Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Mochazz.github.io/2018/09/30/DuomiCms3.0最新版漏洞挖掘/index.html
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
103 lines (98 sloc)
25.7 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html><html lang="zh-Hans"><head><meta name="generator" content="Hexo 3.9.0"><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"><meta name="description" content="DuomiCms3.0最新版漏洞挖掘"><meta name="keywords" content="Duomicms"><meta name="author" content="Mochazz"><meta name="copyright" content="Mochazz"><title>DuomiCms3.0最新版漏洞挖掘 | Mochazz's blog</title><link rel="shortcut icon" href="/favicon.png"><link rel="stylesheet" href="/css/index.css?version=1.6.1"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/font-awesome@latest/css/font-awesome.min.css?version=1.6.1"><link rel="dns-prefetch" href="https://cdn.staticfile.org"><link rel="dns-prefetch" href="https://cdn.bootcss.com"><link rel="dns-prefetch" href="https://creativecommons.org"><script>var GLOBAL_CONFIG = { | |
| root: '/', | |
| algolia: undefined, | |
| localSearch: undefined, | |
| copy: { | |
| success: '复制成功', | |
| error: '复制错误', | |
| noSupport: '浏览器不支持' | |
| } | |
| } </script></head><body><canvas class="fireworks"></canvas><i class="fa fa-arrow-right" id="toggle-sidebar" aria-hidden="true"></i><div id="sidebar"><div class="toggle-sidebar-info text-center"><span data-toggle="切换文章详情">切换站点概览</span><hr></div><div class="sidebar-toc"><div class="sidebar-toc__title">目录</div><div class="sidebar-toc__progress"><span class="progress-notice">你已经读了</span><span class="progress-num">0</span><span class="progress-percentage">%</span><div class="sidebar-toc__progress-bar"></div></div><div class="sidebar-toc__content"><ol class="toc"><li class="toc-item toc-level-3"><a class="toc-link" href="#前言"><span class="toc-number">1.</span> <span class="toc-text">前言</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#XXE漏洞挖掘"><span class="toc-number">2.</span> <span class="toc-text">XXE漏洞挖掘</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#前台代码执行"><span class="toc-number">3.</span> <span class="toc-text">前台代码执行</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#SQL注入漏洞挖掘"><span class="toc-number">4.</span> <span class="toc-text">SQL注入漏洞挖掘</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#结语"><span class="toc-number">5.</span> <span class="toc-text">结语</span></a></li></ol></div></div><div class="author-info hide"><div class="author-info__avatar text-center"><img src="/img/avatar.jpg"></div><div class="author-info__name text-center">Mochazz</div><div class="author-info__description text-center">人若无名,方可潜心练剑</div><div class="follow-button"><a href="https://github.com/Mochazz">Follow Me</a></div><hr><div class="author-info-articles"><a class="author-info-articles__archives article-meta" href="/archives"><span class="pull-left">文章</span><span class="pull-right">220</span></a><a class="author-info-articles__tags article-meta" href="/tags"><span class="pull-left">标签</span><span class="pull-right">81</span></a><a class="author-info-articles__categories article-meta" href="/categories"><span class="pull-left">分类</span><span class="pull-right">20</span></a></div><hr><div class="author-info-links"><div class="author-info-links__title text-center">Links</div><a class="author-info-links__name text-center" href="http://www.lmxspace.com">l1nk3r</a><a class="author-info-links__name text-center" href="https://www.virzz.com">Virink</a><a class="author-info-links__name text-center" href="https://www.kingkk.com">kingkk</a><a class="author-info-links__name text-center" href="https://hpdoger.cn">hpdoger</a><a class="author-info-links__name text-center" href="https://www.smi1e.top">smi1e</a><a class="author-info-links__name text-center" href="http://m4p1e.com">maple</a><a class="author-info-links__name text-center" href="https://zhzhdoai.github.io">osword</a><a class="author-info-links__name text-center" href="https://nikoeurus.github.io">Somnus</a><a class="author-info-links__name text-center" href="https://landgrey.me">LandGrey</a><a class="author-info-links__name text-center" href="https://www.cnpanda.net">panda</a><a class="author-info-links__name text-center" href="http://foreversong.cn">ADog</a></div></div></div><div id="content-outer"><div id="top-container" style="background-image: url(/img/backgroud.jpeg)"><div id="page-header"><span class="pull-left"> <a id="site-name" href="/">Mochazz's blog</a></span><i class="fa fa-bars toggle-menu pull-right" aria-hidden="true"></i><span class="pull-right menus"><a class="site-page" href="/">Home</a><a class="site-page" href="/archives">Archives</a><a class="site-page" href="/about">About</a><a class="site-page" href="/read">Read</a></span></div><div id="post-info"><div id="post-title">DuomiCms3.0最新版漏洞挖掘</div><div id="post-meta"><time class="post-meta__date"><i class="fa fa-calendar" aria-hidden="true"></i> 2018-09-30</time><span class="post-meta__separator">|</span><i class="fa fa-inbox post-meta__icon" aria-hidden="true"></i><a class="post-meta__categories" href="/categories/代码审计/">代码审计</a></div></div></div><div class="layout" id="content-inner"><article id="post"><div class="article-container" id="post-content"><h3 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h3><p>这篇文章将记录 <strong>DuomiCms3.0最新版</strong> 的漏洞挖掘过程,当中会分享一些审计的技巧,希望对想要学习审计的朋友有所帮助。当中分享的每一个漏洞并不一定都存在,但是为了文章的完整性,还是把所有漏洞挖掘的过程记录下来。</p> | |
| <h3 id="XXE漏洞挖掘"><a href="#XXE漏洞挖掘" class="headerlink" title="XXE漏洞挖掘"></a>XXE漏洞挖掘</h3><p>先使用 <strong>phpstorm</strong> 的全局搜索 <strong>simplexml_load_</strong> 、 <strong>SimpleXMLElement</strong> 等字符串(快捷键为: <code>Ctrl+Shift+F</code> ),这里的 <strong>simplexml_load_</strong> 字符串主要针对 <strong>simplexml_load_file</strong> 和 <strong>simplexml_load_string</strong> 两个函数。我们可以发现搜索结果将近40条,如下:</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/1.png" alt="1"></p> | |
| <p>接下来我们就一个一个进行验证(其实不用真的每个都去验证,因为有的程序代码结构很像,或者看一眼就知道不存在漏洞了)。先来看一下 <strong>api.php</strong> 文件中的代码,可以看到这里的 <strong>XML</strong> 文件内容来自 <strong>$playerKindsfile</strong> 变量,该变量的值为 <strong>data/admin/playerKinds.xml</strong> 文件的内容。 <strong>api.php</strong> 文件代码如下:</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/2.png" alt="2"></p> | |
| <p>这时候,我们要考虑的就是 <strong>data/admin/playerKinds.xml</strong> 文件的内容是否可以被我们控制。如果该文件可以被攻击者控制,就很有可能存在 <strong>XXE</strong> 漏洞。于是,我们搜索字符串 <strong>playerKinds</strong> ,结果如下:</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/3.png" alt="3"></p> | |
| <p>我们发现其中有一个语句为 <strong>$doc -> save($playerKindsfile)</strong> 。按照函数名来推测,这里极有可能是将 <strong>$playerKindsfile</strong> 变量对应的内容保存进 <strong>data/admin/playerKinds.xml</strong> 文件。所以我们要来看一下 <strong>$playerKindsfile</strong> 变量对应的内容是否可控。</p> | |
| <p>我们找到 <strong>admin\admin_player.php</strong> 文件对应的代码,发现当 <strong>$action==”addnew”</strong> 的时候,会将 <strong>POST</strong> 方式传来的 <strong>playername</strong> 、 <strong>info</strong> 、 <strong>order</strong> 、 <strong>trail</strong> 四个参数写进 <strong>data/admin/playerKinds.xml</strong> 文件。相关代码如下:<br><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/4.png" alt="4"></p> | |
| <p>我们用 <strong>BurpSuite</strong> 抓包,并用 <strong>TheFolderSpy</strong> 监控 <strong>www</strong> 目录(其目的是检测用户输入是否有被写入文件中),结果如下:</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/5.png" alt="5"></p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/6.png" alt="6"></p> | |
| <p>我们发现 <strong>POST</strong> 方式传输的 <strong>playername</strong> 、 <strong>info</strong> 、 <strong>order</strong> 、 <strong>trail</strong> 四个参数,确实写进了 <strong>data/admin/playerKinds.xml</strong> 文件,但是特殊符号都被 <strong>HTML实体编码</strong> 了,所以这里无法利用。(下图是 <strong>payload</strong> 中特殊字符被 <strong>HTML实体编码</strong> 的截图)。</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/7.png" alt="7"></p> | |
| <p>我们接着看看其他位置是否存在 <strong>XXE</strong> 漏洞,会发现其他地方的 <strong>XML</strong> 文件加载方式基本和上面一样,因此应该不存在 <strong>XXE</strong> 漏洞。</p> | |
| <h3 id="前台代码执行"><a href="#前台代码执行" class="headerlink" title="前台代码执行"></a>前台代码执行</h3><p>这一处的代码执行和以前苹果CMS的代码执行是类似的,都是在解析模板标签的时候,将解析的标签拼接,并用在了 <strong>eval</strong> 函数中,最终造成了代码执行漏洞。</p> | |
| <p>在挖掘漏洞之初,我们先全局搜索 <strong>eval</strong> 函数,这里可以明显的看到只有 <strong>duomiphp\core.class.php</strong> 文件中使用了 <strong>eval</strong> 函数。搜索图如下:</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/8.png" alt="8"></p> | |
| <p>我们详细的看一下其代码,可以发现 <strong>eval</strong> 函数只出现在 <strong>parseIf</strong> 和 <strong>parseSubIf</strong> 函数中:</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/9.png" alt="9"></p> | |
| <p>那么我们就来搜索一下这两个函数在何处被调用。由于 <strong>parseSubIf</strong> 函数在 <strong>parseIf</strong> 函数中被调用,这里我就直接搜索 <strong>parseIf</strong> 函数,并挑选了一个较为简单的 <strong>search.php</strong> 文件进行分析。为了更好分析,我这里直接把 <strong>payload</strong> 带入分析,所使用的 <strong>payload</strong> 如下:</p> | |
| <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http:<span class="comment">//localhost/search.php?searchword={if:phpinfo()}phpinfo(){end</span></span><br></pre></td></tr></table></figure> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/10.png" alt="10"></p> | |
| <p>下面我们来具体分析 <strong>search.php</strong> 文件。首先文件开头引入了 <strong>duomiphp/common.php</strong> 文件,而该文件引入了 <strong>duomiphp\webscan.php</strong> 文件对用户提交的变量进行处理。该文件使用以下三个正则分别对用户传递的 <strong>GPC</strong> ( <strong>GET、POST、COOKIE</strong> )参数进行过滤,但是我们的 <strong>payload</strong> 并不会触发这里的正则。</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/11.png" alt="11"></p> | |
| <p>在 <strong>duomiphp/common.php</strong> 文件中,还存在一处变量覆盖的利用点(如下图代码):</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/12.png" alt="12"></p> | |
| <p>继续回到 <strong>search.php</strong> 文件,我将有用的关键代码简化如下:</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/13.png" alt="13"></p> | |
| <p>这里需要注意,程序会 <strong>只截取20个字符</strong> 作为 <strong>$searchword</strong> (上图第2行),然后在 <strong>第14行</strong> 代码处把模板的 <strong>{duomicms:searchword}</strong> 替换成 <strong>$searchword</strong> 。替换后,又在 <strong>第17</strong> 行开始对模板中的IF语句进行解析。虽然程序有做一些过滤操作,但是都无法有效的避免我们的恶意代码。</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/14.png" alt="14"></p> | |
| <p>我们跟进 <strong>parseIf</strong> 方法。其实这里就是把 <strong>IF标签</strong> 的内容取出来,然后拼接到 <strong>eval</strong> 函数中执行了,这也是漏洞的成因,具体的变量值可以看下图右边墨绿色的字体,这里不再赘述。</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/15.png" alt="15"></p> | |
| <p>测了几个版本,都有影响。当然,前台getshell方式还不止这一种,可以利用前面的变量覆盖,伪造admin身份,最后写入webshell,具体分析之后会在 <strong>[红日安全]代码审计Day14 - 从变量覆盖到获取webshell</strong> 文章中详细分析。</p> | |
| <h3 id="SQL注入漏洞挖掘"><a href="#SQL注入漏洞挖掘" class="headerlink" title="SQL注入漏洞挖掘"></a>SQL注入漏洞挖掘</h3><p>根据 <strong>CNVD</strong> 的漏洞通告:<a href="http://www.cnvd.org.cn/flaw/show/CNVD-2018-05568" target="_blank" rel="noopener">DuomiCms x3.0前台duomiphp/ajax.php文件存在SQL注入漏洞</a> ,我们就直接打开 <strong>duomiphp/ajax.php</strong> 文件,观察其中所有的 <strong>SQL</strong> 语句,可以总结为以下几种类型:</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/16.png" alt="16"></p> | |
| <p>可以看到这里大多数 <strong>SQL</strong> 语句使用了拼接,而拼接用的变量又多数是全局变量,我们在前面的代码执行漏洞中,提到程序有注册变量的行为,这样容易造成变量覆盖。下面,我们来一个个分析这些变量。</p> | |
| <p>首先是 <strong>$id</strong> 变量,拼接在 <strong>SQL</strong> 语句尾巴且没有引号包裹。本来应该是比较好利用的,但是这里开头对 <strong>id</strong> 变量进行了类型判断。这样导致在 <strong>select语句</strong> 中无法再利用,但是我们可以用 <strong>16进制</strong> 编码绕过,将payload的 <strong>16进制</strong> 插入数据库中,形成二次注入。但是我们搜索 <strong>insert语句</strong> 的时候,发现其被单引号包裹,所以无法利用,具体代码如下:</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/17.png" alt="17"></p> | |
| <p>接着是 <strong>$score</strong> 变量,该变量位于 <strong>SQL</strong> 语句中间,这样就要引入注释符,将后面的语句注释掉。但是引入注释符,会触发 <strong>duomiphp/sql.class.php</strong> 文件的SQL检测规则,所以这处也不好利用。具体代码如下:</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/18.png" alt="18"></p> | |
| <p>最后剩下一个 <strong>$uid</strong> 变量了,该变量为全局变量,可以由用户控制,而且其位置在SQL语句最后,两边也没有引号包裹,极其好利用。如下图 <strong>第12行</strong> 代码:</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/19.png" alt="19"></p> | |
| <p>我们根据代码逻辑,即可构造出如下 <strong>payload</strong> :</p> | |
| <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ajax.php?action=addfav&id=<span class="number">1</span>&uid=<span class="number">1</span> <span class="keyword">and</span> extractvalue(<span class="number">1</span>,concat_ws(<span class="number">0x3A</span>,<span class="number">0x3A</span>,version()))</span><br></pre></td></tr></table></figure> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/20.png" alt="20"></p> | |
| <p>但是要想爆出有用的数据,这里还要绕过 <strong>duomiphp/sql.class.php</strong> 文件的SQL检测规则以及全局变量的 <strong>_RunMagicQuotes</strong> 函数的转义。这里直接给出我测试成功的 <strong>payload</strong> :</p> | |
| <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http:<span class="comment">//localhost//duomiphp/ajax.php?action=addfav&id=1&uid=10101 and `'`.``.vid and extractvalue(1,concat_ws(0x3A,0x3A,(select`password` from`duomi_admin` limit 1))) and `'`.``.vid</span></span><br></pre></td></tr></table></figure> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/21.png" alt="21"></p> | |
| <p>下面,我们直接将 <strong>payload</strong> 带入到程序中进行分析。首先,我们的 <strong>payload</strong> 完美绕过了 <strong>duomiphp/webscan.php</strong> 文件的 <strong>$getfilter</strong> 规则,然后经过了 <strong>duomiphp/common.php</strong> 文件 <strong>_RunMagicQuotes</strong> 函数的转义并注册成全局变量。具体代码如下:</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/22.png" alt="22"></p> | |
| <p>此时 <strong>$uid</strong> 的值已经变成了下面这样:</p> | |
| <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="number">10101</span> <span class="keyword">and</span> `\<span class="string">'`.``.vid and extractvalue(1,concat_ws(0x3A,0x3A,(select`password` from`duomi_admin` limit 1))) and `\'`.``.vid</span></span><br></pre></td></tr></table></figure> | |
| <p>根据我们传入的 <strong>action=addf</strong> ,我们直接进入了 <strong>duomiphp\ajax.php</strong> 文件的 <strong>addfav</strong> 方法。然后直接拼接SQL语句,进入 <strong>duomiphp\sql.class.php</strong> 文件的 <strong>GetOne</strong> 方法。接着在 <strong>GetOne</strong> 方法中调用了 <strong>$this->Execute(“one”);</strong> (下图第22行)这段代码。</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/23.png" alt="23"></p> | |
| <p>在 <strong>Execute</strong> 方法中,我们最需要关注的就是 <strong>CheckSql</strong> 方法的实现。首先,如果是 <strong>select</strong> 语句,会先经过下面的正则,这个正则不允许我们使用联合查询。</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/24.png" alt="24"></p> | |
| <p>接着往下看,会发现一个很明显的问题。<strong>while</strong> 语句将处理后的数据库查询语句 <strong>$db_string</strong> 存在 <strong>$clean</strong> 中,然后用于检测的是 <strong>$clean</strong> 变量,最后返回的却是 <strong>$db_string</strong> 。所以我们只要在 <strong>$clean</strong> 变量中不出现敏感词,即可绕过SQL语句的检测。</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/25.png" alt="25"></p> | |
| <p>我们来具体看一下 <strong>while</strong> 中的程序。该函数会先搜索第一个单引号的下标,取引号前面的字符串给 <strong>$clean</strong> ,然后将第一个引号和第二个引号之间的字符用 <strong>$s$</strong> 来代替,最后取第二个引号之后的内容给 <strong>$clean</strong> 变量。</p> | |
| <p><img src="/img/DuomiCms3.0%E6%9C%80%E6%96%B0%E7%89%88%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98/26.png" alt="26"></p> | |
| <p>处理后获得的 <strong>$clean</strong> (如下)可以绕过下面的 <strong>SQL</strong> 检测,然后程序又将 <strong>$db_string</strong> 原样返回,此时也就造成了SQL注入。</p> | |
| <figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// $clean</span></span><br><span class="line">select id from `duomi_favorite` where vid=<span class="number">1</span> <span class="keyword">and</span> uid=<span class="number">10101</span> <span class="keyword">and</span> `\$s$`.``.vid</span><br><span class="line"><span class="comment">// $db_string </span></span><br><span class="line">Select id From `duomi_favorite` where vid=<span class="number">1</span> <span class="keyword">and</span> uid=<span class="number">10101</span> <span class="keyword">and</span> `\<span class="string">'`.``.vid and extractvalue(1,concat_ws(0x3A,0x3A,(select`password` from`duomi_admin` limit 1))) and `\'`.``.vid</span></span><br></pre></td></tr></table></figure> | |
| <h3 id="结语"><a href="#结语" class="headerlink" title="结语"></a>结语</h3><p>实际上,这个CMS在CNVD上通告的漏洞还是蛮多的,虽然没有漏洞详情,但是我们也可以自己审计或者根据描述细节来还原漏洞,从而提高自身的审计能力。在审计某一cms的时候,可以先在CVE、CNVD、seebug上搜搜,了解一下历史漏洞,然后在进行审计,或许会有意外之喜:)</p> | |
| <p><a href="http://www.cnvd.org.cn" target="_blank" rel="noopener">http://www.cnvd.org.cn</a></p> | |
| <p><a href="https://www.seebug.org/search/?keywords=Duomicms" target="_blank" rel="noopener">https://www.seebug.org/search/?keywords=Duomicms</a></p> | |
| <p><a href="http://cve.mitre.org" target="_blank" rel="noopener">http://cve.mitre.org</a></p> | |
| </div></article><div class="post-copyright"><div class="post-copyright__author"><span class="post-copyright-meta">文章作者: </span><span class="post-copyright-info"><a href="mailto:undefined">Mochazz</a></span></div><div class="post-copyright__type"><span class="post-copyright-meta">文章链接: </span><span class="post-copyright-info"><a href="https://mochazz.github.io/2018/09/30/DuomiCms3.0最新版漏洞挖掘/">https://mochazz.github.io/2018/09/30/DuomiCms3.0最新版漏洞挖掘/</a></span></div><div class="post-copyright__notice"><span class="post-copyright-meta">版权声明: </span><span class="post-copyright-info">本博客所有文章除特别声明外,均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/">CC BY-NC-SA 4.0</a> 许可协议。转载请注明来自 <a href="https://mochazz.github.io">Mochazz's blog</a>!</span></div></div><div class="post-meta__tag-list"><a class="post-meta__tags" href="/tags/Duomicms/">Duomicms</a></div><nav id="pagination"><div class="prev-post pull-left"><a href="/2018/10/04/齐博CMS_V7.0前台SQL注入/"><i class="fa fa-chevron-left"> </i><span>齐博CMS_V7.0前台SQL注入</span></a></div><div class="next-post pull-right"><a href="/2018/09/30/PHP-Audit-Labs题解之Day9-12/"><span>PHP-Audit-Labs题解之Day9-12</span><i class="fa fa-chevron-right"></i></a></div></nav><div id="vcomment"></div><script src="https://cdn1.lncld.net/static/js/3.0.4/av-min.js"></script><script src="https://cdn.jsdelivr.net/npm/valine/dist/Valine.min.js"></script><script>var notify = 'true' == true ? true : false; | |
| var verify = 'false' == true ? true : false; | |
| var GUEST_INFO = ['nick','mail','link']; | |
| var guest_info = 'nick,mail,link'.split(',').filter(function(item){ | |
| return GUEST_INFO.indexOf(item) > -1 | |
| }); | |
| guest_info = guest_info.length == 0 ? GUEST_INFO :guest_info; | |
| window.valine = new Valine({ | |
| el:'#vcomment', | |
| notify:notify, | |
| verify:verify, | |
| appId:'cFxDjSziPHq4xGCbSpRGkND7-gzGzoHsz', | |
| appKey:'YhJIRxQHzY9Aix5pSGnYxKkv', | |
| placeholder:'ヾノ≧∀≦)o留下评论再走吧', | |
| avatar:'wavatar', | |
| guest_info:guest_info, | |
| pageSize:'10', | |
| lang: 'zh-cn' | |
| })</script></div></div><footer class="footer-bg" style="background-image: url(/img/backgroud.jpeg)"><div class="layout" id="footer"><div class="copyright">©2017 - 2020 By Mochazz</div><div class="framework-info"><span>驱动 - </span><a href="http://hexo.io"><span>Hexo</span></a><span class="footer-separator">|</span><span>主题 - </span><a href="https://github.com/Molunerfinn/hexo-theme-melody"><span>Melody</span></a></div><div class="busuanzi"><script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script><span id="busuanzi_container_page_pv"><i class="fa fa-file-o"></i><span id="busuanzi_value_page_pv"></span><span></span></span></div></div></footer><i class="fa fa-arrow-up" id="go-up" aria-hidden="true"></i><script src="https://cdn.jsdelivr.net/npm/animejs@latest/anime.min.js"></script><script src="https://cdn.jsdelivr.net/npm/jquery@latest/dist/jquery.min.js"></script><script src="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@latest/dist/jquery.fancybox.min.js"></script><script src="https://cdn.jsdelivr.net/npm/velocity-animate@latest/velocity.min.js"></script><script src="https://cdn.jsdelivr.net/npm/velocity-ui-pack@latest/velocity.ui.min.js"></script><script src="/js/utils.js?version=1.6.1"></script><script src="/js/fancybox.js?version=1.6.1"></script><script src="/js/sidebar.js?version=1.6.1"></script><script src="/js/copy.js?version=1.6.1"></script><script src="/js/fireworks.js?version=1.6.1"></script><script src="/js/transition.js?version=1.6.1"></script><script src="/js/scroll.js?version=1.6.1"></script><script src="/js/head.js?version=1.6.1"></script><script>if(/Android|webOS|iPhone|iPod|BlackBerry/i.test(navigator.userAgent)) { | |
| $('#nav').addClass('is-mobile') | |
| $('footer').addClass('is-mobile') | |
| }</script></body></html> |