乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-08-19: 积极联系厂商并且等待厂商认领中,细节不对外公开 2015-10-03: 厂商已经主动忽略漏洞,细节向公众公开
0.0
先看到D:/wamp/www/opensns/Application/User/Api/UserApi.class.php
public function login($username, $password, $type = 1){ if(file_exists('./api/uc_login.lock')){ include_once './api/uc_client/client.php'; if(strtolower(UC_CHARSET) == 'gbk'){ $username = iconv('UTF-8', 'GBK', $username); } $uc_user = uc_user_login($username,$password,0); if($uc_user[0]==-2){ return '密码错误'; } elseif($uc_user[0]==-1){ return '用户不存在,或者被删除'; } elseif($uc_user[0]>0){ if(strtolower(UC_CHARSET) == 'gbk'){ $uc_user[1] = iconv('GBK', 'UTF-8', $uc_user[1]); } D('member')->where(array('uid'=>$uc_user[0]))->setField('nickname',$uc_user[1]); D('ucenter_member')->where(array('id'=>$uc_user[0]))->setField('username',$uc_user[1]); return $uc_user[0]; } }else{ if(UC_SYNC && $username != get_username(1)){ return $this->ucLogin($username, $password); } return $this->model->login($username, $password, $type); } }
跟进D:/wamp/www/opensns/Application/User/Model/UcenterMemberModel.class.php
*/ public function login($username, $password, $type = 1) { $map = array(); switch ($type) { case 1: $map['username'] = $username; break; case 2: $map['email'] = $username; break; case 3: $map['mobile'] = $username; break; case 4: $map['id'] = $username; break; default: return 0; //参数错误 } /* 获取用户数据 */ $user = $this->where($map)->find(); $return = check_action_limit('input_password','ucenter_member',$user['id'],$user['id']); if($return && !$return['state']){ return $return['info']; } if (UC_SYNC && $user['id'] != 1) { return $this->ucLogin($username, $password); } if (is_array($user) && $user['status']) { /* 验证用户密码 */ if (think_ucenter_md5($password, UC_AUTH_KEY) === $user['password']) { $this->updateLogin($user['id']); //更新用户登录信息 return $user['id']; //登录成功,返回用户ID } else { action_log('input_password','ucenter_member',$user['id'],$user['id']); return -2; //密码错误 } } else { return -1; //用户不存在或被禁用 } }
进入数据库处理函数,跟入D:/wamp/www/opensns/ThinkPHP/Library/Think/Db.class.php
protected function parseWhereItem($key,$val) { $whereStr = ''; if(is_array($val)) { if(is_string($val[0])) { if(preg_match('/^(EQ|NEQ|GT|EGT|LT|ELT)$/i',$val[0])) { // 比较运算 $whereStr .= $key.' '.$this->comparison[strtolower($val[0])].' '.$this->parseValue($val[1]); }elseif(preg_match('/^(NOTLIKE|LIKE)$/i',$val[0])){// 模糊查找 if(is_array($val[1])) { $likeLogic = isset($val[2])?strtoupper($val[2]):'OR'; if(in_array($likeLogic,array('AND','OR','XOR'))){ $likeStr = $this->comparison[strtolower($val[0])]; $like = array(); foreach ($val[1] as $item){ $like[] = $key.' '.$likeStr.' '.$this->parseValue($item); } $whereStr .= '('.implode(' '.$likeLogic.' ',$like).')'; } }else{ $whereStr .= $key.' '.$this->comparison[strtolower($val[0])].' '.$this->parseValue($val[1]); } }elseif('exp'==strtolower($val[0])){ // 使用表达式 $whereStr .= $key.' '.$val[1]; }elseif(preg_match('/IN/i',$val[0])){ // IN 运算 if(isset($val[2]) && 'exp'==$val[2]) { $whereStr .= $key.' '.strtoupper($val[0]).' '.$val[1]; }else{ if(is_string($val[1])) { $val[1] = explode(',',$val[1]); } $zone = implode(',',$this->parseValue($val[1])); $whereStr .= $key.' '.strtoupper($val[0]).' ('.$zone.')'; } }elseif(preg_match('/BETWEEN/i',$val[0])){ // BETWEEN运算 $data = is_string($val[1])? explode(',',$val[1]):$val[1]; $whereStr .= $key.' '.strtoupper($val[0]).' '.$this->parseValue($data[0]).' AND '.$this->parseValue($data[1]); }else{ E(L('_EXPRESS_ERROR_').':'.$val[0]); } }else { $count = count($val); $rule = isset($val[$count-1]) ? (is_array($val[$count-1]) ? strtoupper($val[$count-1][0]) : strtoupper($val[$count-1]) ) : '' ; if(in_array($rule,array('AND','OR','XOR'))) { $count = $count -1; }else{ $rule = 'AND'; } for($i=0;$i<$count;$i++) { $data = is_array($val[$i])?$val[$i][1]:$val[$i]; if('exp'==strtolower($val[$i][0])) { $whereStr .= $key.' '.$data.' '.$rule.' '; }else{ $whereStr .= $this->parseWhereItem($key,$val[$i]).' '.$rule.' '; } } $whereStr = '( '.substr($whereStr,0,-4).' )'; } }else { //对字符串类型字段采用模糊匹配 if(C('DB_LIKE_FIELDS') && preg_match('/('.C('DB_LIKE_FIELDS').')/i',$key)) { $val = '%'.$val.'%'; $whereStr .= $key.' LIKE '.$this->parseValue($val); }else { $whereStr .= $key.' = '.$this->parseValue($val); } } return $whereStr; }
可以看到val[0]存在in就可以注入了.具体利用方式看测试代码.
语句成功注入脚本猜解密码
案例
90371.comwww.qunren.cnwww.uidear.comdrname.comwww.chuangkelianmeng.orgsns1.543210.comwww.oomee.com/
未能联系到厂商或者厂商积极拒绝