2014-05-27: 细节已通知厂商并且等待厂商处理中 2014-05-27: 厂商已经确认,细节仅向厂商公开 2014-07-21: 细节向核心白帽子及相关领域专家公开 2014-07-31: 细节向普通白帽子公开 2014-08-10: 细节向实习白帽子公开 2014-08-25: 厂商已经修复漏洞并主动公开,细节向公众公开
YouYaX是良心厂商~所以来刷点洞,第一个
/ext/register.php 文件当($mix['is_prevent_reg']为true时
if($mix['is_prevent_reg']){ if (!empty($_SERVER['HTTP_CLIENT_IP'])) $myIp = $_SERVER['HTTP_CLIENT_IP']; else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) $myIp = $_SERVER['HTTP_X_FORWARDED_FOR']; else $myIp = $_SERVER['REMOTE_ADDR']; $sql = "select * from " . $config['db_prefix'] . "user where ip_addr='" . $myIp . "'"; $result = mysql_query($sql); $num = mysql_num_rows($result);
可以伪造IP进行注入,因为不回显应该是用延时注入比较合适.这里echo 出sql语句做一下漏洞证明
为了管理员复现漏洞方便(该CMS还要配置邮件服务器,我注释这些代码)复制了我的代码上来你复现直接粘贴上去就可以了
<?phpinclude('../ext_public/include.php');include('../ext_public/database.php');function doUserCount($param){ $count_arr = mysql_fetch_array(mysql_query("select * from " . $param . "count where id=1")); $data=unserialize($count_arr['user_count']); $date=date('w', time()); $date2=date('W',time()); if($date2 != $count_arr['week_order']){ mysql_query("update " . $param . "count set user_count='',post_count='',week_order='".$date2."' where id=1"); $count_arr = mysql_fetch_array(mysql_query("select * from " . $param . "count where id=1")); $data=unserialize($count_arr['user_count']); } switch($date){ case 0: @$data['g']++; break; case 1: @$data['a']++; break; case 2: @$data['b']++; break; case 3: @$data['c']++; break; case 4: @$data['d']++; break; case 5: @$data['e']++; break; case 6: @$data['f']++; break; } mysql_query("update " . $param . "count set user_count='".serialize($data)."' where id=1");}if (isset($_POST['sub'])) { if(empty($config['default_user_group'])||empty($config['not_log_in_user_group'])){ echo "<script>alert('请至后台[注册激活管理-配置]设置注册和未登陆默认用户组');</script>"; exit; } $user = htmlspecialchars(addslashes(trim($_POST['user'])), ENT_QUOTES, "UTF-8"); if(mb_strlen($user,'utf8')>7 || mb_strlen($user,'utf8')<2){ echo "<script>alert('用户名长度必须在2~7个字符之间');</script>"; echo "<script>window.parent.location.href='" . url_site . "';</script>"; exit; } if (empty($_POST['pass'])) { echo "<script>alert('密码必填');</script>"; echo "<script>window.parent.location.href='" . url_site . "';</script>"; exit; } $pass = md5(addslashes($_POST['pass'])); $_POST['email']=addslashes($_POST['email']); if (empty($_POST['email'])) { echo "<script>alert('邮箱名必填');</script>"; echo "<script>window.parent.location.href='" . url_site . "';</script>"; exit; } if($mix['is_prevent_reg']){ if (!empty($_SERVER['HTTP_CLIENT_IP'])) $myIp = $_SERVER['HTTP_CLIENT_IP']; else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) $myIp = $_SERVER['HTTP_X_FORWARDED_FOR']; else $myIp = $_SERVER['REMOTE_ADDR']; $sql = "select * from " . $config['db_prefix'] . "user where ip_addr='" . $myIp . "'"; $result = mysql_query($sql); var_dump($sql); $num = mysql_num_rows($result); if($num >= $mix['prevent_reg_num']){ echo "<script>alert('注册失败,此IP地址已经使用超过 ".$mix['prevent_reg_num']." 次了');</script>"; echo "<script>window.parent.location.href='" . url_site . "';</script>"; exit; } } $code = ''; for ($i = 0; $i < 6; $i++) { $code .= mt_rand(0, 9); } if($config['register_mode']==1){/* $mailconf = require("../Conf/mail.config.php"); if(empty($mailconf['mail_Host'])&&empty($mailconf['mail_Username'])&&empty($mailconf['mail_Password'])){ echo "<script>alert('管理员后台未配置邮件服务器');</script>"; exit; }*/ } mysql_query("SET NAMES 'utf8'"); mysql_query("SET sql_mode=''"); date_default_timezone_set('Asia/Shanghai'); $sql = "select * from " . $config['db_prefix'] . "user where user='" . $user . "'"; $result = mysql_query($sql); $num = mysql_num_rows($result); //判断是否被注册 if ($num > 0) { echo "<script>alert('该用户名已被注册');</script>"; echo "<script>window.parent.location.href='" . url_site . "';</script>"; } else { $sql2 = "select * from " . $config['db_prefix'] . "user where email='" . $_POST['email'] . "'"; $result2 = mysql_query($sql2); $num2 = mysql_num_rows($result2); if ($num2 > 0) { echo "<script>alert('邮箱名已被注册');</script>"; echo "<script>window.parent.location.href='" . url_site . "';</script>"; exit; } else { if($config['register_mode']==1){/* require_once("../ext_public/phpmailer/class.phpmailer.php"); $mail = new PHPMailer(); $mail->IsSMTP(); $mail->Host = $mailconf['mail_Host']; $mail->SMTPAuth = true; $mail->Username = $mailconf['mail_Username']; $mail->Password = $mailconf['mail_Password']; $mail->From = $mailconf['mail_From']; $mail->FromName = $mailconf['mail_FromName']; $mail->AddAddress($_POST['email']); $mail->IsHTML(true); $mail->CharSet = "UTF-8"; $mail->Encoding = "base64"; $mail->Subject = $mailconf['mail_Subject']; $mail->Body = $mailconf['mail_Body'] . "<a href='" . url_site . "/ext/mail_active.php?user=" . $user . "&pass=" . $pass . "&email=" . $_POST['email'] . "&code=" . $code . "'>点此激活</a>"; if (!empty($_POST['email'])) { exit; }*/ if($mix['is_prevent_reg']){ $sql = "insert into " . $config['db_prefix'] . "user(user,pass,status,email,complete,face,time,fatieshu,bid,codes,ip_addr,user_group) values('" . $user . "','" . $pass . "',0,'" . $_POST['email'] . "','0','00.gif',now(),0,'".$mix['bid_init']."','" . $code . "','".$myIp."','".$config['default_user_group']."')"; }else{ $sql = "insert into " . $config['db_prefix'] . "user(user,pass,status,email,complete,face,time,fatieshu,bid,codes,user_group) values('" . $user . "','" . $pass . "',0,'" . $_POST['email'] . "','0','00.gif',now(),0,'".$mix['bid_init']."','" . $code . "','".$config['default_user_group']."')"; } mysql_query($sql); doUserCount($config['db_prefix']); echo "<script>alert('注册成功,请至邮箱激活!');</script>"; echo "<script>window.parent.location.href='" . url_site . "';</script>"; }else{ if(addslashes($_POST['valicode'])!=$_SESSION['verify']){ echo "<script>alert('输入的验证码不正确!');</script>"; exit; }else{ if($mix['is_prevent_reg']){ $sql = "insert into " . $config['db_prefix'] . "user(user,pass,status,email,complete,face,time,fatieshu,bid,codes,ip_addr,user_group) values('" . $user . "','" . $pass . "',1,'" . $_POST['email'] . "','0','00.gif',now(),0,'".$mix['bid_init']."','". $code . "','".$myIp."','".$config['default_user_group']."')"; }else{ $sql = "insert into " . $config['db_prefix'] . "user(user,pass,status,email,complete,face,time,fatieshu,bid,codes,user_group) values('" . $user . "','" . $pass . "',1,'" . $_POST['email'] . "','0','00.gif',now(),0,'".$mix['bid_init']."','". $code . "','".$config['default_user_group']."')"; } mysql_query($sql); doUserCount($config['db_prefix']); echo "<script>alert('注册成功!');</script>"; $_SESSION['youyax_data'] = 1; $_SESSION['youyax_user'] = $user; $_SESSION['youyax_bz'] = 1; echo "<script>window.parent.location.href='" . url_site . "';</script>"; } } } }}?>
对IP正则判断
危害等级:高
漏洞Rank:20
确认时间:2014-05-27 12:19
似乎可以绕过注册限制,多谢反馈
2014-05-27:公开漏洞是为了在程序发展初期,无太多用户积累的情况下更好的检测安全性
http://bbs.youyax.com/Content-index-id-5411.aspx
@只发通用型 还在初期阶段的系统啊,提前重视起安全是个好开始 :P
@只发通用型 这个的确是一种隐患啊,这样数据库逐个测试可以拿到后台管理员帐户但是似乎不能拿到密码吧,因为是经过md5加密后存在admin表中的,就算这样测试拿到了所有的md5密码也是不可逆的,密码复杂的时候破解不了的
@YouYaX http://www.cmd5.com/ MD5可以在这个网站上查 查不出来他会帮你暴力破解 你们的安全意识有待提高啊
@只发通用型 没有“们”,只有我一个人。
@YouYaX 你屌炸天了!我有你们的一个洞,只是还没发。。
@YouYaX 打错,是“你”。。。
@养乐多Ngan 谁叫你不发啊 哈哈
@neal 没事 貌似不是同一处
( 实习白帽子 | Rank:44 漏洞数:2 | 阅尽天下漏洞,心中自然无码。)