乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-12-28: 细节已通知厂商并且等待厂商处理中 2015-12-28: 厂商已经确认,细节仅向厂商公开 2016-01-07: 细节向核心白帽子及相关领域专家公开 2016-01-17: 细节向普通白帽子公开 2016-01-27: 细节向实习白帽子公开 2016-02-09: 细节向公众公开
thinksaas2.4+php2.6+apache2 未过滤感谢@xfkxfk
先看消息写入代码:/var/www/html/thinksaas/app/user/action/message.php
case "do": $msg_userid = $userid; $msg_touserid = intval($_POST['touserid']); $msg_content = tsFilter($_POST['content']); //用tsFilter过滤 aac('system')->antiWord($msg_content); //过滤垃圾词 aac('message')->sendmsg($msg_userid,$msg_touserid,$msg_content); /× //发送消息 public function sendmsg($userid,$touserid,$content){ $userid = intval($userid); $touserid = intval($touserid); $content = str_replace(SITE_URL,'[SITE_URL]',$content); $content = addslashes(trim($content)); if($touserid && $content){ $messageid = $this->create('message',array( 'userid' => $userid, 'touserid' => $touserid, 'content' => $content, 'addtime' => time(), )); } } }×/ header("Location: ".tsUrl('message','my')); break;}
/var/www/html/thinksaas/thinksaas/tsFunction.php
function tsFilter($value) { $value = trim($value); //定义不允许提交的SQl命令和关键字 $words = array(); $words[] = "add "; $words[] = "and "; $words[] = "count "; $words[] = "order "; $words[] = "table "; $words[] = "by "; $words[] = "create "; $words[] = "delete "; $words[] = "drop "; $words[] = "from "; $words[] = "grant "; $words[] = "insert "; $words[] = "select "; $words[] = "truncate "; $words[] = "update "; $words[] = "use "; $words[] = "--"; $words[] = "#"; $words[] = "group_concat"; $words[] = "column_name"; $words[] = "information_schema.columns"; $words[] = "table_schema"; $words[] = "union "; $words[] = "where "; $words[] = "alert"; $value = strtolower($value); //转换为小写 foreach ($words as $word) { if (strstr($value, $word)) { $value = str_replace($word, '', $value); } } return $value;}
可以看到只过滤了一些sql注入关键字,问题是仅仅过滤了一遍。继续来看取出有没有过滤/var/www/html/thinksaas/app/message/action/my.php
<?phpdefined('IN_TS') or die('Access Denied.');$arrMsg = $new['message']->findAll('message',array( 'touserid'=>$strUser['userid'], 'isread'=>'0',));foreach($arrMsg as $key=>$item){ //可以看到没编码也没过滤 $arrMsg[$key]['content'] = str_replace('[SITE_URL]',SITE_URL,$item['content']); if($item['userid']){ $arrMsg[$key]['user'] = aac('user')->getOneUser($item['userid']); }}$title = '我的消息盒子';include template("my");
编码过滤
危害等级:中
漏洞Rank:10
确认时间:2015-12-28 23:03
感谢反馈,已经修复。
暂无