PHPYUN最新版SQL注入二处（绕过防御）

### 简要描述： PHPYUN最新版（phpyun_v3.1.0604_gbk）SQL注入二处，无视GPC（绕过防御） ### 详细说明： PHPYUN最新版（phpyun_v3.1.0604_gbk）SQL注入二处 第一处SQL注入： 文件/member/model/com.class.php ``` function job(){ if($_GET['p_uid']){ $data['p_uid']=(int)$_GET['p_uid']; $data['inputtime']=mktime(); $data['c_uid']=$this->uid; $data['usertype']=$_COOKIE['usertype']; $haves=$this->obj->DB_select_once("blacklist","`p_uid`=".$data['c_uid']." and `c_uid`=".$data['c_uid']." and `usertype`=".$data['usertype'].""); if(is_array($haves)){ $this->obj->layer_msg("该用户已在您黑名单中！",8,0,$_SERVER['HTTP_REFERER']); }else{ $nid=$this->obj->insert_into("blacklist",$data); $num=$this->obj->DB_select_num("userid_job","`uid`=".$data['p_uid']." and `com_id`=".$data['c_uid'].""); $this->obj->DB_delete_all("userid_job","`uid`=".$data['p_uid']." and `com_id`=".$data['c_uid'].""," "); $this->obj->DB_update_all("member_statis","`sq_jobnum`=`sq_jobnum`-$num","`uid`='".$data['p_uid']."'"); $nid?$this->layer_msg('删除成功！',9,0,$_SERVER['HTTP_REFERER']):$this->layer_msg('删除失败！',8,0,$_SERVER['HTTP_REFERER']); } } ``` $data['usertype']=$_COOKIE['usertype']; 这里没有经过任何包含直接进入了DB_select_once 跟进DB_select_once函数： ``` function DB_select_once($tablename, $where = 1, $select = "*") { $cachename=$tablename.$where; if(!$return=$this->Memcache_set($cachename)){ $SQL = "SELECT $select FROM " . $this->def . $tablename . " WHERE $where limit 1"; $query = $this->db->query($SQL); $return=$this->db->fetch_array($query); $this->Memcache_set($cachename,$return); } return $return; } ``` 依然没有处理，所以，这里导致注入。 第二处SQL注入 文件/member/model/com.class.php ``` function job(){ ...... if($_GET['r_uid']){ if($_GET['r_reason']=="") { $this->obj->ACT_layer_msg("举报内容不能为空！",8,"index.php?c=down"); } $data['p_uid']=(int)$_GET['r_uid']; $data['inputtime']=mktime(); $data['c_uid']=$this->uid; $data['eid']=$_GET['eid']; $data['r_name']=$_GET['r_name']; $data['usertype']=$_COOKIE['usertype']; $data['username']=$this->username; $data['r_reason']=$_GET['r_reason']; $haves=$this->obj->DB_select_once("report","`p_uid`=".$data['p_uid']." and `c_uid`=".$data['c_uid']." and `usertype`=".$data['usertype']."","id"); if(is_array($haves)) { $this->obj->ACT_layer_msg("您已经举报过该用户！",8,"index.php?c=down"); }else{ $nid=$this->obj->insert_into("report",$data); $nid?$this->obj->ACT_layer_msg("操作成功！",9,"index.php?c=down"):$this->obj->ACT_layer_msg("操作失败！",8,"index.php?c=down"); } } ``` 也是$data['usertype']=$_COOKIE['usertype']; 没有经过任何保护，直接进入了SQL语句 因为PHPYUN使用了360webscan的规则等一些防御措施 文件/data/db.safety.php： ``` function gpc2sql($str) { if(preg_match("/select|insert|update|delete|union|into|load_file|outfile/is", $str)) { exit(safe_pape()); } $arr=array(" and "=>" an d "," or "=>" Ｏr ","%20"=>"","select"=>"Ｓelect","update"=>"Ｕpdate","count"=>"Ｃount","chr"=>"Ｃhr","truncate"=>"Ｔruncate","union"=>"Ｕnion","delete"=>"Ｄelete","insert"=>"Ｉnsert"); foreach($arr as $key=>$v){ $str = preg_replace('/'.$key.'/isU',$v,$str); } return $str; } function safesql($StrFiltKey,$StrFiltValue,$type){ $getfilter = "\\<.+javascript:window\\[.{1}\\\\x|<.*=(&#\\d+?;?)+?>|<.*(data|src)=data:text\\/html.*>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\(|benchmark\s*?\\(\d+?|sleep\s*?\\([\d\.]+?\\)|load_file\s*?\\()|<[a-z]+?\\b[^>]*?\\bon([a-z]{4,})\s*?=|^\\+\\/v(8|9)|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT(\\(.+\\)|\\s+?.+?)|UPDATE(\\(.+\\)|\\s+?.+?)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)(\\(.+\\)|\\s+?.+?\\s+?)FROM(\\(.+\\)|\\s+?.+?)|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; $postfilter = "<.*=(&#\\d+?;?)+?>|<.*data=data:text\\/html.*>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\(|benchmark\s*?\\(\d+?|sleep\s*?\\([\d\.]+?\\)|load_file\s*?\\()|<[^>]*?\\b(onerror|onmousemove|onload|onclick|onmouseover)\\b|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT(\\(.+\\)|\\s+?.+?)|UPDATE(\\(.+\\)|\\s+?.+?)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)(\\(.+\\)|\\s+?.+?\\s+?)FROM(\\(.+\\)|\\s+?.+?)|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; $cookiefilter = "benchmark\s*?\\(\d+?|sleep\s*?\\([\d\.]+?\\)|load_file\s*?\\(|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT(\\(.+\\)|\\s+?.+?)|UPDATE(\\(.+\\)|\\s+?.+?)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)(\\(.+\\)|\\s+?.+?\\s+?)FROM(\\(.+\\)|\\s+?.+?)|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; ``` 像 and 1=1等这些会被过滤 那么使用/**/and 1+1=1和/**/and 1+1=2就能搞定了 ### 漏洞证明： 我们以第二个SQL注入为例： 通过代码逻辑我们知道，当返回错误时，进入insert_into操作，会返回信息：“操作成功！”或者“操作成功！” [<img src="https://images.seebug.org/upload/201406/101120347f28828b5a814f772e432204b98beac5.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/101120347f28828b5a814f772e432204b98beac5.png) [<img src="https://images.seebug.org/upload/201406/10112154b7e5a80f9a314c9035845d36c1d8a13d.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/10112154b7e5a80f9a314c9035845d36c1d8a13d.png) 当返回为真时，会返回信息：“您已经举报过该用户！” [<img src="https://images.seebug.org/upload/201406/1011205069c968b730d8a89c1bbabac207e65208.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/1011205069c968b730d8a89c1bbabac207e65208.png) 通过一直遍历char值得到user（）的第一位字符为r 继续遍历得到user（）=root