Table of Contents
0x01 背景
0x02 环境搭建
0x03 漏洞分析
Part1:源码结构
Part2:审计过程
0x04 漏洞证明
Home Backend Development PHP Tutorial 【PHP代码审计实例教程】SQL注入-4.全局防护Bypass之二次注入

【PHP代码审计实例教程】SQL注入-4.全局防护Bypass之二次注入

Jun 23, 2016 pm 01:14 PM

0x01 背景

现在的WEB程序基本都有对SQL注入的全局过滤,像PHP开启了GPC或者在全局文件common.php上使用addslashes()函数对接收的参数进行过滤,尤其是单引号。二次注入也是一种比较常见的注入,它涉及到入库和出库。因为有全局转义所以入库的时候:

Insert into table (username) values (‘hack\’’);

这样入库后转义符就会消失变成了hack’,这样如果hack’出库被带入查询的话就会成功的引入了单引号导致注入。

漏洞来源于乌云:

http://www.wooyun.org/bugs/wooyun-2014-068362

0x02 环境搭建

看背景我们使用了低版本的74cms程序,版本为3.4(20140310)

①源码网上可以搜到,我打包了一份: http://pan.baidu.com/s/1c1mLCru

②解压到www的74cms(20140310)目录下,浏览器访问http://localhost/74cms(20140310)),然后按照提示一步步安装即可,安装遇到问题请自行百度或谷歌,成功后访问如下图:

0x03 漏洞分析

Part1:源码结构

源码的结构比较清晰,应该是审计过最清晰的结构了,主要有下面三块内容:

index.php引入了common.inc.php文件,我们跟进common.inc.php,发现了处理gpc的函数:

if (!empty($_GET)){$_GET  = addslashes_deep($_GET);}if (!empty($_POST)){$_POST = addslashes_deep($_POST);}$_COOKIE   = addslashes_deep($_COOKIE);$_REQUEST  = addslashes_deep($_REQUEST);
Copy after login

可以看到,服务端处理GET和POST请求的变量时都会做addslashes处理。

Part2:审计过程

1.首先在个人发布简历处:

elseif ($act=='make4_save'){$resume_education=get_resume_education($_SESSION['uid'],$_REQUEST['pid']);if (count($resume_education)>=6) showmsg('教育经历不能超过6条!',1,$link);$setsqlarr['uid']=intval($_SESSION['uid']);$setsqlarr['pid']=intval($_REQUEST['pid']);if ($setsqlarr['uid']==0 || $setsqlarr['pid']==0 ) showmsg('参数错误!',1);$setsqlarr['start']=trim($_POST['start'])?$_POST['start']:showmsg('请填写开始时间!',1,$link);$setsqlarr['endtime']=trim($_POST['endtime'])?$_POST['endtime']:showmsg('请填写结束时间!',1,$link);$setsqlarr['school']=trim($_POST['school'])?$_POST['school']:showmsg('请填写学校名称!',1,$link);$setsqlarr['speciality']=trim($_POST['speciality'])?$_POST['speciality']:showmsg('请填写专业名称!',1,$link);$setsqlarr['education']=trim($_POST['education'])?$_POST['education']:showmsg('请选择获得学历!',1,$link);$setsqlarr['education_cn']=trim($_POST['education_cn'])?$_POST['education_cn']:showmsg('请选择获得学历!',1,$link);    //看到这里有个插入表“qs_resume_education”的操作,将教育背景相关的字段入库    if (inserttable(table('resume_education'),$setsqlarr))    {        check_resume($_SESSION['uid'],intval($_REQUEST['pid']));
Copy after login

2.这里看到insert入库了,可以尝试加个单引号,入库后就会消除转义字符。我们先继续跟进inserttables后的check_resume函数

//检查简历的完成程度function check_resume($uid,$pid){global $db,$timestamp,$_CFG;$uid=intval($uid);$pid=intval($pid);$percent=0;$resume_basic=get_resume_basic($uid,$pid);$resume_intention=$resume_basic['intention_jobs'];$resume_specialty=$resume_basic['specialty'];//获取教育经历,出数据库了$resume_education=get_resume_education($uid,$pid);if (!empty($resume_basic))$percent=$percent+15;if (!empty($resume_intention))$percent=$percent+15;if (!empty($resume_specialty))$percent=$percent+15;if (!empty($resume_education))$percent=$percent+15;if ($resume_basic['photo_img'] && $resume_basic['photo_audit']=="1"  && $resume_basic['photo_display']=="1"){$setsqlarr['photo']=1;}else{$setsqlarr['photo']=0;}if ($percent<60){    $setsqlarr['complete_percent']=$percent;    $setsqlarr['complete']=2;}else{    $resume_work=get_resume_work($uid,$pid);    $resume_training=get_resume_training($uid,$pid);    $resume_photo=$resume_basic['photo_img'];    if (!empty($resume_work))$percent=$percent+13;    if (!empty($resume_training))$percent=$percent+13;    if (!empty($resume_photo))$percent=$percent+14;    $setsqlarr['complete']=1;    $setsqlarr['complete_percent']=$percent;    require_once(QISHI_ROOT_PATH.'include/splitword.class.php');    $sp = new SPWord();    $setsqlarr['key']=$resume_basic['intention_jobs'].$resume_basic['recentjobs'].$resume_basic['specialty'];            $setsqlarr['key']="{$resume_basic['fullname']} ".$sp->extracttag($setsqlarr['key']);    $setsqlarr['key']=str_replace(","," ",$resume_basic['intention_jobs'])." {$setsqlarr['key']} {$resume_basic['education_cn']}";    $setsqlarr['key']=$sp->pad($setsqlarr['key']);        if (!empty($resume_education))    {        //遍历教育经历所有字段,加入到数组里        foreach($resume_education as $li)        {        $setsqlarr['key']="{$li['school']} {$setsqlarr['key']} {$li['speciality']}";        }    }    $setsqlarr['refreshtime']=$timestamp;}//这里对教育经历做了次更新操作,二次注入由此产生!updatetable(table('resume'),$setsqlarr,"uid='{$uid}' AND id='{$pid}'");updatetable(table('resume_tmp'),$setsqlarr,"uid='{$uid}' AND id='{$pid}'");
Copy after login

3.我们填写一份简历简单试验下,在教育经历处学校名称字段填写aa’

保存后发现报错语句:

0x04 漏洞证明

构造获取数据库用户相关信息的POC:

查看简历发现简历姓名变成了root@localhost:

查看sql语句发现更新语句是成功执行的:

最后,有兴趣的同学可以继续获取其它的管理员账户等相关字段的信息。

原文地址:

http://www.cnbraid.com/2016/02/19/sql3/

Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Hot Tools

Notepad++7.3.1

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Explain JSON Web Tokens (JWT) and their use case in PHP APIs. Explain JSON Web Tokens (JWT) and their use case in PHP APIs. Apr 05, 2025 am 12:04 AM

JWT is an open standard based on JSON, used to securely transmit information between parties, mainly for identity authentication and information exchange. 1. JWT consists of three parts: Header, Payload and Signature. 2. The working principle of JWT includes three steps: generating JWT, verifying JWT and parsing Payload. 3. When using JWT for authentication in PHP, JWT can be generated and verified, and user role and permission information can be included in advanced usage. 4. Common errors include signature verification failure, token expiration, and payload oversized. Debugging skills include using debugging tools and logging. 5. Performance optimization and best practices include using appropriate signature algorithms, setting validity periods reasonably,

Describe the SOLID principles and how they apply to PHP development. Describe the SOLID principles and how they apply to PHP development. Apr 03, 2025 am 12:04 AM

The application of SOLID principle in PHP development includes: 1. Single responsibility principle (SRP): Each class is responsible for only one function. 2. Open and close principle (OCP): Changes are achieved through extension rather than modification. 3. Lisch's Substitution Principle (LSP): Subclasses can replace base classes without affecting program accuracy. 4. Interface isolation principle (ISP): Use fine-grained interfaces to avoid dependencies and unused methods. 5. Dependency inversion principle (DIP): High and low-level modules rely on abstraction and are implemented through dependency injection.

How to automatically set permissions of unixsocket after system restart? How to automatically set permissions of unixsocket after system restart? Mar 31, 2025 pm 11:54 PM

How to automatically set the permissions of unixsocket after the system restarts. Every time the system restarts, we need to execute the following command to modify the permissions of unixsocket: sudo...

Explain the concept of late static binding in PHP. Explain the concept of late static binding in PHP. Mar 21, 2025 pm 01:33 PM

Article discusses late static binding (LSB) in PHP, introduced in PHP 5.3, allowing runtime resolution of static method calls for more flexible inheritance.Main issue: LSB vs. traditional polymorphism; LSB's practical applications and potential perfo

How to send a POST request containing JSON data using PHP's cURL library? How to send a POST request containing JSON data using PHP's cURL library? Apr 01, 2025 pm 03:12 PM

Sending JSON data using PHP's cURL library In PHP development, it is often necessary to interact with external APIs. One of the common ways is to use cURL library to send POST�...

Framework Security Features: Protecting against vulnerabilities. Framework Security Features: Protecting against vulnerabilities. Mar 28, 2025 pm 05:11 PM

Article discusses essential security features in frameworks to protect against vulnerabilities, including input validation, authentication, and regular updates.

How to debug CLI mode in PHPStorm? How to debug CLI mode in PHPStorm? Apr 01, 2025 pm 02:57 PM

How to debug CLI mode in PHPStorm? When developing with PHPStorm, sometimes we need to debug PHP in command line interface (CLI) mode...

See all articles