"PHP Code Audit Example Tutorial" SQL injection-3. Global Protection Bypass Base64decode

Source: Internet
Author: User

0x01 background

Today's web programs basically have a global filter for SQL injection, like PHP to open the GPC or on the global file common.php using the Addslashes () function to filter the received parameters, especially single quotes. In the same article, we need to find some encoding and decoding functions to bypass the global protection, this article describes the case of Base64decode ().

The loophole comes from dark clouds: http://www.wooyun.org/bugs/wooyun-2014-050338

0X02 Environment Construction

Look at the background we used the lower version of the Easytalk program, the version is X2.4

① source I packed a copy: Http://pan.baidu.com/s/1bopOFNL

② Extract to www easytalk directory, follow the prompts step by step installation can, encounter problems themselves Baidu or Google, after successful visits such as:

0X03 Vulnerability Analysis

First look at the source structure, with the thinkphp framework, more complex:

Interested can go to study and then continue to look down, the novice can know that the thinkphp to receive the parameters are filtered, and depending on whether your server open GPC will do the appropriate processing:

1./thinkphp/extend/library/org/util/input.class.php file Line No. 266:

/** +----------------------------------------------------------* If MAGIC_QUOTES_GPC is off, this function can escape the string +----------- -----------------------------------------------* @access public +------------------------------------------------ ----------* @param string $string strings to be processed +----------------------------------------------------------* @return string +----------------------------------------------------------*/static Public Function addslashes ($string) {    if (! GET_MAGIC_QUOTES_GPC ()) {        $string = addslashes ($string);    }    return $string;}

2. Use the global search function of the Seay code audit system to search for files containing the keyword "Base64_decode", and find SettingAction.class.php contains a place to base64_decode the received parameters Auth:

3. We followed up this PHP file and found that although the Daddslashes function was used for injection filtering, the Base64_decode function was used to transcode the parameter auth so that the filter could be bypassed to inject:

Authentication e-Mail public Function Doauth () {    $_authmsg=daddslashes ($_get[' auth '));//re-determine if GPC is open and inject filter    $authmsg = Base64_decode ($_authmsg)//base64_decode function to transcode parameters    $tem =explode (":", $authmsg),//to the decoded parameters authmsg in accordance with ":" The    $send _id= $tem [0] are divided into the array tem;    $user =m (' Users ');    $row = $user->field (' Mailadres,auth_email ')->where ("user_id= ' $send _id '")->find ();//Bring into query, in the WHERE clause, causing injection    if ($_authmsg== $row [' Auth_email ']) {        $user->where ("user_id= ' $send _id '")->setfield (' Auth_email ', 1) ;        Setcookie (' Setok ', Json_encode (' Lang ' =>l (' mail6 '), ' ico ' =>1), 0, '/');    } else {        Setcookie (' Setok ', Json_encode (' Lang ' =>l (' mail7 '), ' ico ' =>2), 0, '/');    }    Header (' Location: '. Site_url. ' /?m=setting&a=mailauth ');}

0x04 Vulnerability Proof

To construct a POC that obtains information about the database:


View SQL statement Discovery successful execution:

Found here is a blind note, and there is no output, so we use the SQL Blinds statement. Gets the first character of the current database user name that is not a POC of ' R ' (ASCII value 114):

Http://localhost/eazytalk/?m=index&a=mailactivity&auth= micgyw5kichzzwxly3qgawyokgfzy2lpkhn1ynn0cmluzygoc2vszwn0ihvzzxioksksmswxkskgpsaxmtqplhnszwvwkdupldapksm=

The page lasted 5 seconds, stating that the first character of user () was ' r ', and the view of the SQL statement found successfully executed:

Finally, interested students can write a PY script to run the blind.

Original address:


  • Related Article

    Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.