当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-051476

漏洞标题:ThinkSAAS 最新版SQL注入之二

相关厂商:thinksaas.cn

漏洞作者: xfkxfk

提交时间:2014-02-20 10:04

修复时间:2014-05-21 10:04

公开时间:2014-05-21 10:04

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-02-20: 细节已通知厂商并且等待厂商处理中
2014-02-20: 厂商已经确认,细节仅向厂商公开
2014-02-23: 细节向第三方安全合作伙伴开放
2014-04-16: 细节向核心白帽子及相关领域专家公开
2014-04-26: 细节向普通白帽子公开
2014-05-06: 细节向实习白帽子公开
2014-05-21: 细节向公众公开

简要描述:

ThinkSAAS 最新版2.1,官方2月15日更新,SQL注入第二弹

详细说明:

上传资料处/app/attach/action/upload.php:

case "do":
$userid = intval($_GET['userid']);
$albumid = intval($_GET['albumid']);
if($userid=='0' || $albumid == 0){
echo '00000';
exit;
}

$attachid = $new['attach']->create('attach',array(
'userid' => $userid,
'locationid'=>aac('user')->getLocationId($userid),
'albumid'=>$albumid,
'addtime' => date('Y-m-d H:i:s'),
));

//上传
$arrUpload = tsUpload($_FILES['Filedata'],$attachid,'attach',array('pptx','docx','pdf','jpg','gif','png','rar','zip','doc','ppt','txt'));

if($arrUpload){
$new['attach']->update('attach',array(
'attachid'=>$attachid,
),array(
'attachname'=>$arrUpload['name'],
'attachtype'=>$arrUpload['type'],
'attachurl'=>$arrUpload['url'],
'attachsize'=>$arrUpload['size'],
));

//对积分进行处理
aac('user')->doScore($app,$ac,$ts,$userid);


}
echo $attachid;
break;


然后使用tsUpload函数对文件进行上传。$_FILES['Filedata']是上传表单的名字。

function tsUpload($files, $projectid, $dir, $uptypes) {
if ($files ['size'] > 0) {

$menu2 = intval ( $projectid / 1000 );

$menu1 = intval ( $menu2 / 1000 );

$path = $menu1 . '/' . $menu2;

$dest_dir = 'uploadfile/' . $dir . '/' . $path;

createFolders ( $dest_dir );

//$ext = pathinfo($files['name'],PATHINFO_EXTENSION);

$arrType = explode ( '.', strtolower ( $files ['name'] ) ); // 转小写一下

$type = array_pop ( $arrType );

if (in_array ( $type, $uptypes )) {

$name = $projectid . '.' . $type;

$dest = $dest_dir . '/' . $name;

// 先删除
unlink ( $dest );
// 后上传
move_uploaded_file ( $files ['tmp_name'], mb_convert_encoding ( $dest, "gb2312", "UTF-8" ) );

chmod ( $dest, 0777 );

$filesize = filesize ( $dest );
if (intval ( $filesize ) > 0) {
return array (
'name' => tsFilter($files ['name']),
'path' => $path,
'url' => $path . '/' . $name,
'type' => $type,
'size' => $files ['size']
);
} else {
return false;
}
} else {
return false;
}
}
}


有一个过滤的函数tsFilter:

function tsFilter($value){
$value = trim($value);
//定义不允许提交的SQl命令和关键字
$words = array();
$words[] = "add ";
$words[] = "and ";
$words[] = "count ";
$words[] = "order ";
$words[] = "table ";
$words[] = "by ";
$words[] = "create ";
$words[] = "delete ";
$words[] = "drop ";
$words[] = "from ";
$words[] = "grant ";
$words[] = "insert ";
$words[] = "select ";
$words[] = "truncate ";
$words[] = "update ";
$words[] = "use ";
$words[] = "--";
$words[] = "#";
$words[] = "group_concat";
$words[] = "column_name";
$words[] = "information_schema.columns";
$words[] = "table_schema";
$words[] = "union ";
$words[] = "where ";
$words[] = "alert";
$value = strtolower($value);//转换为小写
foreach($words as $word){
if(strstr($value,$word)){
$value = str_replace($word,'',$value);
}
}

return $value;
}


过滤了关键字及注释符号。
可是仔细一看,过滤的是类似“select ”这种,关键字后面加了个空格。
但是我们可以用制表符,它能完美代替空格。
我们来看看update函数:

public function update($table, $conditions, $row) {
$where = "";
if (empty ( $row ))
return FALSE;
if (is_array ( $conditions )) {
$join = array ();
foreach ( $conditions as $key => $condition ) {
$condition = $this->escape ( $condition );
$join [] = "{$key} = {$condition}";
}
$where = "WHERE " . join ( " AND ", $join );
} else {
if (null != $conditions)
$where = "WHERE " . $conditions;
}
foreach ( $row as $key => $value ) {
$vals [] = "`$key` = '$value'";
}
$values = join ( ", ", $vals );
$sql = "UPDATE " . dbprefix . "{$table} SET {$values} {$where}";
return $this->db->query ( $sql );
}


在conditions处做了处理,但是我们这是在row中,没有处理,导致SQL注入。

漏洞证明:

保证最新版:

0.png


发送下面的请求:

1.png


这个cms还有一个特点,它不会显示mysql错误,但会把错误保存在/logs/文件夹里,名字就是日期+-mysql-error.txt。这样,我们就可以看到mysql的报错信息,从而爆出得到管理员账号密码。

2.png

修复方案:

对参数进行严格处理,过滤。

版权声明:转载请注明来源 xfkxfk@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-02-20 10:28

厂商回复:

谢谢反馈,已经修复。

最新状态:

暂无