ThinkSAAS SQL注入漏洞

2014-01-06T00:00:00
ID SSV:94348
Type seebug
Reporter Root
Modified 2014-01-06T00:00:00

Description

简要描述:

ThinkSAAS SQL注入漏洞

详细说明:

问题在上传附件处,/app/photo/action/do.php:

``` //上传 $arrUpload = tsUpload($_FILES['Filedata'],$photoid,'photo',array('jpg','gif','png'));

    if($arrUpload){
        $new['photo']->update('photo',array(
            'photoid'=>$photoid,
        ),array(
            'photoname'=>tsClean($arrUpload['name']),//没有过滤,导致SQL注入
            'phototype'=>tsClean($arrUpload['type']),
            'path'=>tsClean($arrUpload['path']),
            'photourl'=>tsClean($arrUpload['url']),
            'photosize'=>tsClean($arrUpload['size']),
        ));

    }

```

然后我们我们看到photoname等都没有过滤。 跟进tsUpload函数,/thinksaas/tsFunction.php:

``` function tsUpload($files, $projectid, $dir, $uptypes) { if ($files ['size'] > 0) {

    $menu2 = intval ( $projectid / 1000 );

    $menu1 = intval ( $menu2 / 1000 );

    $path = $menu1 . '/' . $menu2;

    $dest_dir = 'uploadfile/' . $dir . '/' . $path;

    createFolders ( $dest_dir );

    $arrType = explode ( '.', strtolower ( $files ['name'] ) ); // 转小写一下

    $type = array_pop ( $arrType );

    if (in_array ( $type, $uptypes )) {

        $name = $projectid . '.' . $type;

        $dest = $dest_dir . '/' . $name;

        // 先删除
        unlink ( $dest );
        // 后上传
        move_uploaded_file ( $files ['tmp_name'], mb_convert_encoding ( $dest, "gb2312", "UTF-8" ) );

        chmod ( $dest, 0777 );

        $filesize = filesize ( $dest );
        if (intval ( $filesize ) > 0) {
            return array (
                    'name' => $files ['name'],
                    'path' => $path,
                    'url' => $path . '/' . $name,
                    'type' => $type,
                    'size' => $files ['size'] 
            );
        } else {
            return false;
        }
    } else {
        return false;
    }
}

} ```

看到传入的$files ['name']没有过滤,人后就return了。 最后看看update的处理:

`` public function update($table, $conditions, $row) { $where = ""; if (empty ( $row )) return FALSE; if (is_array ( $conditions )) { $join = array (); foreach ( $conditions as $key => $condition ) { $condition = $this->escape ( $condition ); $join [] = "{$key} = {$condition}"; } $where = "WHERE " . join ( " AND ", $join ); } else { if (null != $conditions) $where = "WHERE " . $conditions; } foreach ( $row as $key => $value ) { $vals [] = "$key` = '$value'"; } $values = join ( ", ", $vals ); $sql = "UPDATE " . dbprefix . "{$table} SET {$values} {$where}";

    return $this->db->query ( $sql );
}

```

全程没有过滤,导致SQL注入。

漏洞证明:

我们在资料处,新建一个资料库。 然后再次资料库上传文件,抓包,修改文件名字为:

123.jpg',`attachtype`=user()#a.txt

或者新建一个以上面内容为文件名的文件,直接上传即可。 看看结果:

<img src="https://images.seebug.org/upload/201401/06185918f67bad88dd7626a07ab66b89440ca1e7.png" alt="w5.png" width="600" onerror="javascript:errimg(this);">

attachtype参数,即类型被修改了。