WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
2014-06-09: Details sent to the vendor, awaiting handling.
2014-06-09: Vendor confirmed; details disclosed to the vendor only.
2014-08-03: Details disclosed to core white hats and relevant domain experts.
2014-08-13: Details disclosed to regular white hats.
2014-08-23: Details disclosed to intern white hats.
2014-09-07: Vendor fixed the vulnerability and disclosed it proactively; details made public.
Latest version.
In lib/indexaction.php:
```php
public function saveself() {
    $user = $_SESSION['youyax_user'];
    if ($user == "" || $user == null)
        $this->redirect("Index" . C('default_url') . "index" . C('static_url'));
    // $face is escaped once with addslashes() before the UPDATEs below;
    // MySQL consumes those backslashes when it stores the string.
    $face = addslashes($_POST['face']);
    mysql_query("update " . C('db_prefix') . "user set face='" . $face . "' where user='" . $user . "'");
    mysql_query("update " . C('db_prefix') . "talk set face='" . $face . "' where zuozhe='" . $user . "'");
    mysql_query("update " . C('db_prefix') . "reply set face1='" . $face . "' where zuozhe1='" . $user . "'");
    mysql_query("update " . C('db_prefix') . "mark2 set pic='" . $face . "' where marker='" . $user . "'");
    mysql_query("update " . C('db_prefix') . "mark1 set pic='" . $face . "' where marker='" . $user . "'");
    $this->assign('jumpurl', $this->youyax_url . "/Index" . C('default_url') . "self" . C('static_url'))
         ->assign('msgtitle', '操作成功')
         ->assign('message', '图片更新成功!')
         ->success();
}
```
The value is stored here as before. Although $face goes through addslashes() once, the escape characters are gone once the value is in the database, so we look for the place where it is read back.

0x01 In lib/contentaction.php:
```php
public function mark() {
    $mix = require("./Conf/mix.config.php");
    if ($mix['is_limit_time']) {
        if (!LimitAction::limit_time($mix['limit_time'])) {
            $this->assign("msgtitle", "操作限制!")
                 ->assign("message", "在" . $mix['limit_time'] . "秒内不能发帖和回帖!")
                 ->assign("jumpurl", C('SITE'))
                 ->error();
        }
    }
    $tid = intval($_POST['id']);
    if (!is_numeric($tid)) {
        $this->assign("msgtitle", "操作错误!")
             ->assign("message", "点评序号不为非数字!")
             ->assign("jumpurl", C('SITE'))
             ->error();
    }
    $rid = intval($_POST['id2']);
    $mid = intval($_POST['mid']);
    $content = filter_var($_POST['t'], FILTER_CALLBACK, array("options" => "filter_function"));
    $content = nl2br(addslashes(htmlspecialchars($content, ENT_QUOTES, "UTF-8")));
    $reply_u = addslashes($_POST['reply_u']);
    // $marker and $num2 are defined outside this excerpt.
    if (empty($rid)) {
        // The avatar is read back from the database here ...
        $user = $this->find(C('db_prefix') . "user", "string", "user='" . $marker . "'");
        $pic = $user['face']; // ... and is not escaped again
        /*$result = $this->find(C('db_prefix') . "mark1", "string", "tid=" . $tid . " and marker='" . $marker . "'");
        if ($result) {
            echo "<script>alert('您不能重复点评');</script>";
        } else {*/
        if (!empty($reply_u)) {
            $res = $this->find(C('db_prefix') . "mark1", "string", "marker='" . $reply_u . "' and id=" . $mid);
            if ($res) {
                $content = "<span style=\'vertical-align:top;display:inline-block;*display:inline;\'>" . $_SESSION['youyax_user'] . " @ " . $reply_u . " :</span><span style=\'display:inline-block;*display:inline;\'>" . $content . "</span>";
            } else {
                $this->assign("code", "操作错误!")->assign("msg", "非法操作")->display("Public/exception.html");
                echo "<script>setTimeout(function(){window.parent.location.href='" . $this->youyax_url . "/Content" . C('default_url') . "index" . C('default_url') . "id" . C('default_url') . $tid . C('static_url') . "#p" . $num2 . "';},3000)</script>";
                exit;
            }
        }
        // $pic is concatenated straight into the INSERT
        mysql_query("insert into " . C('db_prefix') . "mark1(tid,marker,pic,count,content,time) values(" . $tid . ",'" . $marker . "','" . $pic . "',1,'" . $content . "',now())");
        // (rest of mark() omitted in the report)
```
After being read back, the value is concatenated directly into the query, which causes the injection.

A single quote is successfully introduced, so injection is possible.

Proof: see the description above.

Fix: apply addslashes() again when the value is read back from the database.
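The report's point, and a fix that removes the escaping question altogether, as an added example that is not YouYaX's code or the report author's. The first function checks the "escaping is consumed on storage" claim against an in-memory SQLite database (no MySQL needed); the other two are hardened equivalents of the saveself() UPDATEs and the mark() INSERT using PDO prepared statements, so the avatar path is bound as data on both the write and the read-back path. The `$pdo` connection, the `youyax_` prefix and the `$marker` argument are assumptions.

```php
<?php
// Added example; not YouYaX code. Assumes a PDO connection ($pdo) with
// ERRMODE_EXCEPTION and the table/column names used in the report's excerpt.
// The prefix stands in for C('db_prefix').

// Checks the report's claim: a value escaped for the INSERT comes back from
// SELECT in its raw form, quote included. Returns true when the round trip
// is lossless (i.e. the escaping did not persist in the stored data).
function escapingIsConsumedOnStorage(): bool
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE user (user TEXT, face TEXT)");
    $face    = "avatar'.png";        // constructed value containing a quote
    $escaped = $db->quote($face);    // driver-correct escaping (addslashes' role for MySQL)
    $db->exec("INSERT INTO user VALUES ('alice', {$escaped})");
    $stored = $db->query("SELECT face FROM user WHERE user = 'alice'")->fetchColumn();
    return $stored === $face;        // true: what is stored is the raw string
}

// Hardened equivalent of saveself(): the avatar path is bound as a parameter,
// so nothing is escaped by hand and nothing is lost on storage.
function saveFace(PDO $pdo, string $prefix, string $user, string $face): void
{
    // Table and column names come from this fixed list, never from input.
    $targets = [
        ["{$prefix}user",  'face',  'user'],
        ["{$prefix}talk",  'face',  'zuozhe'],
        ["{$prefix}reply", 'face1', 'zuozhe1'],
        ["{$prefix}mark2", 'pic',   'marker'],
        ["{$prefix}mark1", 'pic',   'marker'],
    ];
    foreach ($targets as [$table, $col, $ownerCol]) {
        $stmt = $pdo->prepare("UPDATE {$table} SET {$col} = :face WHERE {$ownerCol} = :user");
        $stmt->execute([':face' => $face, ':user' => $user]);
    }
}

// Hardened equivalent of the INSERT in mark(): $pic is read back from the
// database and passed as a bound parameter, so a stored quote is data, not SQL.
function insertMark(PDO $pdo, string $prefix, int $tid, string $marker, string $content): void
{
    $stmt = $pdo->prepare("SELECT face FROM {$prefix}user WHERE user = :user");
    $stmt->execute([':user' => $marker]);
    $pic = (string) $stmt->fetchColumn();   // may contain ' or \ ; that is fine

    $stmt = $pdo->prepare(
        "INSERT INTO {$prefix}mark1 (tid, marker, pic, count, content, time)
         VALUES (:tid, :marker, :pic, 1, :content, NOW())"
    );
    $stmt->bindValue(':tid',     $tid, PDO::PARAM_INT);
    $stmt->bindValue(':marker',  $marker);
    $stmt->bindValue(':pic',     $pic);
    $stmt->bindValue(':content', $content);
    $stmt->execute();
}

var_dump(escapingIsConsumedOnStorage()); // bool(true)
```

If the legacy mysql_* code must stay, the author's suggestion of escaping again on read works only when the escaping matches the server's string syntax and connection charset, which is what mysql_real_escape_string() does and addslashes() only approximates; binding parameters as above avoids having to get that right at every read-back site.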
Severity: Low
Vulnerability Rank: 5
Confirmed at: 2014-06-09 16:27
Fix
2014-06-09: fixed and disclosed