ISPConfig <= 3.0.5.4p7 monitor/show_sys_state.php SQL注入漏洞

<p>因为不完整地过滤导致了SQL注入, 通过HTTP GET方式传递的server参数给了 /monitor/show_sys_state.php页面</p><p>攻击者可以传入任意恶意SQL命令并在数据库中执行</p><p>该漏洞的成功的利用可以让攻击者获得数据库的读写权限甚至危机整个web应用</p><p>但是该漏洞此时仍然是一个鸡肋漏洞, 因为攻击者要进行此攻击必须是认证通过的用户而且还需要有monitor权限</p><p>然而, 结合CSRF (Cross-Site Request Forgery) in ISPConfig: CVE-2015-4119则将让这个漏洞变成高危漏洞</p><p>.</p><p>在interface/web/monitor/show_sys_state.php文件中</p><p>Line 37 ~ 41:</p><p> <pre class="lang-php" data-lang="php"> ``` if (isset($_GET['server'])) { $server = explode('|', $_GET['server'], 2); $_SESSION['monitor']['server_id'] = $server[0]; $_SESSION['monitor']['server_name'] = $server[1]; } ``` </pre> </p><p>可以看到这里直接将GET到的server参数存入$_SESSION['monitor']中</p><p>Line 56 ~ 61:</p><p> <pre class="lang-php" data-lang="php"> ``` if ($_GET['state'] == 'server') { $res = _getServerState($_SESSION['monitor']['server_id'], $_SESSION['monitor']['server_name'], true); $output = $res['html_verbose'];] $title = $app->lng("monitor_general_serverstate_txt"); $stateType = 'server'; } ``` </pre> </p><p>这里将$_SESSION['monitor']当做参数传入_getServerState()函数</p> <p>Line 179 ~ 194:</p><p> <pre class="lang-php" data-lang="php"> ```function _getServerState($serverId, $serverName) { global $app;</p><p> /* &nbsp;The State of the server */ $serverState = 'ok'; /** The messages */ $messages = array(); /** The Result of the function */ $res = ''; /* * Get all monitoring-data from the server and process then */ $records = $app->db->queryAllRecords("SELECT DISTINCT type, data FROM monitor_data WHERE server_id = " . $serverId); ``` </pre></p><p>可以看到$serverId即对应的是$_SESSION['monitor']['server_id']直接进入数据库 并且这个位置没有用引号包含</p><p>导致了SQL注入</p>