YouYaX_V5.66 SQL注入漏洞(官网躺枪)

  • A+
所属分类:漏洞时代
摘要

/Lib/MessageAction.php行94[php]
public function delMesses()
{
$user = $_SESSION[‘youyax_user’];
if ($user == “” || $user == null)
$this->redirect(“Index” . C(‘default_url’) . “index” . C(‘static_url’));
for ($k = 0; $k < count($_POST[‘cb’]); $k++) {
$id = $_POST[‘cb’][$k];
$result = $this->find(C(‘db_prefix’) . “message”, ‘string’, “mto='” . $_SESSION[‘youyax_user’] . “‘ and id='” . $id . “‘”);
if ($result) {
$this->delete(C(‘db_prefix’) . “message”, “mto='” . $_SESSION[‘youyax_user’] . “‘ and id='” . $id . “‘”);
}
}
$this->assign(‘jumpurl’, $this->youyax_url . “/Message” . C(‘default_url’) . “show” . C(‘static_url’))->assign(‘msgtitle’, ‘操作成功’)->assign(‘message’, ‘消息已删除!’)->success();
}
[/php]


漏洞作者: 索马里的海贼

/Lib/MessageAction.php行94

<br /> public function delMesses()<br /> {<br /> $user = $_SESSION['youyax_user'];<br /> if ($user == "" || $user == null)<br /> $this->redirect("Index" . C('default_url') . "index" . C('static_url'));<br /> for ($k = 0; $k < count($_POST['cb']); $k++) {<br /> $id = $_POST['cb'][$k];<br /> $result = $this->find(C('db_prefix') . "message", 'string', "mto='" . $_SESSION['youyax_user'] . "' and id='" . $id . "'");<br /> if ($result) {<br /> $this->delete(C('db_prefix') . "message", "mto='" . $_SESSION['youyax_user'] . "' and id='" . $id . "'");<br /> }<br /> }<br /> $this->assign('jumpurl', $this->youyax_url . "/Message" . C('default_url') . "show" . C('static_url'))->assign('msgtitle', '操作成功')->assign('message', '消息已删除!')->success();<br /> }<br />

 

$id = $_POST['cb'][$k];未过滤直接进了$this->find();

 

来看find()
/ORG/YouYa.php行356

<br /> public function find($table, $ext = "string", $param)<br /> {<br /> //在 param 中寻找与给定的正则表达式 pattern 所匹配的子串<br /> if (preg_match_all("/=/", $param, $tmp)) {<br /> $sql = "select * from " . $table . " where " . $param;<br /> } else {<br /> $param = "id=".intval($param);<br /> $sql = "select * from " . $table . " where " . $param;<br /> }<br /> $result = mysql_query($sql);<br />

 

只要$parm里面有“=” 就不会intval了,这个点一样没输出 只能基于时间注入 跟
WooYun: YouYaX_V5.47 SQL注入漏洞(官网躺枪) 这个一样
附送一个鸡肋的本地文件包含
/ORG/YouYa.php 行107

 

<br /> private function deal($tp)<br /> {<br /> if (isset($_COOKIE['youyax_lang'])) {<br /> $this->lang = require("lang/" . $_COOKIE['youyax_lang'] . "/lang.php"); //不太安全吧<br /> $this->array_array['lang'] = $this->lang;<br />

 

在当前mysql用户有file权限 但是对web目录不可写的情况下,可以用注入写一个lang.php到/tmp 然后设置cookie youyax_lang为../../../tmp 就可以成功包含shell了

 POST http://bbs.youyax.com/Message-delMesses.aspx HTTP/1.1 Host: bbs.youyax.com dropdown=del&cb[]=1'  就能看到报错信息  具体注入方法与 WooYun: YouYaX_V5.47 SQL注入漏洞(官网躺枪) 一致就不用sqlmap来演示了 

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: