/playerKinds.xml</strong> file. The <strong>api.php</strong> code is as follows:</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/2.png" alt="2"></p>
<p>What we need to consider now is whether the content of <strong>data/admin/playerKinds.xml</strong> can be controlled by us. If an attacker can control this file, an <strong>XXE</strong> vulnerability is very likely. So we search for the string <strong>playerKinds</strong>; the results are:</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/3.png" alt="3"></p>
<p>We find one statement, <strong>$doc -> save($playerKindsfile)</strong>. Judging by the function name, this very likely saves the content corresponding to the <strong>$playerKindsfile</strong> variable into <strong>data/admin/playerKinds.xml</strong>. So we need to check whether the content corresponding to <strong>$playerKindsfile</strong> is controllable.</p>
<p>We locate the corresponding code in <strong>admin\admin_player.php</strong> and find that when <strong>$action=="addnew"</strong>, the four <strong>POST</strong> parameters <strong>playername</strong>, <strong>info</strong>, <strong>order</strong> and <strong>trail</strong> are written into <strong>data/admin/playerKinds.xml</strong>. The relevant code is:<br><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/4.png" alt="4"></p>
<p>We capture the request with <strong>BurpSuite</strong> and monitor the <strong>www</strong> directory with <strong>TheFolderSpy</strong> (to detect whether user input gets written into a file). The results:</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/5.png" alt="5"></p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/6.png" alt="6"></p>
<p>We find that the four <strong>POST</strong> parameters <strong>playername</strong>, <strong>info</strong>, <strong>order</strong> and <strong>trail</strong> are indeed written into <strong>data/admin/playerKinds.xml</strong>, but all the special characters are <strong>HTML-entity-encoded</strong>, so this spot cannot be exploited. (The screenshot below shows the special characters in the <strong>payload</strong> being <strong>HTML-entity-encoded</strong>.)</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/7.png" alt="7"></p>
<p>We go on to check whether an <strong>XXE</strong> vulnerability exists elsewhere and find that the other <strong>XML</strong>-loading code is basically the same as above, so there should be no <strong>XXE</strong> vulnerability.</p>
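<p>The finding above comes down to two properties: user input is serialized as entity-encoded text, so it cannot grow into markup, and the loader never sees a DTD. The following is an added Python re-implementation of both (not DuomiCms's PHP code): <code>add_player_kind_safe</code> builds the node through a DOM so the serializer encodes <code>&lt;</code>, <code>&gt;</code> and <code>&amp;</code>, <code>add_player_kind_unsafe</code> shows what string concatenation would have produced, and <code>load_player_kinds</code> refuses any document that declares a DOCTYPE or ENTITY before parsing. The document layout and the function names are assumptions, since the real playerKinds.xml schema is not shown on the page.</p>

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed stand-in for data/admin/playerKinds.xml (assumed layout).
EMPTY_DOC = "<playerKinds></playerKinds>"


def add_player_kind_unsafe(xml_text: str, playername: str, info: str) -> str:
    """Naive string concatenation: whatever the user typed becomes XML markup."""
    node = f"<kind><playername>{playername}</playername><info>{info}</info></kind>"
    return xml_text.replace("</playerKinds>", node + "</playerKinds>")


def add_player_kind_safe(xml_text: str, playername: str, info: str) -> str:
    """Build the node through the DOM and let the serializer entity-encode
    '<', '>' and '&' (the behaviour the page observes in DuomiCms's writer)."""
    root = ET.fromstring(xml_text)
    kind = ET.SubElement(root, "kind")
    ET.SubElement(kind, "playername").text = playername
    ET.SubElement(kind, "info").text = info
    return ET.tostring(root, encoding="unicode")


def load_player_kinds(xml_text: str) -> List[Dict[str, str]]:
    """Defensive loader: reject any DOCTYPE/ENTITY declaration before parsing
    (that is where an external entity would have to be declared), then insist
    on exactly the structure the writer produces."""
    upper = xml_text.upper()
    if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
        raise ValueError("DTD declarations are not allowed in playerKinds.xml")
    root = ET.fromstring(xml_text)
    kinds = []
    for kind in root.findall("kind"):
        tags = [child.tag for child in kind]
        if tags != ["playername", "info"]:
            raise ValueError(f"unexpected structure inside <kind>: {tags}")
        kinds.append({"playername": kind.findtext("playername") or "",
                      "info": kind.findtext("info") or ""})
    return kinds
```

<p>Run against the same input, the safe writer round-trips a value such as <code>&lt;/playername&gt;&lt;extra/&gt;&lt;playername&gt;</code> as plain text, while the concatenating writer turns it into an extra element that the structural check in the loader catches. The DOCTYPE refusal is cheap insurance for the case the page worried about: even if the file were ever tampered with on disk, a loader that rejects DTDs cannot be talked into resolving an external entity.</p>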
<h3 id="前台代码执行"><a href="#前台代码执行" class="headerlink" title="前台代码执行"></a>Front-end Code Execution</h3><p>This code execution is similar to the earlier one in Apple CMS (maccms): while parsing template tags, the parsed tag content is concatenated and passed to the <strong>eval</strong> function, which ultimately results in a code execution vulnerability.</p>
<p>At the start of the hunt, we globally search for the <strong>eval</strong> function; it is immediately obvious that only the <strong>duomiphp\core.class.php</strong> file uses <strong>eval</strong>. The search results:</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/8.png" alt="8"></p>
<p>Looking at its code in detail, we find that <strong>eval</strong> appears only in the <strong>parseIf</strong> and <strong>parseSubIf</strong> functions:</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/9.png" alt="9"></p>
<p>So let's search for where these two functions are called. Since <strong>parseSubIf</strong> is called inside <strong>parseIf</strong>, I search directly for <strong>parseIf</strong> and pick a relatively simple file, <strong>search.php</strong>, for analysis. To make the analysis clearer, I trace the <strong>payload</strong> through the code directly; the <strong>payload</strong> used is:</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http:<span class="comment">//localhost/search.php?searchword={if:phpinfo()}phpinfo(){end</span></span><br></pre></td></tr></table></figure>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/10.png" alt="10"></p>
<p>Now let's analyze <strong>search.php</strong> in detail. The file first includes <strong>duomiphp/common.php</strong>, which in turn includes <strong>duomiphp\webscan.php</strong> to process user-submitted variables. That file uses the following three regular expressions to filter the <strong>GPC</strong> (<strong>GET, POST, COOKIE</strong>) parameters passed by the user, but our <strong>payload</strong> does not trigger any of these regexes.</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/11.png" alt="11"></p>
<p>In <strong>duomiphp/common.php</strong> there is also a variable-overwrite point that can be exploited (code shown below):</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/12.png" alt="12"></p>
<p>Returning to <strong>search.php</strong>, I have simplified the relevant key code as follows:</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/13.png" alt="13"></p>
<p>Note that the program <strong>truncates to only 20 characters</strong> to obtain <strong>$searchword</strong> (line 2 in the figure above), then at <strong>line 14</strong> replaces the template's <strong>{duomicms:searchword}</strong> with <strong>$searchword</strong>. After the replacement, it starts parsing the IF statements in the template at <strong>line 17</strong>. Although the program performs some filtering, none of it effectively blocks our malicious code.</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/14.png" alt="14"></p>
<p>We step into the <strong>parseIf</strong> method. It simply extracts the content of the <strong>IF tag</strong> and concatenates it into the <strong>eval</strong> function for execution; this is the root cause of the vulnerability. The concrete variable values can be seen in the dark-green text on the right of the figure below, so I won't elaborate.</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/15.png" alt="15"></p>
<p>I tested several versions, and all are affected. Of course, this is not the only way to get a shell from the front end: one can also use the variable overwrite mentioned earlier to forge an admin identity and finally write a webshell. A detailed analysis will follow in the article <strong>[红日安全]代码审计Day14 - 从变量覆盖到获取webshell</strong> ([Hongri Security] Code Audit Day 14: From Variable Overwrite to Getting a Webshell).</p>
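<p>The two design mistakes in this section are (1) evaluating the text inside an IF tag with <strong>eval</strong> and (2) substituting user data into the template before the tags are parsed, so data can grow tags. The following is an added Python example, not DuomiCms's PHP code, of how a template engine can do both steps safely: <code>evaluate_condition</code> walks the condition's AST and accepts only literals, named context variables, arithmetic, comparisons and boolean operators, so a call such as <code>phpinfo()</code> is rejected rather than executed; <code>render_search_page</code> parses the trusted template first and substitutes the search word afterwards. Nested IF tags are not handled, and every function name here is an assumption.</p>

```python
import ast
import operator
import re
from typing import Any, Dict

# {if:COND}BODY{end}, the tag shape the page describes (nested tags not supported here).
IF_TAG = re.compile(r"\{if:(?P<cond>.*?)\}(?P<body>.*?)\{end\}", re.S)

_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
_CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}


class SafeTemplateError(ValueError):
    """Raised for any condition that is not on the allow-list."""


def _eval_node(node: ast.AST, ctx: Dict[str, Any]) -> Any:
    if isinstance(node, ast.Expression):
        return _eval_node(node.body, ctx)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str)):
        return node.value
    if isinstance(node, ast.Name):                      # only names the engine supplies
        if node.id not in ctx:
            raise SafeTemplateError(f"unknown variable {node.id!r}")
        return ctx[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left, ctx), _eval_node(node.right, ctx))
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP_OPS:
        return _CMP_OPS[type(node.ops[0])](_eval_node(node.left, ctx),
                                           _eval_node(node.comparators[0], ctx))
    if isinstance(node, ast.BoolOp):
        values = [_eval_node(v, ctx) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval_node(node.operand, ctx)
    # Calls, attribute access, subscripts, lambdas, imports: never evaluated.
    raise SafeTemplateError(f"disallowed expression node {type(node).__name__}")


def evaluate_condition(cond: str, ctx: Dict[str, Any]) -> bool:
    """Evaluate an IF condition without eval(): parse to an AST, then walk the allow-list."""
    try:
        tree = ast.parse(cond.strip(), mode="eval")
    except SyntaxError as exc:
        raise SafeTemplateError(f"bad condition syntax: {cond!r}") from exc
    return bool(_eval_node(tree, ctx))


def render_template(template: str, ctx: Dict[str, Any]) -> str:
    """Keep each IF body whose condition is true; drop the rest."""
    def repl(match: "re.Match[str]") -> str:
        return match.group("body") if evaluate_condition(match.group("cond"), ctx) else ""
    return IF_TAG.sub(repl, template)


def render_search_page(template: str, searchword: str, ctx: Dict[str, Any]) -> str:
    """Parse the trusted template first, then insert the user's search word as data.
    Doing it the other way round (substitute, then parse, as search.php does)
    lets the search word supply its own IF tags."""
    return render_template(template, ctx).replace("{duomicms:searchword}", searchword)
```

<p>The ordering in <code>render_search_page</code> is the cheap fix; the allow-listed evaluator is the real one, because it removes the <strong>eval</strong> call that every bypass of the regex filters ultimately reaches.</p>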
<h3 id="SQL注入漏洞挖掘"><a href="#SQL注入漏洞挖掘" class="headerlink" title="SQL注入漏洞挖掘"></a>SQL Injection Vulnerability Hunting</h3><p>Following the <strong>CNVD</strong> advisory <a href="http://www.cnvd.org.cn/flaw/show/CNVD-2018-05568" target="_blank" rel="noopener">DuomiCms x3.0 has a SQL injection vulnerability in the front-end duomiphp/ajax.php file</a>, we open <strong>duomiphp/ajax.php</strong> directly and look at all the <strong>SQL</strong> statements in it, which can be summarized into the following types:</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/16.png" alt="16"></p>
<p>Most of the <strong>SQL</strong> statements here are built by concatenation, and the concatenated variables are mostly global variables; in the code execution vulnerability earlier we noted that the program registers variables, which easily leads to variable overwrite. Let's analyze these variables one by one.</p>
<p>First is the <strong>$id</strong> variable, concatenated at the end of the <strong>SQL</strong> statement with no quotes around it. That should have been fairly easy to exploit, but the code performs a type check on the <strong>id</strong> variable at the beginning. This means it can no longer be exploited in the <strong>select statement</strong>; however, we could bypass that with <strong>hexadecimal</strong> encoding, inserting the <strong>hex</strong>-encoded payload into the database to form a second-order injection. But when we search for the <strong>insert statement</strong>, we find it is wrapped in single quotes, so it cannot be exploited. The code:</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/17.png" alt="17"></p>
<p>Next is the <strong>$score</strong> variable, which sits in the middle of the <strong>SQL</strong> statement, so a comment symbol would be needed to comment out the rest. But introducing a comment symbol triggers the SQL detection rules in <strong>duomiphp/sql.class.php</strong>, so this spot is not easy to exploit either. The code:</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/18.png" alt="18"></p>
<p>That leaves the <strong>$uid</strong> variable, a global variable that the user can control; it sits at the end of the SQL statement with no quotes around it, making it extremely easy to exploit. See <strong>line 12</strong> in the figure below:</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/19.png" alt="19"></p>
<p>Based on the code logic, we can construct the following <strong>payload</strong>:</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ajax.php?action=addfav&id=<span class="number">1</span>&uid=<span class="number">1</span> <span class="keyword">and</span> extractvalue(<span class="number">1</span>,concat_ws(<span class="number">0x3A</span>,<span class="number">0x3A</span>,version()))</span><br></pre></td></tr></table></figure>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/20.png" alt="20"></p>
<p>However, to extract useful data we also need to bypass the SQL detection rules in <strong>duomiphp/sql.class.php</strong> and the escaping applied to global variables by the <strong>_RunMagicQuotes</strong> function. Here is the <strong>payload</strong> I tested successfully:</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http:<span class="comment">//localhost//duomiphp/ajax.php?action=addfav&id=1&uid=10101 and `'`.``.vid and extractvalue(1,concat_ws(0x3A,0x3A,(select`password` from`duomi_admin` limit 1))) and `'`.``.vid</span></span><br></pre></td></tr></table></figure>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/21.png" alt="21"></p>
<p>Now let's trace the <strong>payload</strong> through the program. First, our <strong>payload</strong> passes cleanly through the <strong>$getfilter</strong> rule in <strong>duomiphp/webscan.php</strong>, then goes through the <strong>_RunMagicQuotes</strong> escaping in <strong>duomiphp/common.php</strong> and is registered as a global variable. The code:</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/22.png" alt="22"></p>
<p>At this point the value of <strong>$uid</strong> has become:</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="number">10101</span> <span class="keyword">and</span> `\<span class="string">'`.``.vid and extractvalue(1,concat_ws(0x3A,0x3A,(select`password` from`duomi_admin` limit 1))) and `\'`.``.vid</span></span><br></pre></td></tr></table></figure>
<p>Because we passed <strong>action=addfav</strong>, we go straight into the <strong>addfav</strong> method in <strong>duomiphp\ajax.php</strong>. The SQL statement is concatenated directly and we enter the <strong>GetOne</strong> method in <strong>duomiphp\sql.class.php</strong>. <strong>GetOne</strong> then calls <strong>$this->Execute("one");</strong> (line 22 in the figure below).</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/23.png" alt="23"></p>
<p>In the <strong>Execute</strong> method, what we most need to look at is the implementation of the <strong>CheckSql</strong> method. First, if it is a <strong>select</strong> statement, it passes through the regex below, which does not allow us to use UNION queries.</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/24.png" alt="24"></p>
<p>Reading on, we find an obvious problem. The <strong>while</strong> loop stores a processed copy of the query string <strong>$db_string</strong> in <strong>$clean</strong>; the detection runs on the <strong>$clean</strong> variable, but what is finally returned is <strong>$db_string</strong>. So as long as no sensitive words appear in <strong>$clean</strong>, the SQL check is bypassed.</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/25.png" alt="25"></p>
<p>Let's look at the <strong>while</strong> loop in detail. The function first finds the index of the first single quote and appends the string before the quote to <strong>$clean</strong>, then replaces the characters between the first and second quotes with <strong>$s$</strong>, and finally appends the content after the second quote to <strong>$clean</strong>.</p>
<p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/26.png" alt="26"></p>
<p>The resulting <strong>$clean</strong> (below) passes the subsequent <strong>SQL</strong> check, and the program then returns <strong>$db_string</strong> unchanged, which is what produces the SQL injection.</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// $clean</span></span><br><span class="line">select id from `duomi_favorite` where vid=<span class="number">1</span> <span class="keyword">and</span> uid=<span class="number">10101</span> <span class="keyword">and</span> `\$s$`.``.vid</span><br><span class="line"><span class="comment">// $db_string </span></span><br><span class="line">Select id From `duomi_favorite` where vid=<span class="number">1</span> <span class="keyword">and</span> uid=<span class="number">10101</span> <span class="keyword">and</span> `\<span class="string">'`.``.vid and extractvalue(1,concat_ws(0x3A,0x3A,(select`password` from`duomi_admin` limit 1))) and `\'`.``.vid</span></span><br></pre></td></tr></table></figure>
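<p>The lesson of the <strong>$clean</strong> / <strong>$db_string</strong> mismatch is that a keyword blacklist run over a transformed copy of the statement proves nothing about the statement that is executed. The following is an added Python example, not DuomiCms's PHP code, of the <strong>addfav</strong> lookup written so that <strong>$uid</strong> can never be interpreted as SQL: <code>parse_uid</code> accepts only a plain decimal integer, and <code>find_favorite</code> binds it as a query parameter. <code>find_favorite_concat</code> reproduces the concatenation pattern the page describes for contrast. The in-memory SQLite table borrows the page's <code>duomi_favorite</code> name; its columns, the sample rows and the function names are constructed assumptions.</p>

```python
import sqlite3
from typing import Optional


def parse_uid(raw: str) -> int:
    """Allow-list validation: a uid is a run of base-10 digits and nothing else.
    str.isdigit() rejects spaces, signs, quotes and backticks, so input such as
    '10101 and ...' is refused instead of escaped."""
    if not raw.isdigit():
        raise ValueError(f"invalid uid: {raw!r}")
    return int(raw)


def setup_db() -> sqlite3.Connection:
    """Constructed sample data; the real table layout is not shown on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table duomi_favorite (id integer primary key, vid integer, uid integer)")
    conn.executemany("insert into duomi_favorite (vid, uid) values (?, ?)",
                     [(1, 10101), (2, 10101), (1, 7)])
    return conn


def find_favorite(conn: sqlite3.Connection, vid: int, uid_raw: str) -> Optional[int]:
    """Parameterised form of `select id from duomi_favorite where vid=... and uid=...`.
    The driver sends uid as a bound value; it never becomes part of the statement text."""
    uid = parse_uid(uid_raw)
    row = conn.execute("select id from duomi_favorite where vid=? and uid=?", (vid, uid)).fetchone()
    return row[0] if row else None


def find_favorite_concat(conn: sqlite3.Connection, vid: int, uid_raw: str) -> Optional[int]:
    """The pattern the page found: uid concatenated, unquoted, at the end of the
    statement. Kept only to contrast with find_favorite."""
    row = conn.execute(f"select id from duomi_favorite where vid={vid} and uid={uid_raw}").fetchone()
    return row[0] if row else None
```

<p>With a bound parameter there is no string for a CheckSql-style filter to inspect in the first place, so the question of whether the filter checked the same text it returned never arises. Where a column really must be an integer, as <strong>uid</strong> is here, the cast or digit check on its own already removes the injection; binding is what protects the string-typed columns as well.</p>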
<h3 id="结语"><a href="#结语" class="headerlink" title="结语"></a>Conclusion</h3><p>In fact, this CMS has quite a few vulnerabilities reported on CNVD. Although no vulnerability details are given, we can audit it ourselves or reconstruct the vulnerabilities from the description, thereby improving our auditing skills. When auditing a CMS, it is worth first searching CVE, CNVD and seebug to learn about its historical vulnerabilities before starting the audit; you might be pleasantly surprised :)</p>
<p><a href="http://www.cnvd.org.cn" target="_blank" rel="noopener">http://www.cnvd.org.cn</a></p>
<p><a href="https://www.seebug.org/search/?keywords=Duomicms" target="_blank" rel="noopener">https://www.seebug.org/search/?keywords=Duomicms</a></p>
<p><a href="http://cve.mitre.org" target="_blank" rel="noopener">http://cve.mitre.org</a></p>
</div></article><div class="post-copyright"><div class="post-copyright__author"><span class="post-copyright-meta">Author: </span><span class="post-copyright-info">Mochazz</span></div><div class="post-copyright__type"><span class="post-copyright-meta">Link: </span><span class="post-copyright-info"><a href="https://mochazz.github.io/2018/09/30/DuomiCms3.0最新版漏洞挖掘/">https://mochazz.github.io/2018/09/30/DuomiCms3.0最新版漏洞挖掘/</a></span></div><div class="post-copyright__notice"><span class="post-copyright-meta">License: </span><span class="post-copyright-info">Unless otherwise stated, all articles on this blog are licensed under <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/">CC BY-NC-SA 4.0</a>. Please credit <a href="https://mochazz.github.io">Mochazz's blog</a> when reposting.</span></div></div><div class="post-meta__tag-list"><a class="post-meta__tags" href="/tags/Duomicms/">Duomicms</a></div></div></div><footer class="footer-bg"><div class="layout" id="footer"><div class="copyright">©2017 - 2020 By Mochazz</div><div class="framework-info"><span>Powered by </span><a href="http://hexo.io"><span>Hexo</span></a><span class="footer-separator">|</span><span>Theme </span><a href="https://github.com/Molunerfinn/hexo-theme-melody"><span>Melody</span></a></div></div></footer></body></html>