0x00 Environment

Source: XYCMS-PHP-V1.0

PHP: 5.6.40

MySQL: 5.7.26

0x01 Introduction

XYCMS is written in plain PHP without any framework. The project layout is as follows:

(screenshot: project directory layout)

Directory overview

system   back-end (admin) directory
inc      filter and configuration files
install  installer directory

Everything else is front-end page code.

0x02 Generic SQL injection in the back-end "add information" pages

Vulnerable code:

<form name="add" method="post" action="?act=ok" onsubmit="return chkform();">
<table width="100%" border="0" align="center" cellpadding="3" cellspacing="0" >
<tr onmouseout="style.backgroundColor='#F1F5F8'" bgcolor="#F1F5F8" >
<td height="28" width="10%" class="td">网页标题</td>
<td width="90%" class="td">
<input name="title" type="text" size="30" /> <img src="images/ts.gif" width="14" height="15" alt="基本信息标题"/></td>
</tr>
<tr onmouseout="style.backgroundColor='#FFFFFF'" bgcolor="#FFFFFF">
<td height="25" width="10%" class="td">网页关键词</td>
<td class="td"><input name="keywords" type="text" size="50" />
[多词语可用符号“|”分开]</td>
</tr>
<tr onmouseout="style.backgroundColor='#F1F5F8'" bgcolor="#F1F5F8">
<td height="25" width="10%" class="td">网页描述</td>
<td class="td"><input name="descriptions" type="text" size="50" /> <img src="images/ts.gif" width="14" height="15" alt="网页描述"/></td>
</tr>
<tr onmouseout="style.backgroundColor='#F1F5F8'" bgcolor="#F1F5F8">
<td height="25" class="td">调用排序_ID</td>
<td class="td"><input name="pl_id" type="text" size="30" /></td>
</tr>
<tr onmouseout="style.backgroundColor='#F1F5F8'" bgcolor="#F1F5F8">
<td height="25" class="td">信息来源</td>
<td class="td"><input name="info_from" type="text" size="30" value="本站" /></td>
</tr>
<tr onmouseout="style.backgroundColor='#F1F5F8'" bgcolor="#F1F5F8">
<td height="25" class="td">发布作者</td>
<td class="td"><input name="info_auth" type="text" size="30" value="admin" /></td>
</tr>
<tr onmouseout="style.backgroundColor='#FFFFFF'" bgcolor="#FFFFFF">
<td height="25" class="td">主题信息内容</td>
<td class="td"><textarea name="content" style="width:670px;height:400px;visibility:hidden;"></textarea></td>
</tr>
<tr onmouseout="style.backgroundColor='#FFFFFF'" bgcolor="#FFFFFF">
<td height="25" class="td">&nbsp;</td>
<td class="td"><input type="submit" name="button" id="button" value="确认提交" class="button"/></td>
</tr>
</table>
</form>
</td>
<td width="8" background="images/tab_15.gif">&nbsp;</td>
</tr>
</table></td>
</tr>
<tr>
<td height="35" background="images/tab_19.gif"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="12" height="35"><img src="images/tab_18.gif" width="12" height="35" /></td>
<td>&nbsp;</td>
<td width="16"><img src="images/tab_20.gif" width="16" height="35" /></td>
</tr>
</table></td>
</tr>
</table>
</body>
</html>
// Checks whether act is set (i.e. the form was submitted); the user-supplied values are then taken straight from $_POST and put into the query with no filtering whatsoever.
<?php
if($_GET["act"]){
$title=$_POST['title'];
$keywords=$_POST['keywords'];
$descriptions=$_POST['descriptions'];
$pl_id=$_POST['pl_id'];
$info_from=$_POST['info_from'];
$info_auth=$_POST['info_auth'];
$content=$_POST['content'];
$sql="insert into common set title='$title',keywords='$keywords',descriptions='$descriptions',pl_id='$pl_id',info_from='$info_from',info_auth='$info_auth',content='$content',c_date=now()";
mysql_query($sql);
mysql_close($conn);
echo "<script language='javascript'>";
echo "alert('恭喜您,信息添加成功,点击继续添加!');";
echo " location='add_common.php';";
echo "</script>";
}

Afterwards I found that add_careers.php, add_case.php, add_down.php, add_,emu.php, add_news.php and add_pro.php

all contain the same type of injection.

Verification:

Capture the POST request; since this is a time-based blind injection, hand it straight to sqlmap.

(screenshot)

(screenshot)
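The root cause in every one of these handlers is the same: the request values are interpolated into the INSERT string. The following is an added example, not XYCMS code, showing how the add_common.php handler looks when the SQL text is fixed and every value is bound as a parameter. It assumes $conn is a mysqli connection (XYCMS itself uses the legacy mysql_* extension), and the per-field length limits are assumptions to be matched to the real column definitions.

```php
<?php
// Added example (not XYCMS code): hardened replacement for the add_common.php
// handler. $conn is assumed to be a mysqli object, not the mysql_* link the
// original code uses.

// Whitelist of text fields the form may submit, with an assumed maximum length.
$textFields = array(
    'title'        => 200,
    'keywords'     => 200,
    'descriptions' => 500,
    'info_from'    => 50,
    'info_auth'    => 50,
    'content'      => 65535,
);

function readTextField($name, $maxLen) {
    // A missing field becomes an empty string; over-long input is rejected
    // rather than silently truncated by the column.
    $v = isset($_POST[$name]) ? (string) $_POST[$name] : '';
    if (strlen($v) > $maxLen) {
        throw new InvalidArgumentException("field $name too long");
    }
    return $v;
}

function insertCommon(mysqli $conn, array $fields, $plId) {
    // The SQL text never changes; each value travels as a bound parameter, so a
    // quote or a SLEEP() in the title is stored as data, never parsed as SQL.
    $sql = 'INSERT INTO common (title, keywords, descriptions, pl_id, info_from, info_auth, content, c_date) '
         . 'VALUES (?, ?, ?, ?, ?, ?, ?, NOW())';
    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param(
        'sssisss',
        $fields['title'], $fields['keywords'], $fields['descriptions'],
        $plId, $fields['info_from'], $fields['info_auth'], $fields['content']
    );
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (isset($_GET['act']) && $_GET['act'] === 'ok' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $fields = array();
        foreach ($textFields as $name => $maxLen) {
            $fields[$name] = readTextField($name, $maxLen);
        }
        // pl_id is an ordering id: accept a non-negative integer only.
        $plId = filter_input(INPUT_POST, 'pl_id', FILTER_VALIDATE_INT,
                             array('options' => array('min_range' => 0)));
        if ($plId === false || $plId === null) {
            throw new InvalidArgumentException('pl_id must be a non-negative integer');
        }
        insertCommon($conn, $fields, $plId);
        header('Location: add_common.php');
        exit;
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The same shape applies to the other add_*.php handlers listed above: one fixed statement per form, a type string that matches the column types, and integer fields validated before binding. If the legacy mysql_* extension has to stay for now, mysql_real_escape_string() on every string value and an (int) cast on pl_id is the minimum stop-gap, but prepared statements remove the whole class of bug rather than one encoding of it.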

0x03 Generic XSS in the back-end

The vulnerable point is the same as the injection above: since nothing is filtered, XSS code can be executed as well.

Vulnerable code: identical to the add_common.php handler listed under 0x02. The form fields are stored verbatim and later rendered by the front-end pages, so any markup in them reaches other users' browsers.
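Because the stored values are rendered in several places, the fix belongs at output time: every render point encodes for its HTML context. The following is an added example, not XYCMS code, with a constructed sample record in place of a row read from the database; the column names follow the form fields on this page, and the page charset is assumed to be UTF-8.

```php
<?php
// Added example (not XYCMS code): output encoding for records written by the
// add_* handlers. Raw storage is acceptable only if every render point encodes.

function h($s) {
    // ENT_QUOTES encodes both quote characters, so the same helper is safe in
    // element text and inside single- or double-quoted attributes. The charset
    // must match the page's <meta charset>; UTF-8 is assumed here.
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

function renderCommonRow(array $row) {
    // $row is one record from the `common` table as it came out of the
    // database, possibly containing markup supplied through the admin form.
    $keywords = array_map('trim', explode('|', $row['keywords']));
    $html  = '<tr>';
    $html .= '<td>' . h($row['title']) . '</td>';
    $html .= '<td>' . implode(', ', array_map('h', $keywords)) . '</td>';
    $html .= '<td title="' . h($row['descriptions']) . '">' . h($row['info_auth']) . '</td>';
    $html .= '</tr>';
    return $html;
}

// Constructed sample record (not real data) standing in for a database row:
// the title carries element markup, the description tries to break out of an
// attribute.
$sample = array(
    'title'        => '<script>alert(1)</script>',
    'keywords'     => 'cms|php',
    'descriptions' => 'x" onmouseover="alert(2)',
    'info_auth'    => 'admin',
);
echo renderCommonRow($sample);
```

In the rendered output the angle brackets in the title become &lt; and &gt;, and the double quote in the description becomes &quot;, so the browser shows the text instead of interpreting it. The one field this does not cover is content, which XYCMS edits with KindEditor and therefore legitimately contains HTML: encoding it would destroy the formatting, so that field needs an allowlist HTML sanitizer rather than htmlspecialchars().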

Verification:

(screenshot)

(screenshot)

0x04 SQL injection in the front-end guestbook

Same root cause as above: essentially nothing is filtered on either the front end or the back end. Apart from the back-end login form, which is filtered, the other input points are unfiltered, so injection exists in many places.

Vulnerable code in /add_book.php:

<form name="form" method="post" action="add_book.php?act=ok" onSubmit="return checkform();">
<table class="tablecss">
<tr>
<th><span>*</span>留言标题:</th>
<td><input name="title" type="text" size="40" /><span>必须填写</span></td>
</tr>
<tr>
<th><span>*</span>姓名:</th>
<td><input name="ly_name" type="text" size="20" /><span>必须填写,方便联系,网页不会公开</span></td>
</tr>
<tr>
<th>联系电话:</th>
<td><input name="tel" type="text" size="20" /><span>方便电话联系,网页不会公开</span></td>
</tr>
<tr>
<th><span>*</span>联系邮箱:</th>
<td><input name="spanail" type="text" size="30" /><span>必须填写,方便电话联系,网页不会公开</span></td>
</tr>
<tr>
<th>是否隐藏:</th>
<td><input type="radio" name="sf_yc" checked="checked" value="0" />否 <input type="radio" name="sf_yc" value="1" />是
<span>选择隐藏,问题将不在列表显示,否则将显示</span>
</td>
</tr>
<tr>
<th><span>*</span>留言内容:</th>
<td><textarea name="content" rows="7" cols="50"></textarea></td>
</tr>
<tr>
<td colspan="2" align="center"><input type="submit" value="提交信息" /> <input type="reset" value="全部重写" /></td>
</tr>
</table>
</form>
</div>
</div>
</div>
</div>
<div class="dc_r">
<div class="dc_r_t">
<h3>快速通道</h3>
</div>
<div class="dc_r_c">
<div class="dc_r_c_c">
<ul>
<li><a href="gbook.php" target="_self">查看留言</a></li>
<li><a href="add_book.php" target="_self">添加留言</a></li>
</ul>
</div>
</div>
<div class="dc_r_t">
<h3>联系我们</h3>
</div>
<div class="dc_r_c">
<div class="dc_r_c_c">
<ul>
<li>公司名:<?php echo $wzname;?></li>
<li>ADD:<?php echo $wzname;?></li>
<li>联系人:<?php echo $managename;?></li>
<li>Phone:<?php echo $phonenum;?></li>
<li>TEL:<?php echo $telnum;?></li>
<li>E_mail:<?php echo $email;?></li>
</ul>
</div>
</div>
</div>
<div class="clear"></div>
</div>
<div id="foot">
<?php include_once 'footer.php'; ?>
</div>
</div>
</body>
</html>
<?php
if($_GET["act"]){
$title=$_POST['title'];
$ly_name=$_POST['ly_name'];
$tel=$_POST['tel'];
$spanail=$_POST['spanail'];
$sf_yc=$_POST['sf_yc'];
$content=$_POST['content'];
$sql="insert into gbook set title='$title',ly_name='$ly_name',tel='$tel',spanail='$spanail',sf_yc='$sf_yc',content='$content',c_date=now()";
echo $sql;
mysql_query($sql);
mysql_close($conn);
echo "<script language='javascript'>";
echo "alert('恭喜您,留言信息添加成功,请等待回复!');";
echo " location='gbook.php';";
echo "</script>";
}
?>

Verification

Capture the guestbook submission and confirm it with sqlmap.

(screenshot)

(screenshot)

The code base is simple: practically every place that adds or edits data has both SQL injection and XSS, and the upload points use the KindEditor editor.
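The guestbook is reachable without logging in, so beyond fixing the handler it is worth being able to spot this kind of probing in server logs. A time-based blind injection run, whether by sqlmap or by hand, shows up as a burst of POSTs to the same script that each take several seconds, while a real guestbook insert takes milliseconds. The following is an added example, not XYCMS code, that flags such bursts from an Apache access log; it assumes the combined log format with the request duration appended via "%D" (microseconds), and the log lines are constructed, not real traffic.

```php
<?php
// Added example (not XYCMS code): latency-based detection of time-based blind
// injection probing against the guestbook. Assumes Apache "combined" log lines
// with "%D" (request duration in microseconds) appended as the last field.

const SLOW_US        = 3000000; // 3 s: a normal guestbook insert takes milliseconds
const MIN_SLOW_HITS  = 3;       // this many slow POSTs from one client ...
const WINDOW_SECONDS = 120;     // ... inside this window raises an alert

function parseLine($line) {
    // ip ident user [time] "METHOD path proto" status bytes "referer" "ua" duration
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*" (\d+)$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    return array(
        'ip'     => $m[1],
        'time'   => $ts ? $ts->getTimestamp() : 0,
        'method' => $m[3],
        'path'   => parse_url($m[4], PHP_URL_PATH),
        'status' => (int) $m[5],
        'us'     => (int) $m[6],
    );
}

function findSlowBursts(array $lines, array $watchedPaths) {
    $slowByIp = array();
    foreach ($lines as $line) {
        $r = parseLine($line);
        if ($r === null || $r['method'] !== 'POST' || !in_array($r['path'], $watchedPaths, true)) {
            continue;
        }
        if ($r['us'] >= SLOW_US) {
            $slowByIp[$r['ip']][] = $r['time'];
        }
    }
    $alerts = array();
    foreach ($slowByIp as $ip => $times) {
        sort($times);
        // Sliding window: any MIN_SLOW_HITS slow requests within WINDOW_SECONDS.
        for ($i = 0; $i + MIN_SLOW_HITS - 1 < count($times); $i++) {
            $j = $i + MIN_SLOW_HITS - 1;
            if ($times[$j] - $times[$i] <= WINDOW_SECONDS) {
                $alerts[$ip] = count($times); // total slow hits seen from this client
                break;
            }
        }
    }
    return $alerts;
}

// Constructed sample lines (not real traffic): one ordinary visitor, and one
// client whose repeated posts to add_book.php each take about five seconds.
$sample = array(
    '198.51.100.7 - - [11/Aug/2020:17:36:01 +0800] "GET /add_book.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0" 18234',
    '198.51.100.7 - - [11/Aug/2020:17:36:40 +0800] "POST /add_book.php?act=ok HTTP/1.1" 200 310 "-" "Mozilla/5.0" 24561',
    '192.0.2.10 - - [11/Aug/2020:17:37:05 +0800] "POST /add_book.php?act=ok HTTP/1.1" 200 310 "-" "Mozilla/5.0" 5012345',
    '192.0.2.10 - - [11/Aug/2020:17:37:11 +0800] "POST /add_book.php?act=ok HTTP/1.1" 200 310 "-" "Mozilla/5.0" 5008877',
    '192.0.2.10 - - [11/Aug/2020:17:37:17 +0800] "POST /add_book.php?act=ok HTTP/1.1" 200 310 "-" "Mozilla/5.0" 31020',
    '192.0.2.10 - - [11/Aug/2020:17:37:23 +0800] "POST /add_book.php?act=ok HTTP/1.1" 200 310 "-" "Mozilla/5.0" 5011902',
);
print_r(findSlowBursts($sample, array('/add_book.php')));
```

On the constructed sample the report names 192.0.2.10 (three slow POSTs within eighteen seconds) and says nothing about the ordinary visitor. The check keys on latency rather than on payload strings, so it is insensitive to payload encoding, and the same watch list can carry the back-end add_*.php paths from 0x02. Thresholds are deliberately conservative; on a busy site tune SLOW_US against the real p99 of the script and exclude known-slow endpoints such as file uploads.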