"PHP code Audit" Those years we dug together SQL injection-7. Global Protection Blind Spot summary


0x01 Background

Most current web applications defend against SQL injection by checking whether magic_quotes_gpc is on and, if it is not, running addslashes() over the request data to escape single quotes and other special characters. Protection that consists of nothing more than this leaves many blind spots: the classic integer parameter that is inserted into the query unquoted; array keys that reach the query without ever being filtered; and a global filter that covers $_GET and $_POST but not $_SERVER or $_COOKIE, so that those inputs can still inject. The application therefore looks globally protected while actually hiding a number of "back doors".
The blind spots are as follows:
① An injection point such as id=1, where the parameter is an integer, ignores the GPC filter completely;
② An injection point inside a key/value pair: only the value is checked, the key is not protected by the filter at all;
③ Sometimes the global filter only covers $_GET, $_POST and $_COOKIE and does not filter $_SERVER.
Commonly abused $_SERVER variables (look up their exact meaning yourself): QUERY_STRING, HTTP_X_FORWARDED_FOR, HTTP_CLIENT_IP, HTTP_HOST, HTTP_ACCEPT_LANGUAGE.

0x02 Environment setup

Please search for and build the test environment yourself. Starting with this article, only the analysis is given; no vulnerable test environment is provided.

0x03 Vulnerability analysis

Numeric injection that ignores the GPC filter completely. Summarizing it carefully, there is actually quite a lot worth learning here.

1. The incoming parameter is not converted with intval, and the SQL statement it is built into has no single-quote protection

This is still fairly common; the original author dug up a few. WooYun case: http://www.wooyun.org/bugs/wooyun-2010-065605

<?php
require_once "Admin/common.php";
require_once (MOBAN_PATH_QZ . "Header.html");
// typeid is never cast to an integer (no intval)
$typeid = isset($_GET['typeid']) ? $_GET['typeid'] : 1;
// the SQL concatenates it without single quotes, so addslashes() has nothing to escape
$type = $db->fetch_array(mysql_query($sql = "select * from " . $db->tablepre . "newstype where newstypeid=" . $typeid)); // the typeid parameter is injectable, numeric type
?>

POC that obtains the administrator account and password (the UNION part of the payload):

SELECT NULL,(select concat(username,0x23,password) from jdy_admin limit 1),NULL,

2. The same parameter is single-quoted in the first SQL statement, but the quotes are forgotten in the second

I was lucky enough to come across this kind of problem in a Discuz! product; full credit to the WooYun expert who reported it: http://www.wooyun.org/bugs/wooyun-2014-079045
A brief analysis of the principle behind the vulnerability. The first SQL statement that $itemid is passed into is as follows:

$query = $_SGLOBAL['db']->query('SELECT * FROM '.tname('spacetags').' WHERE itemid=\''.$itemid.'\' AND status=\''.$status.'\'');

Here $itemid is single-quoted and used in a SELECT; the DELETE below runs only if this query returns rows, otherwise it is skipped. In the database itemid is stored as an int, so the intent is that only a numeric value can find a row, and anything that is not a number finds nothing and never reaches the DELETE. But because of MySQL's implicit type conversion on an int column, a string is converted to the number formed by its leading digits when it is compared, so '1xxxxx' and 1 match the same rows and the check is passed.

The second SQL statement, the DELETE, is as follows:

$_SGLOBAL['db']->query('DELETE FROM '.tname('spacetags').' WHERE itemid='.$itemid.' AND tagid IN ('.simplode($deletetagidarr).') AND status=\''.$status.'\'');

Here the single quotes were forgotten, so a POC that retrieves the database user can be built:

http://localhost/sup/dan/supesite/cp.php?ac=news&op=view&itemid=4 and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))#

3. PHP is a weakly typed language: a wrong comparison in the check logic triggers injection

Again a case from the same WooYun expert: http://www.wooyun.org/bugs/wooyun-2010-088872
Only the principle of the vulnerability is described here.

For example, in a weakly typed language 0 < 1 and '0 union select 1' < 1 are equivalent in a logical check: both return true, because PHP compares the leading numeric part of the string rather than rejecting the string, so the payload passes the check and is then used unchanged in the query.
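The two numeric blind spots above (item 1, the unquoted integer, and item 3, the weak-typed check) as one added example. This is not code from the original post or from the applications it cites: it emulates the addslashes() "global protection", runs the same kind of query against an in-memory SQLite database through PDO (the pdo_sqlite extension is assumed to be available), and shows the two fixes. The newstype and admin tables, their columns and the UNION payload are made up for the example.

```php
<?php
// Added example, not code from the article or the applications it cites.
// Shows why addslashes()-style "global protection" does nothing for an integer
// parameter, why a weakly typed range check does not reject the payload, and
// the two fixes: cast to int, or bind a typed parameter.
// Assumptions: pdo_sqlite is available; table and column names are made up.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE newstype (newstypeid INTEGER, name TEXT)');
$db->exec('CREATE TABLE admin (username TEXT, password TEXT)');
$db->exec("INSERT INTO newstype VALUES (1, 'news'), (2, 'notice')");
$db->exec("INSERT INTO admin VALUES ('admin', 'hash-of-admin-password')");

// Emulates the global filter: every request value goes through addslashes().
function gpc_filter(array $in): array
{
    foreach ($in as $k => $v) {
        $in[$k] = is_array($v) ? gpc_filter($v) : addslashes($v);
    }
    return $in;
}

// Weakly typed guard (item 3). PHP 7 compares the leading number of the
// string; PHP 8 falls back to a string comparison, which for a payload that
// starts with a valid id also succeeds. Either way the payload is let through.
function guard_weak($typeid): bool
{
    return $typeid > 0;
}

// Strict guard: accepts only an integer literal (surrounding whitespace aside).
function guard_strict($typeid): bool
{
    return filter_var($typeid, FILTER_VALIDATE_INT) !== false;
}

// Vulnerable (item 1): the filtered value is concatenated unquoted, so there
// is no quote for addslashes() to escape and the UNION branch executes.
function fetch_vulnerable(PDO $db, string $typeid): array
{
    $sql = "SELECT newstypeid, name FROM newstype WHERE newstypeid=" . $typeid;
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Fix 1: force the integer type before concatenation ((int)'1 UNION ...' is 1).
function fetch_cast(PDO $db, string $typeid): array
{
    $sql = "SELECT newstypeid, name FROM newstype WHERE newstypeid=" . (int) $typeid;
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Fix 2: prepared statement with an explicitly typed bound parameter.
function fetch_bound(PDO $db, string $typeid): array
{
    $stmt = $db->prepare('SELECT newstypeid, name FROM newstype WHERE newstypeid = :id');
    $stmt->bindValue(':id', (int) $typeid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Constructed request: there is no quote character anywhere in the payload,
// so it comes out of gpc_filter() unchanged.
$request = gpc_filter(['typeid' => '1 UNION SELECT username, password FROM admin']);
$typeid  = $request['typeid'];

var_dump(guard_weak($typeid));
var_dump(guard_strict($typeid));

print_r(fetch_vulnerable($db, $typeid));
print_r(fetch_cast($db, $typeid));
print_r(fetch_bound($db, $typeid));
```

Run it with `php example.php`: the weak guard accepts the payload while the strict guard rejects it, and only the vulnerable query returns the admin row alongside the news row. The cast is the minimal fix for an audit finding; binding a PDO::PARAM_INT parameter is the one to recommend, because it does not depend on every caller remembering the cast.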

Array type: the global protection only filters values, and the unfiltered key is passed into the query

Programmers are often careless when handling arrays, which produces this kind of hole; I was lucky enough to dig one in Shopex's ecmall, link: http://www.wooyun.org/bugs/wooyun-2010-065284.
Since that case involves serialization and the process is complicated, here is another WooYun case instead: http://www.wooyun.org/bugs/wooyun-2010-069746, with a brief analysis. First look at the function that processes the arrays:

$_POST   = add_s($_POST);
$_GET    = add_s($_GET);
$_COOKIE = add_s($_COOKIE);
... ...
function add_s($array) {
    foreach ($array as $key => $value) {
        if (!is_array($value)) {
            $value = str_replace("&#x", "& # x", $value); // filter some unsafe characters
            $value = preg_replace("/eval/i", "", $value); // the replacement argument is missing on the page; an empty string is assumed here
            !get_magic_quotes_gpc() && $value = addslashes($value);
            $array[$key] = $value;
        } else {
            $array[$key] = add_s($array[$key]); // recurse into nested arrays; $key itself is never filtered
        }
    }
    return $array;
}

You can see that the array values are strictly filtered and addslashes-escaped, but there is no filtering at all on the keys. Searching the code for the keyword "$key => $value" turns up the following code, where $key is passed straight into the query:

elseif ($job == 'manage') {
    if (!$ATC_power) showerr("You have no authority");
    if ($rsdb['pages'] < 2) {
        header("Location: post.php?job=edit&aid=$aid&mid=$mid&only=$only"); exit;
    }
    $erp = get_id_table($aid);
    if ($step == 2) {
        asort($orderDB);
        $i = 0;
        foreach ($orderDB as $key => $value) {
            $i++;
            // $key is an array key from the request and was never touched by add_s()
            $db->query("UPDATE {$pre}reply$erp SET orderid=$i WHERE aid='$aid' and rid='$key'");
        }
    }
}

A POC that reads the administrator account and password is built by placing the payload in a key of the orderDB array rather than in a value.

Other cases: http://www.wooyun.org/bugs/wooyun-2014-071516
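The key blind spot as an added, runnable example. It is not the CMS's own code: it ports the shape of the add_s() filter above, feeds it a request whose payload sits in an array key, and runs the resulting UPDATE against an in-memory SQLite database through PDO (pdo_sqlite assumed), next to a hardened version that validates and binds the key. The reply table, its columns and the request are made up for the example.

```php
<?php
// Added example, not the CMS's own code. A recursive value-only filter leaves
// array keys untouched; the fix is to treat the key as untrusted input,
// validate it against the type the column actually has, and bind it.
// Assumptions: pdo_sqlite is available; the reply table and its columns are
// made up; the malicious request is constructed for the example.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reply (aid INTEGER, rid INTEGER, orderid INTEGER)');
$db->exec('INSERT INTO reply VALUES (1, 10, 0), (1, 11, 0), (2, 12, 0)');

// Same shape as the CMS filter: recurse into arrays, addslashes() the leaves.
// $key is only ever used as an index; its content is never escaped.
function add_s(array $array): array
{
    foreach ($array as $key => $value) {
        $array[$key] = is_array($value) ? add_s($value) : addslashes($value);
    }
    return $array;
}

// Vulnerable: $key comes from the request array and is interpolated as-is.
// Returns the total number of rows the UPDATEs touched.
function reorder_vulnerable(PDO $db, int $aid, array $orderDB): int
{
    $touched = 0;
    $i = 0;
    foreach ($orderDB as $key => $value) {
        $i++;
        $touched += $db->exec("UPDATE reply SET orderid=$i WHERE aid='$aid' AND rid='$key'");
    }
    return $touched;
}

// Hardened: rid is a numeric id, so reject anything that is not an integer
// literal, and bind every value instead of interpolating it.
function reorder_hardened(PDO $db, int $aid, array $orderDB): int
{
    $stmt = $db->prepare('UPDATE reply SET orderid = :o WHERE aid = :a AND rid = :r');
    $touched = 0;
    $i = 0;
    foreach ($orderDB as $key => $value) {
        $rid = filter_var($key, FILTER_VALIDATE_INT);
        if ($rid === false) {
            continue; // drop the entry; logging the rejected key would be reasonable too
        }
        $i++;
        $stmt->bindValue(':o', $i, PDO::PARAM_INT);
        $stmt->bindValue(':a', $aid, PDO::PARAM_INT);
        $stmt->bindValue(':r', $rid, PDO::PARAM_INT);
        $stmt->execute();
        $touched += $stmt->rowCount();
    }
    return $touched;
}

// Constructed request: the payload is the KEY, so add_s() never sees it and
// the vulnerable WHERE clause becomes  aid='1' AND rid='10' OR '1'='1',
// which matches every row in the table. The second key is a legitimate id.
$post = add_s(['orderDB' => ["10' OR '1'='1" => 'x', '11' => 'y']]);

echo "vulnerable touched ", reorder_vulnerable($db, 1, $post['orderDB']), " rows\n";
echo "hardened touched ", reorder_hardened($db, 1, $post['orderDB']), " rows\n";
```

When auditing, the grep the article suggests ("$key => $value") is the right starting point; the question to ask at every hit is whether $key is then used as data (in SQL, in a file name, in eval) rather than only as an index. PHP also silently converts decimal-string keys to integers, which is why the hardened loop casts through filter_var() rather than assuming the key type.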

Server variables are not filtered

This usually occurs in a function that obtains the visitor's IP address and stores it, similar to the following code:

// Get visitor IP (PHP code/function)
function get_ip() {
    if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown")) {
        $ip = getenv("HTTP_CLIENT_IP");
    } elseif (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown")) {
        $ip = getenv("HTTP_X_FORWARDED_FOR"); // taken verbatim from a client-controlled header
    } elseif (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown")) {
        $ip = getenv("REMOTE_ADDR");
    } elseif (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown")) {
        $ip = $_SERVER['REMOTE_ADDR'];
    } else {
        $ip = "unknown";
    }
    return $ip;
}

The client IP is obtained from the $_SERVER variables and can be forged through X-Forwarded-For, and there is no regular-expression check on X-Forwarded-For at all. A global search for calls to get_ip() then finds several places where the value is stored.
For example, the code in program/index/receive/login.php:

// the client IP comes from get_ip(), i.e. straight from the request headers
$ip = get_ip();
// it is stored here, unescaped and interpolated into the SQL, so it is injectable
$sql = "UPDATE " . $pdo->index_pre . "user SET `last_time`='$time', `last_ip`='$ip' WHERE `id`='" . $_SESSION['monxin']['id'] . "'";
$pdo->exec($sql);
$sql = "SELECT COUNT(id) AS c FROM " . $pdo->index_pre . "user_login WHERE `userid`='" . $_SESSION['monxin']['id'] . "'";
$stmt = $pdo->query($sql, 2);
$v = $stmt->fetch(2);
if ($v['c'] < self::$config['other']['user_login_log']) {
    $sql = "INSERT INTO " . $pdo->index_pre . "user_login (`userid`, `ip`, `time`, `position`) VALUES ('" . $_SESSION['monxin']['id'] . "', '$ip', '$time', '" . get_ip_position($ip) . "')";
} else {
    $sql = "SELECT `id` FROM " . $pdo->index_pre . "user_login WHERE `userid`='" . $_SESSION['monxin']['id'] . "' ORDER BY time ASC LIMIT 0,1";
    $stmt = $pdo->query($sql, 2);
    $v = $stmt->fetch(2);
    $sql = "UPDATE " . $pdo->index_pre . "user_login SET `ip`='$ip', `time`='$time' WHERE `id`='" . $v['id'] . "'";
}
$pdo->exec($sql);

Case: http://www.wooyun.org/bugs/wooyun-2010-0173485
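An added example of how the IP lookup above should be written; it is not code from the application in the case. It honours X-Forwarded-For only when the direct peer is a proxy the operator controls, and validates whatever it returns as an IP literal, so the value that reaches the database can never carry SQL. The $trustedProxies list and the three request arrays are made up for the example.

```php
<?php
// Added example, not code from the application above. A get_ip() that does
// not trust proxy headers from arbitrary peers and validates what it returns.
// Assumptions: the trusted-proxy list and the request arrays are made up.

function get_ip_safe(array $server, array $trustedProxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Honour X-Forwarded-For only when the direct peer is a proxy we operate;
    // otherwise any client can set the header to an arbitrary string.
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Proxies append to the header; the left-most entry is the original client.
        $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
        // A malformed first entry is ignored and we fall back to the peer.
    }

    // REMOTE_ADDR is set by the web server from the socket, but validate it
    // anyway so that a CLI run or a misconfiguration cannot return junk.
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

// Constructed requests.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => "1.1.1.1', `last_time`='0' WHERE `id`='1'#",
];
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 10.0.0.2',
];
$forgedViaProxy = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => "1.1.1.1' OR 1=1#",
];

$proxies = ['10.0.0.2'];
echo get_ip_safe($direct, $proxies), "\n";         // peer is not a proxy: header ignored
echo get_ip_safe($viaProxy, $proxies), "\n";       // trusted hop, valid literal from the header
echo get_ip_safe($forgedViaProxy, $proxies), "\n"; // invalid literal, falls back to the peer
```

Validating the literal is defence in depth for this one field; the UPDATE and INSERT statements shown above should still receive $ip (and $time) as bound parameters rather than by string interpolation, and the same applies to the other $_SERVER values listed in 0x01, none of which is covered by a filter that only wraps $_GET, $_POST and $_COOKIE.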

Original link: http://www.cnbraid.com/2016/05/10/sql6/. Please contact the author before reprinting.

"PHP code Audit" Those years we dug together SQL injection-7. Global Protection Blind Spot summary
