[公开漏洞]EasyTalk Sql Injection 11-15

EasyTalk Sql Injection 11-15 相关厂商： nextsns.com 漏洞作者：′ 雨。提交时间：2014-02-09 10:39 公开时间：2014-05-10 10:39 漏洞类型：SQL注射漏洞危害等级：高自评Rank：20 漏洞状态：厂商已经确认漏洞来源：http://www.wooyun.org Tags标签：无漏洞详情披露状态：

2014-02-09：细节已通知厂商并且等待厂商处理中
2014-02-09：厂商已经确认，细节仅向厂商公开
2014-02-12：细节向第三方安全合作伙伴开放
2014-02-19：细节向核心白帽子及相关领域专家公开
2014-03-01：细节向普通白帽子公开
2014-03-21：细节向实习白帽子公开
2014-05-10：细节向公众公开

简要描述：

过滤不严。

详细说明：

注入11：

在friendsaction.class.php中

public function _initialize() {

parent::init();

parent::tologin();

import("@.ORG.Page");

$this->fModel=D('Friend');

$this->uModel=D('Users');

$username=$this->_get('username');

$this->keyword=trim($this->_get('keyword'));

$this->keyword=$this->keyword==L('inputfollowaccount')?'':$this->keyword;

if (!$username || $username==$this->my['user_name']) {

$this->user=$this->my;

} else {

$this->user=$this->uModel->where("user_name='$username'")->find();

}

$username=$this->_get('username'); 未过滤

$this->user=$this->uModel->where("user_name='$username'")->find();

查询。

所执行的语句。

延时成功

注入12：

在Imaction.class.php中

public function getDayRecord() {

$uid=$_POST['user_id'];

$user=M('Users')->where("user_id='$uid'")->find();



if ($user) {

$info=getsubstr($user['user_info'],0,50);

$info=$info?$info:L('nothing_write');



$data = D('MessagesView')->where("(senduid='".$this->my['user_id']."' AND sendtouid='$uid') OR (senduid='$uid' AND sendtouid='".$this->my['user_id']."')")->order("message_id DESC")->limit(10)->select();

无过滤。$uid=$_POST['user_id'];

$user=M('Users')->where("user_id='$uid'")->find();

带入查询。

延时注入。

同文件一样的

//定时获得最新内容

public function timeResponse() {

if ($this->my['priread']>0) {

$data = D('MessagesView')->where("sendtouid='".$this->my['user_id']."' AND isread=0")->select();

if ($data) {

$aCent=A('Content');

foreach ($data as $val) {

$val['messagebody']=$aCent->ubb($val['messagebody']);

$val['sendtime']=timeop($val['sendtime']);

$newMessage[]=$val;

}

}



//标记已读

$currentuid=$_POST['currentuid'];

M('Messages')->where("senduid='$currentuid' AND sendtouid='".$this->my['user_id']."'")->setField('isread',1);

$count=M('Messages')->where("sendtouid='".$this->my['user_id']."' AND isread=0")->count();

if ($count==0) {

M('Users')->where("user_id='".$this->my['user_id']."'")->setField('priread',0);

}

        }

echo json_encode(array('newMessage'=>$newMessage));

img src="/upload/201402/061735055282f7ea9fe907392a6c191d77c96243.jpg" alt="1.jpg" />

所执行的语句

延时

注入13：

在indexaction.class.php中

public function checkreset() {

        $uModel=D('Users');



        $urldata=$_REQUEST['urldata'];

parse_str(base64_decode($urldata));//变量覆盖

        if (time()-$dateline>3600*5) {

            setcookie('setok', json_encode(array('lang'=>L('reset3'),'ico'=>2)),0,'/');//该地址已经过期，请重新“找回密码”

            header('location:'.SITE_URL.'/?m=index&a=reset');

            exit;

        } else {

            $user=$uModel->getUser("user_id='$user_id' AND user_name='$user_name' AND mailadres='$mailadres'");



            if (!$user['user_id']) {

                setcookie('setok', json_encode(array('lang'=>L('reset4'),'ico'=>2)),0,'/');//地址验证失败，请重新“找回密码”

                header('location:'.SITE_URL.'/?m=index&a=reset');

                exit;

            }

        }

time()-$dateline>3600*5 这里做了验证。

那么就直接覆盖掉$dataline 然后让他小于3600*5

就让$dataline越大越好。

$user=$uModel->getUser("user_id='$user_id' AND user_name='$user_name' AND mailadres='$mailadres'");

这里带入了查询干脆就来覆盖掉$user_id 来形成注入

这里变量覆盖。

所执行的语句

延时成功可注入

注入14：

public function showmore() {

$nowpage=$_GET['nowpage'];

$oricid=$_GET['oricid'];

$uid=$_GET['uid'];



if ($nowpage) {

$photos=M('Content')->where("user_id='$uid' AND FIND_IN_SET('p',filetype)")->order('content_id ASC')->limit(($nowpage*9-9).',9')->select();

if ($photos) {

如果$nowpage 为true 则带入查询无过滤。

SELECT * FROM `et_content` WHERE user_id='aa' AND FIND_IN_SET('p',filetype) ORDER BY content_id ASC LIMIT 1098,9

所执行的语句构造之

PHUY61@KJRJOZDOXB%D{DZC.jpg

Success。

注入15：

在spaceaction.class.php中

public function home(){

        $cview=D('ContentView');

        $t=$_GET['t']?$_GET['t']:'a';

        $type=$_GET['type']?$_GET['type']:'home';

        $group=$_GET['group']?$_GET['group']:'0';

        $gid=$_GET['gid'];

        $hq=$_GET['hq'];//无过滤

        $dt=$_GET['dt'];



        //搜索条件

        $condition=' AND replyid=0';

if (in_array($t,array('p','m','v'))) {

$condition=" AND FIND_IN_SET('{$t}',filetype)";

} else if ($t=='o') {

            $condition=' AND retid=0';

        } else if ($t=='r') {

            $condition=' AND retid!=0';

        }

        if ($hq) {//关键词搜索

            $condition.=' AND content_body LIKE "%'.$hq.'%"';

        }

        if ($dt) {//时间搜索

            $stime=strtotime($dt.' 00:00:00');

            $condition.=' AND posttime>='.$stime.' AND posttime<='.($stime+86400);

带入条件。

if ($hq) {//关键词搜索

$condition.=' AND content_body LIKE "%'.$hq.'%"';

然后查询。

执行的时候

SELECT Content.content_id AS content_id,Content.content_body AS content_body,Content.posttime AS posttime,Content.type AS type,Content.filetype AS filetype,Content.retid AS retid,Content.replyid AS replyid,Content.replytimes AS replytimes,Content.zftimes AS zftimes,Content.pinbi AS pinbi,Content.zhiding AS zhiding,Content.praisetimes AS praisetimes,Plugins.name AS appname,Plugins.directory AS directory,Plugins.available AS available,Plugins.type AS apptype,Users.user_id AS user_id,Users.user_name AS user_name,Users.nickname AS nickname,Users.user_head AS user_head,Users.user_auth AS user_auth,Users.provinceid AS provinceid,Users.cityid AS cityid FROM et_content Content ignore index(replyid) LEFT JOIN et_plugins Plugins ON Content.type=Plugins.directory LEFT JOIN et_users Users ON Content.user_id=Users.user_id LEFT JOIN et_friend Friend ON Content.user_id=Friend.fid_jieshou AND Friend.fid_fasong=2 WHERE (Content.user_id='2' OR fid_fasong='2') AND replyid=0 AND content_body LIKE "%a%" ORDER BY Content.posttime DESC LIMIT 0,20

构造一下