ThinkSAAS SQL注入#6

2013-12-23T00:00:00
ID SSV:94350
Type seebug
Reporter Root
Modified 2013-12-23T00:00:00

Description

简要描述:

ThinkSAAS SQL注入#6

详细说明:

thinksaas在添加标签处,由于不完全的过滤,以及特殊的构造拼接导致sql注入。 在/app/tag/action/add.php文件:

``` case "do": $objname = t($_POST['objname']); $idname = t($_POST['idname']); $objid = intval($_POST['objid']); $tags = t($_POST['tags']);

            $new['tag']->addTag($objname,$idname,$objid,$tags);
            tsNotice('标签添加成功!');
            break;

```

注意这里的$objname参数。然后,跟进t函数:

``` function t($text) { $text = preg_replace ( '/[.?]/is', '', $text ); $text = cleanJs ( $text ); // 彻底过滤空格BY QINIAO $text = preg_replace ( '/\s(?=\s)/', '', $text ); $text = preg_replace ( '/[\n\r\t]/', ' ', $text ); $text = str_replace ( ' ', ' ', $text ); // $text = str_replace ( ' ', '', $text ); $text = str_replace ( ' ', '', $text ); $text = str_replace ( '&', '', $text ); $text = str_replace ( '=', '', $text ); $text = str_replace ( '-', '', $text ); $text = str_replace ( '#', '', $text ); $text = str_replace ( '%', '', $text ); $text = str_replace ( '!', '', $text ); $text = str_replace ( '@', '', $text ); $text = str_replace ( '^', '', $text ); $text = str_replace ( '', '', $text ); $text = str_replace ( 'amp;', '', $text ); $text = str_replace ( 'position', '', $text );

    $text = strip_tags ( $text );
    $text = htmlspecialchars ( $text );
    $text = str_replace ( "'", "", $text );
    return $text;

} ```

然后,跟进addTag函数:

``` $tagIdCount = $this->findCount("tag_".$objname."_index",array( 'tagid'=>$tagData['tagid'], ));

                                            $count_obj = "count_".$objname;

                                            $this->update('tag',array(
                                                    'tagid'=>$tagData['tagid'],
                                            ),array(
                                                    $count_obj=>$tagIdCount,
                                                    'uptime'=>$uptime,
                                            ));

```

看到这里的$objname参数带入了$count_obj中,然后进入了sql语句update中。

`` public function update($table, $conditions, $row) { $where = ""; if (empty ( $row )) return FALSE; if (is_array ( $conditions )) { $join = array (); foreach ( $conditions as $key => $condition ) { $condition = $this->escape ( $condition ); $join [] = "{$key} = {$condition}"; } $where = "WHERE " . join ( " AND ", $join ); } else { if (null != $conditions) $where = "WHERE " . $conditions; } foreach ( $row as $key => $value ) { $vals [] = "$key` = '$value'"; } $values = join ( ", ", $vals ); $sql = "UPDATE " . dbprefix . "{$table} SET {$values} {$where}";

            return $this->db->query ( $sql );
    }

```

这里在处理sql语句时,在key上使用了反引号。 而这里的key使我们输入的$objname参数拼接起来的,正好从上面的过滤来看,没有过滤掉反引号。 导致在key这里造成注入。

漏洞证明:

构造请求,在$objname处添加反引号,查看sql执行日志:

<img src="https://images.seebug.org/upload/201312/23180410301c0680b7bf779f62c2efefdecf408e.png" alt="2.png" width="600" onerror="javascript:errimg(this);">

反引号被成功带入到了update时的key中。