您的位置 » 首页 » 代码审计,实用工具 » 代码审计:Ucenter Home SQL注入漏洞详细分析(需要GPC=OFF)

代码审计:Ucenter Home SQL注入漏洞详细分析(需要GPC=OFF)

发表于4年前 | 作者: seay | 分类: 代码审计, 实用工具 | 孵化于:2013年05月01日 | 文章热度:4,225 次 全屏阅读

显示不全请点击全屏阅读

SQL Injection 1:

漏洞在文件\source\cp_profile.php

 

<?php //  
.......省略.......

                //性别
                $_POST['sex'] = intval($_POST['sex']);
                if($_POST['sex'] && empty($space['sex'])) $setarr['sex'] = $_POST['sex'];
                
                foreach ($profilefields as $field => $value) {
                        if($value['formtype'] == 'select') $value['maxsize'] = 255;
                        $setarr['field_'.$field] = getstr($_POST['field_'.$field], $value['maxsize'], 1, 1);
                        if($value['required'] && empty($setarr['field_'.$field])) {
                                showmessage('field_required', '', 1, array($value['title']));
                        }
                }
                
                updatetable('spacefield', $setarr, array('uid'=>$_SGLOBAL['supe_uid']));
                
                //隐私
                $inserts = array();
                foreach ($_POST['friend'] as $key => $value) {
                        $value = intval($value);
                        $inserts[] = "('base','$key','$space[uid]','$value')"; //这是要干嘛? key没过滤 11年至今未修复
                }
                if($inserts) {
                        $_SGLOBAL['db']->query("DELETE FROM ".tname('spaceinfo')." WHERE uid='$space[uid]' AND type='base'");
                        $_SGLOBAL['db']->query("INSERT INTO ".tname('spaceinfo')." (type,subtype,uid,friend)
                                VALUES ".implode(',', $inserts)); //带入了 不解释...
                }

SQL Injection 2:

通读了一遍, 除了上面那个冷饭以外还有一个地方对KEY也没做处理, 导致注射:

 漏洞文件 \source\cp_privacy.php

<?php //  
.......省略.......

} elseif(submitcheck('privacy2submit')) {

        //类型筛选
        $space['privacy']['filter_icon'] = array();
        foreach ($_POST['privacy']['filter_icon'] as $key => $value) {
                $space['privacy']['filter_icon'][$key] = 1;
        }
        //用户组设置
        $space['privacy']['filter_gid'] = array();
        foreach ($_POST['privacy']['filter_gid'] as $key => $value) {
                $space['privacy']['filter_gid'][$key] = intval($value);
        }
        
        //通知筛选
        $space['privacy']['filter_note'] = array();
        foreach ($_POST['privacy']['filter_note'] as $key => $value) { //此处开始把key转到$space['privacy']['filter_note'][$key]
                $space['privacy']['filter_note'][$key] = 1;
        }
        
        privacy_update();

        //更新好友缓存
        friend_cache($_SGLOBAL['supe_uid']);

        showmessage('do_success', 'cp.php?ac=privacy&op=view');
}

if($_GET['op'] == 'view') {
        //好友组
        
        $groups = getfriendgroup();
        //屏蔽
        $filter_icons = empty($space['privacy']['filter_icon'])?array():$space['privacy']['filter_icon']; //赋值到$filter_icons
        $filter_note = empty($space['privacy']['filter_note'])?array():$space['privacy']['filter_note'];
        $iconnames = $appids = $icons = $uids = $users = array();

.......省略.......
        

foreach ($filter_icons as $key => $value) {

list($icon, $uid) = explode('|', $key); //使用|分割 将key赋值到$uid 并未做任何过滤

$icons[$key] = $icon;

$uids[$key] = $uid; //此处写进$uids也没过滤

if(is_numeric($icon)) {

$appids[$key] = $icon;

}
}

if($uids) {
                $query = $_SGLOBAL['db']->query("SELECT uid, username FROM ".tname('space')." WHERE uid IN (".simplode($uids).")"); //射了射了射了射了射了射了射了射了射了射了射了射了射了射了射了射了
                $_SGLOBAL['db']->fetch_array($query);
while ($value = $_SGLOBAL['db']->fetch_array($query)) {
                        $users[$value['uid']] = $value['username'];
                }
        }
        //获取应用名称
        if($appids) {
                $query = $_SGLOBAL['db']->query("SELECT appid, appname FROM ".tname('myapp')." WHERE appid IN (".simplode($appids).")");
                while ($value = $_SGLOBAL['db']->fetch_array($query)) {
                        $iconnames[$value['appid']] = $value['appname'];
                }
        }
        
        $cat_actives = array('view' => ' class="active"');

}

 看看simplode函数吧~

function simplode($ids) {
        return "'".implode("','", $ids)."'"; //虽然有单引号, 但是程序并没有过滤post过去的KEY值, 所以在GPC=OFF的情况下可射.
}

测试图:

 

 

注意必须要先登录并且找到formhash, 登陆后源码里面就能找到

 

作者:Rices

 

 

 

Tags:

Ucenter Home漏洞, 代码审计,

如果您喜欢我的博客,欢迎点击图片定订阅到邮箱填写您的邮件地址,订阅我们的精彩内容: 也可以点击链接【订阅到鲜果】

如果我的想法或工具帮助到了你,也可微信扫下方二维码打赏本人一杯咖啡


来自 Seay互联网安全博客
本文地址:http://www.cnseay.com/2738/
文章版权说明请看置顶文章,尊重作者,转载请以链接形式标明原文地址

马上分享给你的朋友吧~

发表评论

你的大名(必填)

你的邮箱(必填)

评论内容(必填)