乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-02-20: 细节已通知厂商并且等待厂商处理中 2014-02-20: 厂商已经确认,细节仅向厂商公开 2014-02-23: 细节向第三方安全合作伙伴开放 2014-04-16: 细节向核心白帽子及相关领域专家公开 2014-04-26: 细节向普通白帽子公开 2014-05-06: 细节向实习白帽子公开 2014-05-21: 细节向公众公开
ThinkSAAS 最新版2.1,官方2月15日更新,SQL注入第一弹
文件/app/photo/action/album.php
//批量修改执行 case "info_do": //用户是否登录 $userid = aac('user')->isLogin(); $albumid = intval($_POST['albumid']); $albumface = tsClean($_POST['albumface']);//进行了过滤,但未过滤完全 $arrPhotoId = intval($_POST['photoid']); $arrPhotoDesc = $_POST['photodesc']; if($TS_USER['user']['isadmin']==0){ foreach($arrPhotoDesc as $key=>$item){ //过滤内容开始 aac('system')->antiWord($item); //过滤内容结束 } } foreach($arrPhotoDesc as $key=>$item){ if($item){ $photoid = intval($arrPhotoId[$key]); $new['photo']->update('photo',array( 'photoid'=>$photoid, ),array( 'photodesc'=>tsClean($item), )); } } //更新相册封面 if($albumface){ $new['photo']->update('photo_album',array( 'userid'=>$userid, 'albumid'=>$albumid, ),array( 'albumface'=>$albumface,//带入数据库查询导致SQL注入 )); } header("Location: ".tsUrl('photo','album',array('id'=>$albumid))); break;
虽然进行了tsClean过滤,但是我们来看看函数:
function tsClean($text) { $text = cleanJs ( $text ); return $text;}/** * 过滤脚本代码 * @param unknown $text * @return mixed */function cleanJs($text) { $text = trim ( $text ); $text = stripslashes ( $text ); // 完全过滤注释 $text = preg_replace ( '/<!--?.*-->/', '', $text ); // 完全过滤动态代码 $text = preg_replace ( '/<\?|\?>/', '', $text ); // 完全过滤js $text = preg_replace ( '/<script?.*\/script>/', '', $text ); // 过滤多余html $text = preg_replace ( '/<\/?(html|head|meta|link|base|body|title|style|script|form|iframe|frame|frameset)[^><]*>/i', '', $text ); // 过滤on事件lang js while ( preg_match ( '/(<[^><]+)(lang|data|onfinish|onmouse|onexit|onerror|onclick|onkey|onload|onchange|onfocus|onblur)[^><]+/i', $text, $mat ) ) { $text = str_replace ( $mat [0], $mat [1], $text ); } while ( preg_match ( '/(<[^><]+)(window\.|javascript:|js:|about:|file:|document\.|vbs:|cookie)([^><]*)/i', $text, $mat ) ) { $text = str_replace ( $mat [0], $mat [1] . $mat [3], $text ); } return $text;}
只是用来过滤js代码。再来看看update的处理:
public function update($table, $conditions, $row) { $where = ""; if (empty ( $row )) return FALSE; if (is_array ( $conditions )) { $join = array (); foreach ( $conditions as $key => $condition ) { $condition = $this->escape ( $condition ); $join [] = "{$key} = {$condition}"; } $where = "WHERE " . join ( " AND ", $join ); } else { if (null != $conditions) $where = "WHERE " . $conditions; } foreach ( $row as $key => $value ) { $vals [] = "`$key` = '$value'"; } $values = join ( ", ", $vals ); $sql = "UPDATE " . dbprefix . "{$table} SET {$values} {$where}"; return $this->db->query ( $sql ); }
虽然在conditions处做了转义但是在row处没有处理,这里正好在row处,导致SQL注入。
构造请求如图,即可:
严格过滤啊
危害等级:高
漏洞Rank:20
确认时间:2014-02-20 10:29
谢谢反馈,已经修复。
暂无