
Fix SQL injection vulnerability #237

Merged
merged 3 commits into from Jul 11, 2021

Conversation

yumusb
Contributor

@yumusb yumusb commented Jul 11, 2021

Fix the SQL injection vulnerability caused by an unvalidated IP address.

@naog

naog commented Jul 11, 2021

No wonder an administrator account was injected into my site a couple of days ago; the face-to-face payment (当面付) secret was quietly changed and I lost a little money.

@naog

naog commented Jul 11, 2021

Other users, please check your own t_admin_user and t_admin_login_log tables.
Injected sites will have a new admin user added, with an IP starting with 219.77.
Also check whether the face-to-face payment secret in your payment settings has been replaced.
Mine was replaced 3 times within two days.

@insoxin

insoxin commented Jul 11, 2021

Cannot reproduce.

@yumusb
Contributor Author

yumusb commented Jul 11, 2021

> Cannot reproduce.

Successfully reproduced.

@w7oamie

w7oamie commented Jul 11, 2021

> Fix the SQL injection vulnerability caused by an unvalidated IP address.

Boss, could you share an exp?

@yumusb
Contributor Author

yumusb commented Jul 11, 2021

Attack demo: see the screenshot. [screenshot: attack demo]

@zlkbdotnet zlkbdotnet merged commit 290c020 into zfaka-plus:master Jul 11, 2021
@w7oamie

w7oamie commented Jul 12, 2021

> Attack demo: see the screenshot. [screenshot: attack demo]

The vulnerability has been fixed; could you post an exp or logs so we can learn from it?

@yumusb
Contributor Author

yumusb commented Jul 12, 2021

> Attack demo: see the screenshot. [screenshot: attack demo]
>
> The vulnerability has been fixed; could you post an exp or logs so we can learn from it?

The patch has only just been released and the impact is significant. I'll consider releasing it later.

@w7oamie

w7oamie commented Jul 12, 2021

> Attack demo: see the screenshot. [screenshot: attack demo]
>
> The vulnerability has been fixed; could you post an exp or logs so we can learn from it?
>
> The patch has only just been released and the impact is significant. I'll consider releasing it later.

Are there any related logs you could provide for research?

@basicbh

basicbh commented Jul 12, 2021

zfaka is truly conscientious software, thumbs up!

@qishaobuluo

After upgrading, Alipay payment collection reports an error!
cURL error 35: OpenSSL SSL_connect: Connection reset by peer in connection to openapi.alipay.com:443 (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

@yumusb
Contributor Author

yumusb commented Jul 21, 2021

> After upgrading, Alipay payment collection reports an error!
> cURL error 35: OpenSSL SSL_connect: Connection reset by peer in connection to openapi.alipay.com:443 (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

This problem has no connection whatsoever to this fix. If you are really sure it is related to this fix, I suggest you revert the fix and try again.

@qishaobuluo

qishaobuluo commented Jul 21, 2021

I'm not the only one having this problem: out of 5 Alipay payments, 2 bring up the QR code and 3 error out. Many sites are seeing this, so it shouldn't be my VPS, and I also upgraded cURL but it still doesn't work. I contacted Alipay and it's not Alipay's problem either. It's probably a widespread issue. After testing, it appears to be a network problem. China Telecom's 163

@J0o1ey

J0o1ey commented Jan 2, 2022

In zfaka version 1.4.3,

application/modules/product/admin/Controllers/product/imgurlajax.php involves a SQL injection vulnerability.

I found the following section:

[screenshot: image-20210526025356848]

PDO is the default configuration, so stacked injection immediately comes to mind.

After testing, the OrderID is user-controllable. A global search for OrderID shows that OrderID is processed into a pure string by a function, and there is no room for injection, so we choose another way.

It turns out that the IP parameter is also user-controllable, and no processing is done on it before the select method is called.

The IP parameter comes from calling the getclientip method. Let's follow the getclientip method:

[screenshot: image-20210526030817917]

It is easy to see that it obtains the client IP from the common HTTP headers.

However, I am very glad that the IP parameter is not processed. We can perform stacked injection by constructing an XFF header.

Because of the CSRF_token verification, we must enter an arbitrary order number on the order query page and then the correct captcha; only then is the query valid.

Then the XFF header is manually constructed for stacked injection against PDO.

Because the PDO query is closed with double quotation marks and this is stacked injection without echo,

the payload structure is:

X-FORWARDED-For:1'; select sleep(5)#

[screenshot: image-20210526202008945]

The injection was successful after a delay of 5 s.

For this stacked injection without echo, blind injection is too slow, and dnslog OOB is too slow as well, so we choose to construct an insert statement to add a backend administrator.

Using a prepared statement:


X-FORWARDED-For:1"; set@a =0x696E7365727420696E746F20745F61646D696E5F757365722076616C7565732839392C227465737440746573742E74657374222C223736623138303766633163393134663135353838353230623038333366626333222C22373865303535222C30293B; PREPARE a FROM @a; execute a; select sleep(3);#

// Sleep is used to judge whether the injection succeeded

Successfully added a backend account with user name test@test.test, password 123456.

You can log in directly to the target backend at /Admin.
[screenshot: image-20210526202209072]
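An added illustration, not zfaka's code and not the change merged in this PR: a hypothetical PHP order lookup showing the pattern this thread describes (a proxy header taken unvalidated and concatenated into the query) beside a hardened version that honours X-Forwarded-For only from a trusted proxy, validates the address, binds it as a PDO parameter and disables emulated prepares. The function, table and column names are assumed.

```php
<?php
// Added illustration (not zfaka's code): the pattern described above and a
// hardened variant. Table and column names are assumed for the example.
declare(strict_types=1);

// Unsafe: first proxy header wins, unvalidated, then spliced into SQL.
function findOrderUnsafe(PDO $pdo, string $orderId, array $server): array
{
    $ip = $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'] ?? '';
    // query() sends this text verbatim, so a crafted header value can close
    // the quoted literal and append further statements (stacked queries).
    return $pdo->query("SELECT * FROM t_order WHERE orderid = '$orderId' AND ip = '$ip'")->fetchAll();
}

// Hardened: honour X-Forwarded-For only when the request really came through
// a trusted proxy, require a syntactically valid address, never interpolate.
function getClientIpSafe(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $candidate = $remote;
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // XFF is a comma-separated hop list; the first entry is the client.
        $candidate = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    $valid = filter_var($candidate, FILTER_VALIDATE_IP);
    return $valid === false ? '0.0.0.0' : $valid;
}

function findOrderSafe(PDO $pdo, string $orderId, array $server, array $trustedProxies): array
{
    $stmt = $pdo->prepare('SELECT * FROM t_order WHERE orderid = :oid AND ip = :ip');
    $stmt->execute([':oid' => $orderId, ':ip' => getClientIpSafe($server, $trustedProxies)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth: real server-side prepares, so a bound value can never
// become a second statement even where some other query is still concatenated.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}
```

For detection after the fact, the same validation rule can be applied to the stored ip column of t_admin_login_log: any row whose value is not a syntactically valid address was written by a request that should never have reached the database.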
