Thinksaas SQL注入#3

2013-12-19T00:00:00
ID SSV:94354
Type seebug
Reporter Root
Modified 2013-12-19T00:00:00

Description

简要描述:

Thinksaas SQL注入#3

详细说明:

在Thinksaas 的小组功能处,发完贴后,可以补贴。 在编辑补贴时,过滤不完整,导致SQL注入,直接可以注入出数据,显示到帖子内容中。 /app/group/action/after.php文件,在边编辑补贴内容时:

``` //编辑执行 case "edo":

            if($_POST['token'] != $_SESSION['token']) {
                    tsNotice('非法操作!');
            }

            $afterid = intval($_POST['afterid']);

            $strAfter = $new['group']->find('group_topic_add',array(
                    'id'=>$afterid,
            ));

            if($strAfter['userid'] == $userid || $TS_USER['user']['isadmin']==1){

                    $content = tsClean($_POST['content']);
                    $title = tsClean($_POST['title']);

                    //过滤内容开始
                    aac('system')->antiWord($title);
                    aac('system')->antiWord($content);
                    //过滤内容结束

                    $new['group']->update('group_topic_add',array(
                            'id'=>$afterid,
                    ),array(
                            'title'=>$title,
                            'content'=>$content,
                            'uptime'=>time(),
                    ));

```

利用tsClean函数过滤,/thinksaas/tsFunction.php:

/** * 过滤脚本代码 * @param unknown $text * @return mixed */ function cleanJs($text) { $text = trim ( $text ); $text = stripslashes ( $text ); // 完全过滤注释 $text = preg_replace ( '/<!--?.*-->/', '', $text ); // 完全过滤动态代码 $text = preg_replace ( '/<\?|\?>/', '', $text ); // 完全过滤js $text = preg_replace ( '/<script?.*\/script>/', '', $text ); // 过滤多余html $text = preg_replace ( '/<\/?(html|head|meta|link|base|body|title|style|script|form|iframe|frame|frameset)[^><]*>/i', '', $text ); // 过滤on事件lang js while ( preg_match ( '/(<[^><]+)(lang|onfinish|onmouse|onexit|onerror|onclick|onkey|onload|onchange|onfocus|onblur)[^><]+/i', $text, $mat ) ) { $text = str_replace ( $mat [0], $mat [1], $text ); } while ( preg_match ( '/(<[^><]+)(window\.|javascript:|js:|about:|file:|document\.|vbs:|cookie)([^><]*)/i', $text, $mat ) ) { $text = str_replace ( $mat [0], $mat [1] . $mat [3], $text ); } return $text; } /** * 输入安全过滤 * @param unknown $text * @return mixed */ function tsClean($text) { $text = cleanJs ( $text ); return $text; }

只是过滤了JS内容,然后带入update语句:

`` public function update($table, $conditions, $row) { $where = ""; if (empty ( $row )) return FALSE; if (is_array ( $conditions )) { $join = array (); foreach ( $conditions as $key => $condition ) { $condition = $this->escape ( $condition ); $join [] = "{$key} = {$condition}"; } $where = "WHERE " . join ( " AND ", $join ); } else { if (null != $conditions) $where = "WHERE " . $conditions; } foreach ( $row as $key => $value ) { $vals [] = "$key` = '$value'"; } $values = join ( ", ", $vals ); $sql = "UPDATE " . dbprefix . "{$table} SET {$values} {$where}";

            return $this->db->query ( $sql );
    }

```

我们输入的内容带入了update的row中,没有过滤,导致sql注入。

漏洞证明:

先发一个帖子,然后跟一个补贴。 在来编辑方才跟的那个补贴内容:

<img src="https://images.seebug.org/upload/201312/191620278706f21c0c12b9ddfb92ffc9fbcd1ea9.png" alt="1.png" width="600" onerror="javascript:errimg(this);">

看看数据库的执行日志:

<img src="https://images.seebug.org/upload/201312/19162038d95948f61687eb1f02dbaa0214ab0bf7.png" alt="2.png" width="600" onerror="javascript:errimg(this);">

再来看我们跟的那个补贴的内容发生的变化:

<img src="https://images.seebug.org/upload/201312/191620458eb1480782780adea0c5184c4a798694.png" alt="3.png" width="600" onerror="javascript:errimg(this);">

成功注入。