2014-02-20: 细节已通知厂商并且等待厂商处理中 2014-02-20: 厂商已经确认,细节仅向厂商公开 2014-02-23: 细节向第三方安全合作伙伴开放 2014-04-16: 细节向核心白帽子及相关领域专家公开 2014-04-26: 细节向普通白帽子公开 2014-05-06: 细节向实习白帽子公开 2014-05-21: 细节向公众公开
ThinkSAAS 最新版2.1,官方2月15日更新,SQL注入第二弹
上传资料处/app/attach/action/upload.php:
case "do": $userid = intval($_GET['userid']); $albumid = intval($_GET['albumid']); if($userid=='0' || $albumid == 0){ echo '00000'; exit; } $attachid = $new['attach']->create('attach',array( 'userid' => $userid, 'locationid'=>aac('user')->getLocationId($userid), 'albumid'=>$albumid, 'addtime' => date('Y-m-d H:i:s'), )); //上传 $arrUpload = tsUpload($_FILES['Filedata'],$attachid,'attach',array('pptx','docx','pdf','jpg','gif','png','rar','zip','doc','ppt','txt')); if($arrUpload){ $new['attach']->update('attach',array( 'attachid'=>$attachid, ),array( 'attachname'=>$arrUpload['name'], 'attachtype'=>$arrUpload['type'], 'attachurl'=>$arrUpload['url'], 'attachsize'=>$arrUpload['size'], )); //对积分进行处理 aac('user')->doScore($app,$ac,$ts,$userid); } echo $attachid; break;
然后使用tsUpload函数对文件进行上传。$_FILES['Filedata']是上传表单的名字。
function tsUpload($files, $projectid, $dir, $uptypes) { if ($files ['size'] > 0) { $menu2 = intval ( $projectid / 1000 ); $menu1 = intval ( $menu2 / 1000 ); $path = $menu1 . '/' . $menu2; $dest_dir = 'uploadfile/' . $dir . '/' . $path; createFolders ( $dest_dir ); //$ext = pathinfo($files['name'],PATHINFO_EXTENSION); $arrType = explode ( '.', strtolower ( $files ['name'] ) ); // 转小写一下 $type = array_pop ( $arrType ); if (in_array ( $type, $uptypes )) { $name = $projectid . '.' . $type; $dest = $dest_dir . '/' . $name; // 先删除 unlink ( $dest ); // 后上传 move_uploaded_file ( $files ['tmp_name'], mb_convert_encoding ( $dest, "gb2312", "UTF-8" ) ); chmod ( $dest, 0777 ); $filesize = filesize ( $dest ); if (intval ( $filesize ) > 0) { return array ( 'name' => tsFilter($files ['name']), 'path' => $path, 'url' => $path . '/' . $name, 'type' => $type, 'size' => $files ['size'] ); } else { return false; } } else { return false; } }}
有一个过滤的函数tsFilter:
function tsFilter($value){ $value = trim($value); //定义不允许提交的SQl命令和关键字 $words = array(); $words[] = "add "; $words[] = "and "; $words[] = "count "; $words[] = "order "; $words[] = "table "; $words[] = "by "; $words[] = "create "; $words[] = "delete "; $words[] = "drop "; $words[] = "from "; $words[] = "grant "; $words[] = "insert "; $words[] = "select "; $words[] = "truncate "; $words[] = "update "; $words[] = "use "; $words[] = "--"; $words[] = "#"; $words[] = "group_concat"; $words[] = "column_name"; $words[] = "information_schema.columns"; $words[] = "table_schema"; $words[] = "union "; $words[] = "where "; $words[] = "alert"; $value = strtolower($value);//转换为小写 foreach($words as $word){ if(strstr($value,$word)){ $value = str_replace($word,'',$value); } } return $value;}
过滤了关键字及注释符号。可是仔细一看,过滤的是类似“select ”这种,关键字后面加了个空格。但是我们可以用制表符,它能完美代替空格。我们来看看update函数:
public function update($table, $conditions, $row) { $where = ""; if (empty ( $row )) return FALSE; if (is_array ( $conditions )) { $join = array (); foreach ( $conditions as $key => $condition ) { $condition = $this->escape ( $condition ); $join [] = "{$key} = {$condition}"; } $where = "WHERE " . join ( " AND ", $join ); } else { if (null != $conditions) $where = "WHERE " . $conditions; } foreach ( $row as $key => $value ) { $vals [] = "`$key` = '$value'"; } $values = join ( ", ", $vals ); $sql = "UPDATE " . dbprefix . "{$table} SET {$values} {$where}"; return $this->db->query ( $sql ); }
在conditions处做了处理,但是我们这是在row中,没有处理,导致SQL注入。
保证最新版:
发送下面的请求:
这个cms还有一个特点,它不会显示mysql错误,但会把错误保存在/logs/文件夹里,名字就是日期+-mysql-error.txt。这样,我们就可以看到mysql的报错信息,从而爆出得到管理员账号密码。
对参数进行严格处理,过滤。
危害等级:高
漏洞Rank:20
确认时间:2014-02-20 10:28
谢谢反馈,已经修复。
暂无
这个必须膜拜下。
