|ThinkSNS水平权限问题 - VULHUB开源网络安全威胁库

ThinkSNS水平权限问题

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### 简要描述： ThinkSNS某处存在水平权限问题，未对用户的操作进行权限认证，导致越权访问，删除任意用户信息 ### 详细说明：看过之前乌云白帽子发的关于水平权限的问题，貌似很多。重新看了下，好多都没修复。发个没有重复的。测试版本：4.18号官网下载的版本。漏洞文件：/thinksns/apps/weba/Lib/Action/GroupAction.class.php 说明，index文件应该是group文件的完善更新版？代码： ``` /** * 执行编辑帖子 * @return void */ //水平权限缺陷02 public function doPostEdit(){ // echo 2;die; $checkContent = str_replace(' ', '', $_POST['content']); $checkContent = str_replace('<br />', '', $checkContent); $checkContent = str_replace('<p>', '', $checkContent); $checkContent = str_replace('</p>', '', $checkContent); $checkContents = preg_replace('/<img(.*?)src=/i','img',$checkContent); $checkContents = preg_replace('/<embed(.*?)src=/i','img',$checkContents); if(strlen(t($_POST['title']))==0) $this->error('帖子标题不能为空'); if(strlen(t($checkContents))==0) $this->error('帖子内容不能为空'); preg_match_all('/./us', t($_POST['title']), $match); if(count($match[0])>30){ //汉字和字母都为一个字 $this->error('帖子标题不能超过30个字'); } $post_id = intval($_POST['post_id']); $data['title'] = t($_POST['title']); $data['content'] = h($_POST['content']); $res = D('weiba_post')->where('post_id='.$post_id)->save($data);//直接提交post_id即可编辑任意帖子，未进行权限认证 if($res!==false){ $post_detail = D('weiba_post')->where('post_id='.$post_id)->find(); if(intval($_POST['log'])==1){ D('log')->writeLog($post_detail['weiba_id'],$this->mid,'编辑了帖子“<a href="'.U('weiba/Index/postDetail',array('post_id'=>$post_id)).'" target="_blank">'.$post_detail['title'].'</a>”','posts'); } //同步到微博 $feedInfo = D('feed_data')->where('feed_id='.$post_detail['feed_id'])->find(); $datas = unserialize($feedInfo['feed_data']); $datas['content'] = '【'.$data['title'].'】'.getShort(t($checkContent),100).' '; $datas['body'] = $datas['content']; $data1['feed_data'] = serialize($datas); $data1['feed_content'] = $datas['content']; $feed_id = D('feed_data')->where('feed_id='.$post_detail['feed_id'])->save($data1); model('Cache')->rm('fd_'.$post_detail['feed_id']); return $this->ajaxReturn($post_id, '编辑成功', 1); }else{ $this->error('编辑失败'); } } ``` 其中doPostEdit操作未对权限认证，导致可以修改微吧里的任意帖子起始状态如下 [<img src="https://images.seebug.org/upload/201405/10014537f2d631355cdb66699f51b4111fc8449d.png" alt="4a32db82-5beb-4b4d-92bc-ec3dcf2724bc.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/10014537f2d631355cdb66699f51b4111fc8449d.png) 数据库信息为 [<img src="https://images.seebug.org/upload/201405/10014620199e99e317533fa19f8fa849df9c1d44.png" alt="3d360691-fab6-4f95-831a-44b176454bcf.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/10014620199e99e317533fa19f8fa849df9c1d44.png) post_id=5内容为test02的，post_id=4内容为test01的 test02修改自己的帖子，拦截post请求如下 [<img src="https://images.seebug.org/upload/201405/10014824960736297688e7f90f639157268c3b82.png" alt="463f10fa-81bd-48ee-8954-893cd81568b6.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/10014824960736297688e7f90f639157268c3b82.png) 修改test01的帖子，即post_id=4如图 [<img src="https://images.seebug.org/upload/201405/10014917741f59660496bf968b25fde2688e7846.png" alt="212c021c-3c89-4168-b6f8-e1d687573743.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/10014917741f59660496bf968b25fde2688e7846.png) 结果为 [<img src="https://images.seebug.org/upload/201405/10015005534e8243ea67e987cdf6eefb3d1f6b46.png" alt="2cdb4753-10a7-4b22-ba02-052d1c9c83fa.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/10015005534e8243ea67e987cdf6eefb3d1f6b46.png) 同时有删除任意帖子的漏洞（白帽之前提交的未修复， [WooYun: ThinkSNS SQL注入及越权](http://www.wooyun.org/bugs/wooyun-2014-050671) ）代码： ``` /** * 删除帖子 * @return void */ public function postDel(){ $post_id = intval($_POST['post_id']);//修复了注入问题 // 水平权限缺陷01 if(D('weiba_post')->where('post_id='.$post_id)->setField('is_del',1)){ if(intval($_POST['log'])==1){ $post_detail = D('weiba_post')->where('post_id='.$post_id)->find(); D('log')->writeLog($post_detail['weiba_id'],$this->mid,'删除了帖子“'.$post_detail['title'].'”','posts'); } D('weiba')->where('weiba_id='.intval($_POST['weiba_id']))->setDec('thread_count'); echo 1; } } ``` 初始状态： [<img src="https://images.seebug.org/upload/201405/10015226ef50812184f3d6ede950a3d2afaca5e3.png" alt="4d3a04d0-61bf-4eb9-99c3-b2cafbcf40fd.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/10015226ef50812184f3d6ede950a3d2afaca5e3.png) 越权删除test01的帖子 [<img src="https://images.seebug.org/upload/201405/1001524992158313012e3aff5a7a29d795b5cc29.png" alt="7b26c96c-b689-4b6a-98fc-a715904f6f87.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/1001524992158313012e3aff5a7a29d795b5cc29.png) 结果为 [<img src="https://images.seebug.org/upload/201405/10015336fc1b6db0018a3f29ee973fc2c7ee25bc.png" alt="5972993a-9f53-420a-9a91-01d0ebcab7b5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/10015336fc1b6db0018a3f29ee973fc2c7ee25bc.png) ### 漏洞证明：如上详细描述。同时/thinksns/apps/weba/Lib/Action/LogAction.class.php文件中多处，也未修复（之前白帽白帽提交的 [WooYun: ThinkSNS某功能平行权限3](http://www.wooyun.org/bugs/wooyun-2014-049172) ）。

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™