2013-12-23: 细节已通知厂商并且等待厂商处理中 2013-12-23: 厂商已经确认,细节仅向厂商公开 2013-12-26: 细节向第三方安全合作伙伴开放 2014-02-16: 细节向核心白帽子及相关领域专家公开 2014-02-26: 细节向普通白帽子公开 2014-03-08: 细节向实习白帽子公开 2014-03-23: 细节向公众公开
ThinkSAAS SQL注入#6
thinksaas在添加标签处,由于不完全的过滤,以及特殊的构造拼接导致sql注入。在/app/tag/action/add.php文件:
case "do": $objname = t($_POST['objname']); $idname = t($_POST['idname']); $objid = intval($_POST['objid']); $tags = t($_POST['tags']); $new['tag']->addTag($objname,$idname,$objid,$tags); tsNotice('标签添加成功!'); break;
注意这里的$objname参数。然后,跟进t函数:
function t($text) { $text = preg_replace ( '/\[.*?\]/is', '', $text ); $text = cleanJs ( $text ); // 彻底过滤空格BY QINIAO $text = preg_replace ( '/\s(?=\s)/', '', $text ); $text = preg_replace ( '/[\n\r\t]/', ' ', $text ); $text = str_replace ( ' ', ' ', $text ); // $text = str_replace ( ' ', '', $text ); $text = str_replace ( ' ', '', $text ); $text = str_replace ( '&', '', $text ); $text = str_replace ( '=', '', $text ); $text = str_replace ( '-', '', $text ); $text = str_replace ( '#', '', $text ); $text = str_replace ( '%', '', $text ); $text = str_replace ( '!', '', $text ); $text = str_replace ( '@', '', $text ); $text = str_replace ( '^', '', $text ); $text = str_replace ( '*', '', $text ); $text = str_replace ( 'amp;', '', $text ); $text = str_replace ( 'position', '', $text ); $text = strip_tags ( $text ); $text = htmlspecialchars ( $text ); $text = str_replace ( "'", "", $text ); return $text;}
然后,跟进addTag函数:
$tagIdCount = $this->findCount("tag_".$objname."_index",array( 'tagid'=>$tagData['tagid'], )); $count_obj = "count_".$objname; $this->update('tag',array( 'tagid'=>$tagData['tagid'], ),array( $count_obj=>$tagIdCount, 'uptime'=>$uptime, ));
看到这里的$objname参数带入了$count_obj中,然后进入了sql语句update中。
public function update($table, $conditions, $row) { $where = ""; if (empty ( $row )) return FALSE; if (is_array ( $conditions )) { $join = array (); foreach ( $conditions as $key => $condition ) { $condition = $this->escape ( $condition ); $join [] = "{$key} = {$condition}"; } $where = "WHERE " . join ( " AND ", $join ); } else { if (null != $conditions) $where = "WHERE " . $conditions; } foreach ( $row as $key => $value ) { $vals [] = "`$key` = '$value'"; } $values = join ( ", ", $vals ); $sql = "UPDATE " . dbprefix . "{$table} SET {$values} {$where}"; return $this->db->query ( $sql ); }
这里在处理sql语句时,在key上使用了反引号。而这里的key使我们输入的$objname参数拼接起来的,正好从上面的过滤来看,没有过滤掉反引号。导致在key这里造成注入。
构造请求,在$objname处添加反引号,查看sql执行日志:
反引号被成功带入到了update时的key中。
过滤
危害等级:高
漏洞Rank:20
确认时间:2013-12-23 20:23
非常感谢反馈,问题真实存在,正在积极修复中。
暂无
