当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0143240

漏洞标题:wancms sql盲注三处(比较鸡肋)

相关厂商:wancms.com

漏洞作者: 不能忍

提交时间:2015-10-12 11:07

修复时间:2016-01-15 11:09

公开时间:2016-01-15 11:09

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:11

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-12: 细节已通知厂商并且等待厂商处理中
2015-10-17: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2015-12-11: 细节向核心白帽子及相关领域专家公开
2015-12-21: 细节向普通白帽子公开
2015-12-31: 细节向实习白帽子公开
2016-01-15: 细节向公众公开

简要描述:

详细说明:

/app/Lib/Action/AccountsAction.class.php //118行

public function username_check1() {
		unset ( $_SESSION ['uid'] );
		unset ( $_SESSION ['member'] );
		cookie ( 'auth', '1' );
		$html = uc_user_synlogout ();
		$callback = isset ( $_GET ['jsonpCallback'] ) ? $_GET ['jsonpCallback'] : 'jsonpCallback';
	    $gid = htmlspecialchars($_GET['gid']);	    //并没有过滤
			//若sid、uid 丢失 获取相应最新的开服 uid默认为平台默认推广账号
	    $uid_1 = htmlspecialchars($_GET['uid']); //推广编号  查询出他的上级id//这个同样是没有过滤
		$username = strtolower(trim(htmlspecialchars($_GET ['cn'])));
		$password = trim ( htmlspecialchars($_GET ['pwd']) );
		$domain = $this->getdomain($_SERVER['HTTP_HOST']);
		$email = $username.'@'.$domain;
		if (! preg_match ( "/^([a-zA-Z0-9]|[._]){5,22}$/", $username )) {
		$data = "{\"result\":\"err0003\"}";
		echo $callback . '(' . $data  . ')';die();
		}
		if (strlen ( $password ) < 6 || strlen ( $password ) > 22 || $password == "") {
				$data = "{\"result\":\"err0006\"}";
				echo $callback . '(' . $data  . ')';die();
			}
			// #### 接入UC #####
			$uid = uc_user_register($username,$password,$email);
			$uid=321;
			if ($uid <= 0) {
				if ($uid == - 1) {
					$data = "{\"result\":\"err0001\"}";
					echo $callback . '(' . $data  . ')';die();
				} elseif ($uid == - 2) {
					$data = "{\"result\":\"err0001\"}";
					echo $callback . '(' . $data  . ')';die();
				} elseif ($uid == - 3) {
					$data = "{\"result\":\"err0003\"}";
					echo $callback . '(' . $data  . ')';die();
				} elseif ($uid == - 4) {
				$data = "{\"result\":\"err0001\"}";
				echo $callback . '(' . $data  . ')';die();
				} elseif ($uid == - 5) {
					$data = "{\"result\":\"err0001\"}";
					echo $callback . '(' . $data  . ')';die();
				} elseif ($uid == - 6) {
				$data = "{\"result\":\"err0001\"}";
				echo $callback . '(' . $data  . ')';die();
				} else {
				$data = "{\"result\":\"err0001\"}";
				echo $callback . '(' . $data  . ')';die();
				}
			} else{		// 注册成功
				$userinfo ['username'] = $username;
				$userinfo ['nickname'] = $username;
				$userinfo ['email'] = $email;
				$userinfo ['point'] = "0";
				$userinfo ['id_card'] = '';
				$userinfo ['uid'] = $uid;
				$model = M ( 'member' );
				if ($model->add ($userinfo)) {
					
					$extend = M ( 'member_extend_info' );
					$extends_info ['uid'] = $uid;
					$extends_info ['register_time'] = time ();
					$extends_info ['register_ip'] = get_client_ip ();
					$extends_info ['lastlogin_time'] = time ();
					$extends_info ['lastlogin_ip'] = get_client_ip ();
					$extends_info ['realname'] = '';
					$extends_info ['from_soical'] = 'cps';
					$extends_info ['gid'] = $gid;
					$extends_info ['sid'] = htmlspecialchars($_GET['sid']);
					$smodel = M('server');
					 
				 	if($extends_info ['sid']){
						$extends_info ['sid'] = htmlspecialchars($_GET['sid']);   //这也没过滤
					}else{
						$s_info= $smodel->where("status = '0' and gid = ".$gid)->order('add_time desc')->select();
						$extends_info ['sid'] =$s_info[0]['sid'];
					} 
					
					//确保sid与gid是同一款游戏
					$s_info1= $smodel->where("sid = ".$extends_info ['sid'])->find();    //这是第三处
					if($s_info1['gid']!=$extends_info ['gid']){
						$s_info= $smodel->where("status = '0' and gid = ".$gid)->order('add_time desc')->select();   //这是第一处
						$extends_info ['sid'] =$s_info[0]['sid'];
					}
					
					
					$sid = $extends_info ['sid'];
					//推广链接本身就是一级公会链接
					if($uid_1){
						$info = $extend->where (' grouping = 1 and uid ='.$uid_1)->find ();    //这是第二处
						if (empty($info)) {
							$extends_info ['sub_channels'] = '4';
							$extends_info ['total_channels'] = '4';
								
						}else{
							$extends_info ['sub_channels'] = $uid_1;
							if($info['subsign']=='0'){
								$extends_info ['total_channels'] = $uid_1;
							}else{
								$extends_info ['total_channels'] = $info['subsign'];
							}
							
						}
					}else{
						$extends_info ['sub_channels'] = '4';
						$extends_info ['total_channels'] = '4';
					}
					 $extend->add($extends_info);
					// 设置cookies
					setcookie ('auth', uc_authcode ( $uid . "\t" . $username, 'ENCODE' ), 0, C ( 'COOKIE_PATH' ), C ( 'COOKIE_DOMAIN' ), 0, false );
					setcookie ( 'name', $username, time () + 3600, "/" );
					/**
					 * **********************************
					*/
					// 防止本机注册
					import ( "@.ORG.Getmacaddr" );
					$mac = new GetMacAddr ( PHP_OS );
					$ip = get_client_ip ();
					$macaddr = $mac->mac_addr;
					setcookie ( "gameplf_anti_csrf", md5 ( $macaddr ), time () + 3600 * 24, "/" );
					setcookie ( "login_check_ip", md5 ( $ip ), time () + 3600 * 24, "/" );
						
					$ucsynlogin = uc_user_synlogin ( $uid );
					$_SESSION ['uid'] = $uid;
					$_SESSION ['member'] = $username;
					$ucsynlogin =str_replace('"', "'", $ucsynlogin);
					$data="{\"result\":\"success\",\"gid\":\"$gid\",\"fid\":\"$sid\",\"login\":\"$ucsynlogin\"}";
					echo $callback . '(' . $data  . ')';die();
					
					
				} else {
					$data = "{\"result\":\"err0001\"}";
					echo $callback . '(' . $data  . ')';die();
				}
					
			
			}
				
		
		
		
	}


这三处都没过滤,但是有个问题,已经注册过的用户是不能再注册的。
所以每次注入的时候都必须使用不同的用户名来进行注入。
而且页面不回显,只能盲注了。
这个必须写脚本才能测试。所以比较鸡肋,但是注入还是存在的
给个payload测试一下。
http://localhost/accounts/username_check1/?gid=1&cn=test1ees&pwd=111111&sid=0&uid=1) AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'%23

漏洞证明:

QQ截图20150924174205.jpg

修复方案:

版权声明:转载请注明来源 不能忍@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-01-15 11:09

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无