### 简要描述:
ThinkSNS某处存在水平权限问题,未对用户的操作进行权限认证,导致越权访问,删除任意用户信息
### 详细说明:
看过之前乌云白帽子发的关于水平权限的问题,貌似很多。重新看了下,好多都没修复。发个没有重复的。测试版本:4.18号官网下载的版本。
漏洞文件:/thinksns/apps/weba/Lib/Action/GroupAction.class.php
说明,index文件应该是group文件的完善更新版?
代码:
```
/**
* 执行编辑帖子
* @return void
*/
//水平权限缺陷02
public function doPostEdit(){
// echo 2;die;
$checkContent = str_replace(' ', '', $_POST['content']);
$checkContent = str_replace('<br />', '', $checkContent);
$checkContent = str_replace('<p>', '', $checkContent);
$checkContent = str_replace('</p>', '', $checkContent);
$checkContents = preg_replace('/<img(.*?)src=/i','img',$checkContent);
$checkContents = preg_replace('/<embed(.*?)src=/i','img',$checkContents);
if(strlen(t($_POST['title']))==0) $this->error('帖子标题不能为空');
if(strlen(t($checkContents))==0) $this->error('帖子内容不能为空');
preg_match_all('/./us', t($_POST['title']), $match);
if(count($match[0])>30){ //汉字和字母都为一个字
$this->error('帖子标题不能超过30个字');
}
$post_id = intval($_POST['post_id']);
$data['title'] = t($_POST['title']);
$data['content'] = h($_POST['content']);
$res = D('weiba_post')->where('post_id='.$post_id)->save($data);//直接提交post_id即可编辑任意帖子,未进行权限认证
if($res!==false){
$post_detail = D('weiba_post')->where('post_id='.$post_id)->find();
if(intval($_POST['log'])==1){
D('log')->writeLog($post_detail['weiba_id'],$this->mid,'编辑了帖子“<a href="'.U('weiba/Index/postDetail',array('post_id'=>$post_id)).'" target="_blank">'.$post_detail['title'].'</a>”','posts');
}
//同步到微博
$feedInfo = D('feed_data')->where('feed_id='.$post_detail['feed_id'])->find();
$datas = unserialize($feedInfo['feed_data']);
$datas['content'] = '【'.$data['title'].'】'.getShort(t($checkContent),100).' ';
$datas['body'] = $datas['content'];
$data1['feed_data'] = serialize($datas);
$data1['feed_content'] = $datas['content'];
$feed_id = D('feed_data')->where('feed_id='.$post_detail['feed_id'])->save($data1);
model('Cache')->rm('fd_'.$post_detail['feed_id']);
return $this->ajaxReturn($post_id, '编辑成功', 1);
}else{
$this->error('编辑失败');
}
}
```
其中doPostEdit操作未对权限认证,导致可以修改微吧里的任意帖子
起始状态如下
[<img src="https://images.seebug.org/upload/201405/10014537f2d631355cdb66699f51b4111fc8449d.png" alt="4a32db82-5beb-4b4d-92bc-ec3dcf2724bc.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/10014537f2d631355cdb66699f51b4111fc8449d.png)
数据库信息为
[<img src="https://images.seebug.org/upload/201405/10014620199e99e317533fa19f8fa849df9c1d44.png" alt="3d360691-fab6-4f95-831a-44b176454bcf.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/10014620199e99e317533fa19f8fa849df9c1d44.png)
post_id=5内容为test02的,post_id=4内容为test01的
test02修改自己的帖子,拦截post请求如下
[<img src="https://images.seebug.org/upload/201405/10014824960736297688e7f90f639157268c3b82.png" alt="463f10fa-81bd-48ee-8954-893cd81568b6.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/10014824960736297688e7f90f639157268c3b82.png)
修改test01的帖子,即post_id=4如图
[<img src="https://images.seebug.org/upload/201405/10014917741f59660496bf968b25fde2688e7846.png" alt="212c021c-3c89-4168-b6f8-e1d687573743.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/10014917741f59660496bf968b25fde2688e7846.png)
结果为
[<img src="https://images.seebug.org/upload/201405/10015005534e8243ea67e987cdf6eefb3d1f6b46.png" alt="2cdb4753-10a7-4b22-ba02-052d1c9c83fa.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/10015005534e8243ea67e987cdf6eefb3d1f6b46.png)
同时有删除任意帖子的漏洞(白帽之前提交的未修复, [WooYun: ThinkSNS SQL注入及越权](http://www.wooyun.org/bugs/wooyun-2014-050671) )
代码:
```
/**
* 删除帖子
* @return void
*/
public function postDel(){
$post_id = intval($_POST['post_id']);//修复了注入问题
// 水平权限缺陷01
if(D('weiba_post')->where('post_id='.$post_id)->setField('is_del',1)){
if(intval($_POST['log'])==1){
$post_detail = D('weiba_post')->where('post_id='.$post_id)->find();
D('log')->writeLog($post_detail['weiba_id'],$this->mid,'删除了帖子“'.$post_detail['title'].'”','posts');
}
D('weiba')->where('weiba_id='.intval($_POST['weiba_id']))->setDec('thread_count');
echo 1;
}
}
```
初始状态:
[<img src="https://images.seebug.org/upload/201405/10015226ef50812184f3d6ede950a3d2afaca5e3.png" alt="4d3a04d0-61bf-4eb9-99c3-b2cafbcf40fd.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/10015226ef50812184f3d6ede950a3d2afaca5e3.png)
越权删除test01的帖子
[<img src="https://images.seebug.org/upload/201405/1001524992158313012e3aff5a7a29d795b5cc29.png" alt="7b26c96c-b689-4b6a-98fc-a715904f6f87.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/1001524992158313012e3aff5a7a29d795b5cc29.png)
结果为
[<img src="https://images.seebug.org/upload/201405/10015336fc1b6db0018a3f29ee973fc2c7ee25bc.png" alt="5972993a-9f53-420a-9a91-01d0ebcab7b5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/10015336fc1b6db0018a3f29ee973fc2c7ee25bc.png)
### 漏洞证明:
如上详细描述。
同时/thinksns/apps/weba/Lib/Action/LogAction.class.php文件中多处,也未修复(之前白帽白帽提交的 [WooYun: ThinkSNS某功能平行权限3](http://www.wooyun.org/bugs/wooyun-2014-049172) )。
京公网安备 11010502034610号
暂无评论