/*******************************************************/
/* cutecms_v3.5 SQL Injection Vulnerability
/* ========================
/* By: : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
/* Welcome to https://www.90sec.com */
/*******************************************************/

首先看首页文件 index.php // First, the front-page file index.php
>>>>/**/无关代码省略/**/ // (unrelated code omitted by the advisory author)

// Defines the IN_CUTECMS flag before any include file is loaded.
define('IN_CUTECMS', true);
// No install lock file yet: redirect to the installer and stop.
if(!file_exists("include/install.lock")) { header("location:install/");exit; }
require_once('include/helper.php');
require_once('include/generate_static.inc.php'); // include files
>>>>/**/无关代码省略/**/

// $staticUrl is assigned in the omitted code. The request at the end of this
// listing supplies it as the staticUrl query parameter, so it should be treated
// as attacker-controlled (presumably unfiltered -- confirm against the full file).
if($staticUrl && $staticUrl!='index') {
    // Paginated form "<name>_page<digits>". The (.*) prefix is unconstrained,
    // so this branch hands the same untrusted text to getStaticUrlRow() as the
    // else branch does.
    if(preg_match("/^(.*)_page([0-9]{1,})$/i", $staticUrl)) {
        $url = substr($staticUrl, 0, strpos($staticUrl, "_page")).".html";
        $staticUrlRow = getStaticUrlRow($db, $url);
        $action = $staticUrlRow['action'];
        $urlChannelId = $urlContentId = $staticUrlRow['rid'];
        // NOTE(review): strpos() finds the first "_page", while the pattern only
        // requires digits after the last one, so $urlPageNum is not guaranteed
        // to be numeric; where it is used is outside this excerpt.
        $urlPageNum = substr($staticUrl, strpos($staticUrl, "_page")+5);
    } else {
        $url = $staticUrl.".html";
        $staticUrlRow = getStaticUrlRow($db, $url); // $url goes into a database query here; see getStaticUrlRow()
        if(!$staticUrlRow) {
            $pathPartsArr = pathinfo($url);
            $staticPathArr = explode("/", $pathPartsArr['dirname']);
            $staticChannelHtmlName = array_pop($staticPathArr);
>>>>/**/无关代码省略/**/

// Follow the include into helper.php
require_once( BASE."lang.inc.php" );
require_once( BASE."base.inc.php" );
require_once( BASE."validate.inc.php" );
require_once( BASE."elements.inc.php" );
require_once( BASE."template.inc.php" );

// Continue into base.inc.php
/**
 * Fetch one row from the PREFIX."static_url" table, optionally filtered by
 * url and/or rid.
 *
 * Both filters are appended to the SQL text by string concatenation: $url is
 * wrapped in single quotes without escaping, and $rid is appended with no
 * quotes and no numeric cast. A caller that passes request data (index.php
 * above passes a value derived from $staticUrl) therefore controls part of
 * the statement -- this is the SQL injection the advisory reports.
 *
 * Mitigation: bind $url and $rid as query parameters, or escape $url with the
 * database driver's own escaping routine and cast $rid to an integer. Only
 * $db->getRow() is visible here, so which of these $db supports needs checking.
 *
 * @param mixed  $db  Database handle (type not shown); only getRow() is called.
 * @param string $url Value for the url column; a falsy value skips the filter.
 * @param string $rid Value for the rid column; a falsy value skips the filter.
 * @return mixed Whatever $db->getRow() returns for the built query.
 */
function getStaticUrlRow( $db, $url = "", $rid = "" ) {
    $sql = "SELECT * FROM ".PREFIX."static_url WHERE 1";
    if ( $url ) // concatenated into the query without any filtering
    { $sql .= " AND url = '".$url."'"; }
    // $rid is appended unquoted, so it needs an integer cast rather than quote escaping.
    if ( $rid ) { $sql .= " AND rid = ".$rid; }
    $sql .= " LIMIT 1";
    $re = $db->getRow( $sql );
    return $re;
}
// Did the author think that encrypting the file would patch the vulnerability? Rather naive.
>>>>/**/无关代码省略/**/

// Request shape given by the advisory; [sql] is the author's placeholder for the injected value.
https://127.0.0.1/cutecms_free_v3.5/index.php?staticUrl=[sql]


修复方案:

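:) 可以用80sec那段防注入代码。不过这类通用过滤只能作为临时缓解措施;根本的修复是在 getStaticUrlRow() 中不再直接拼接 SQL:对 $url 使用参数化查询或数据库驱动自带的转义函数,对 $rid 用 intval() 强制转换为整数。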