ThinkSNS水平权限问题

2014-05-10T00:00:00
ID SSV:94257
Type seebug
Reporter Root
Modified 2014-05-10T00:00:00

Description

简要描述:

ThinkSNS某处存在水平权限问题,未对用户的操作进行权限认证,导致越权访问,删除任意用户信息

详细说明:

看过之前乌云白帽子发的关于水平权限的问题,貌似很多。重新看了下,好多都没修复。发个没有重复的。测试版本:4.18号官网下载的版本。 漏洞文件:/thinksns/apps/weba/Lib/Action/GroupAction.class.php 说明,index文件应该是group文件的完善更新版? 代码:

/** * 执行编辑帖子 * @return void */ //水平权限缺陷02 public function doPostEdit(){ // echo 2;die; $checkContent = str_replace(' ', '', $_POST['content']); $checkContent = str_replace('<br />', '', $checkContent); $checkContent = str_replace('<p>', '', $checkContent); $checkContent = str_replace('</p>', '', $checkContent); $checkContents = preg_replace('/<img(.*?)src=/i','img',$checkContent); $checkContents = preg_replace('/<embed(.*?)src=/i','img',$checkContents); if(strlen(t($_POST['title']))==0) $this->error('帖子标题不能为空'); if(strlen(t($checkContents))==0) $this->error('帖子内容不能为空'); preg_match_all('/./us', t($_POST['title']), $match); if(count($match[0])>30){ //汉字和字母都为一个字 $this->error('帖子标题不能超过30个字'); } $post_id = intval($_POST['post_id']); $data['title'] = t($_POST['title']); $data['content'] = h($_POST['content']); $res = D('weiba_post')->where('post_id='.$post_id)->save($data);//直接提交post_id即可编辑任意帖子,未进行权限认证 if($res!==false){ $post_detail = D('weiba_post')->where('post_id='.$post_id)->find(); if(intval($_POST['log'])==1){ D('log')->writeLog($post_detail['weiba_id'],$this->mid,'编辑了帖子“<a href="'.U('weiba/Index/postDetail',array('post_id'=>$post_id)).'" target="_blank">'.$post_detail['title'].'</a>”','posts'); } //同步到微博 $feedInfo = D('feed_data')->where('feed_id='.$post_detail['feed_id'])->find(); $datas = unserialize($feedInfo['feed_data']); $datas['content'] = '【'.$data['title'].'】'.getShort(t($checkContent),100).' '; $datas['body'] = $datas['content']; $data1['feed_data'] = serialize($datas); $data1['feed_content'] = $datas['content']; $feed_id = D('feed_data')->where('feed_id='.$post_detail['feed_id'])->save($data1); model('Cache')->rm('fd_'.$post_detail['feed_id']); return $this->ajaxReturn($post_id, '编辑成功', 1); }else{ $this->error('编辑失败'); } }

其中doPostEdit操作未对权限认证,导致可以修改微吧里的任意帖子 起始状态如下

<img src="https://images.seebug.org/upload/201405/10014537f2d631355cdb66699f51b4111fc8449d.png" alt="4a32db82-5beb-4b4d-92bc-ec3dcf2724bc.png" width="600" onerror="javascript:errimg(this);">

数据库信息为

<img src="https://images.seebug.org/upload/201405/10014620199e99e317533fa19f8fa849df9c1d44.png" alt="3d360691-fab6-4f95-831a-44b176454bcf.png" width="600" onerror="javascript:errimg(this);">

post_id=5内容为test02的,post_id=4内容为test01的 test02修改自己的帖子,拦截post请求如下

<img src="https://images.seebug.org/upload/201405/10014824960736297688e7f90f639157268c3b82.png" alt="463f10fa-81bd-48ee-8954-893cd81568b6.png" width="600" onerror="javascript:errimg(this);">

修改test01的帖子,即post_id=4如图

<img src="https://images.seebug.org/upload/201405/10014917741f59660496bf968b25fde2688e7846.png" alt="212c021c-3c89-4168-b6f8-e1d687573743.png" width="600" onerror="javascript:errimg(this);">

结果为

<img src="https://images.seebug.org/upload/201405/10015005534e8243ea67e987cdf6eefb3d1f6b46.png" alt="2cdb4753-10a7-4b22-ba02-052d1c9c83fa.png" width="600" onerror="javascript:errimg(this);">

同时有删除任意帖子的漏洞(白帽之前提交的未修复, WooYun: ThinkSNS SQL注入及越权 ) 代码:

``` /* * 删除帖子 * @return void / public function postDel(){ $post_id = intval($_POST['post_id']);//修复了注入问题 // 水平权限缺陷01

    if(D('weiba_post')-&gt;where('post_id='.$post_id)-&gt;setField('is_del',1)){
        if(intval($_POST['log'])==1){
            $post_detail = D('weiba_post')-&gt;where('post_id='.$post_id)-&gt;find();
            D('log')-&gt;writeLog($post_detail['weiba_id'],$this-&gt;mid,'删除了帖子“'.$post_detail['title'].'”','posts');
        }
        D('weiba')-&gt;where('weiba_id='.intval($_POST['weiba_id']))-&gt;setDec('thread_count');
        echo 1;
    }
}

```

初始状态:

<img src="https://images.seebug.org/upload/201405/10015226ef50812184f3d6ede950a3d2afaca5e3.png" alt="4d3a04d0-61bf-4eb9-99c3-b2cafbcf40fd.png" width="600" onerror="javascript:errimg(this);">

越权删除test01的帖子

<img src="https://images.seebug.org/upload/201405/1001524992158313012e3aff5a7a29d795b5cc29.png" alt="7b26c96c-b689-4b6a-98fc-a715904f6f87.png" width="600" onerror="javascript:errimg(this);">

结果为

<img src="https://images.seebug.org/upload/201405/10015336fc1b6db0018a3f29ee973fc2c7ee25bc.png" alt="5972993a-9f53-420a-9a91-01d0ebcab7b5.png" width="600" onerror="javascript:errimg(this);">

漏洞证明:

如上详细描述。 同时/thinksns/apps/weba/Lib/Action/LogAction.class.php文件中多处,也未修复(之前白帽白帽提交的 WooYun: ThinkSNS某功能平行权限3 )。