BiWEB最新门户版多处越权打包

### 简要描述： BiWEB最新门户版多处越权打包 ### 详细说明： 在wooyun上看到了有人把biweb的shell拿到了： [WooYun: BIWEB门户版Getwebshell漏洞](http://www.wooyun.org/bugs/wooyun-2014-049746) ，也有人提了其他漏洞，我也来找找它的漏洞吧。去官网下BiWEB门户版最新的5.8.3来看看。 这里提一个越权删除任意用户发布的供求信息、资讯信息、产品信息、企业信息、会展信息、招聘信息、问题信息、视频信息…… 这些地方都存在这个漏洞 ``` /ask/adminu/index.php /company/adminu/index.php /exhibition/adminu/index.php /job/adminu/index.php /links/adminu/index.php /news/adminu/index.php /product/adminu/index.php /trade/adminu/index.php /video/adminu/index.php ``` 以/trade/adminu/index.php进行证明，看看/trade/adminu/index.php吧 ``` 无关代码 $arrWhere = array(); $arrLink = array(); if(isset($_GET['action'])){ if($_GET['action']=='search') { // 构造搜索条件和翻页参数 $arrLink[] = 'action=search'; if (!empty($_GET['title'])) { $strKeywords = strval(urldecode($_GET['title'])); if($strKeywords[0] == '/'){ //精确查询ID $strKeywords = substr($strKeywords,1); if(is_numeric($strKeywords)) $arrWhere[] = "id = '" . $strKeywords . "'"; }else{ $arrWhere[] = "tag LIKE '%" . $_GET['title'] . "%'"; } $arrLink[] = 'title=' . $_GET['title']; } if ($_GET['pass'] == '1' || $_GET['pass'] == '0') { $arrWhere[] = "pass='".$_GET['pass']."'"; $arrLink[] = 'pass=' . $_GET['pass']; } if (!empty($_GET['type_id'])) { $intTypeID = intval($_GET['type_id']); $arrWhere[] = "type_id='".$intTypeID."' or type_roue_id like '%:$intTypeID:%'"; $arrLink[] = 'type_id='.$intTypeID; } } else { $objWebInit->doInfoAction($_GET['action'],$_POST['select']); } } 无关代码 ``` 当$_GET['action']=’del’时，则执行这条语句$objWebInit->doInfoAction($_GET['action'],$_POST['select'])，我们再去看看doInfoAction()， 在/web_common5.8/php_common.php中 ``` 无关代码 function doInfoAction($strAction=null,$arrData=null,$arrFile=array('photo')){ switch ($strAction){ case 'del': foreach ($arrData as $key=>$val){ $this->deleteInfo($val,$arrFile); } break; case 'delpic': foreach ($arrData as $key=>$val){ $this->deleteInfoPic($val,$arrFile); } break; case 'moveup': foreach ($arrData as $key=>$val){ $this->moveupInfo($val); } break; case 'check': foreach ($arrData as $key=>$val){ $this->passInfo($val,1); } break; case 'uncheck': foreach ($arrData as $key=>$val){ $this->passInfo($val,0); } break; case 'settop': foreach ($arrData as $key=>$val){ $this->topInfo($val,1); } break; case 'unsettop': foreach ($arrData as $key=>$val){ $this->topInfo($val,0); } break; case 'setrecommend': foreach ($arrData as $key=>$val){ $this->recommendInfo($val,1); } break; case 'unsetrecommend': foreach ($arrData as $key=>$val){ $this->recommendInfo($val,0); } break; } return true; } 无关代码 ``` 再去看看相同文件中的deleteInfo() ``` function deleteInfo($intInfoID,$arrFile=array('photo')){ if($arr = $this->getInfo($intInfoID)){ if(!empty($this->arrGPic['FileSavePath'])){ foreach($arrFile as $val){ if(!empty($arr[$val]) && is_array($arr[$val])){ foreach($arr[$val] as $v){ if(is_string($v)) { @unlink($this->arrGPic['FileSavePath'].$v); @unlink($this->arrGPic['FileSavePath'].'s/'.$v); @unlink($this->arrGPic['FileSavePath'].'b/'.$v); @unlink($this->arrGPic['FileSavePath'].'f/'.$v); } if(is_array($v)){ @unlink($this->arrGPic['FileSavePath'].$v[$val]); @unlink($this->arrGPic['FileSavePath'].'s/'.$v[$val]); @unlink($this->arrGPic['FileSavePath'].'b/'.$v[$val]); @unlink($this->arrGPic['FileSavePath'].'f/'.$v[$val]); } } }elseif(!empty($arr[$val]) && is_string($arr[$val])){ @unlink($this->arrGPic['FileSavePath'].$arr[$val]); @unlink($this->arrGPic['FileSavePath'].'s/'.$arr[$val]); @unlink($this->arrGPic['FileSavePath'].'b/'.$arr[$val]); @unlink($this->arrGPic['FileSavePath'].'f/'.$arr[$val]); } } } }else{ check::AlertExit('ID号为 '.$intInfoID.' 的记录并不存在！',-1); } $strWhere = " WHERE `id` = $intInfoID"; return $this->deleteDataG($this->tablename2,$strWhere); } ``` 可以看到，在删除的整个过程中没有对用户的属性进行判断，直接构造了$strWhere = " WHERE `id` = $intInfoID"并执行，这就造成了越权删除。而且无论哪个用户发表的各类信息，其id全都是统一从1开始编号，如果要全部删除，只要遍历就可以了，如果要删除哪条，直接删除其id对应的内容即可。 测试时，注册一个用户，访问 www.xxxx.com/trade/adminu/index.php?action=del，然后修改POST提交的内容为select[]=3,即可供求信息中id为3的供求信息删除。 ### 漏洞证明： 见 详细说明