0x01 Background
Today's web applications almost always have a global filter against SQL injection, such as PHP's GPC setting or a call to addslashes() in a global file like common.php that escapes every received parameter, single quotes in particular. Second-order injection is a fairly common variant that involves two steps: the payload is first stored in the database and later read back out of it. Because of the global escaping, the value is stored like this:
    INSERT INTO table (username) VALUES ('hack\'');
Once stored, the backslash is gone and the database holds hack'. If hack' is later read back out of the database and concatenated into another query, the single quote is reintroduced and the injection succeeds.
The vulnerability report comes from WooYun: http://www.wooyun.org/bugs/wooyun-2014-068362
0x02 Environment Setup
For this analysis we use an older version of the 74CMS program, version 3.4 (20140310).
① The source can be found online; I have packaged a copy: http://pan.baidu.com/s/1c1mLCru
② Extract it into the www directory as 74cms (20140310), open http://localhost/74cms (20140310) in the browser and follow the prompts to install step by step. If you run into problems during installation, search Baidu or Google. After a successful install the site looks like this:
0x03 Vulnerability Analysis
Part 1: Source structure
The structure of the source is clear, probably the clearest layout I have audited; it mainly consists of the following three parts:
index.php includes common.inc.php. Following common.inc.php, we find the code that processes GPC:
    <?php
    if (!empty($_GET)) {
        $_GET = addslashes_deep($_GET);
    }
    if (!empty($_POST)) {
        $_POST = addslashes_deep($_POST);
    }
    $_COOKIE  = addslashes_deep($_COOKIE);
    $_REQUEST = addslashes_deep($_REQUEST);
As you can see, the server runs the GET and POST request variables through addslashes (the same is done for $_COOKIE and $_REQUEST).
Part 2: Audit process
1. First, in the resume publishing flow of the personal center:
    elseif ($act == 'make4_save') {
        $resume_education = get_resume_education($_SESSION['uid'], $_REQUEST['pid']);
        if (count($resume_education) >= 6) showmsg('No more than 6 educational experiences!', 1, $link);
        $setsqlarr['uid'] = intval($_SESSION['uid']);
        $setsqlarr['pid'] = intval($_REQUEST['pid']);
        if ($setsqlarr['uid'] == 0 || $setsqlarr['pid'] == 0) showmsg('Parameter error!', 1);
        $setsqlarr['start']        = trim($_POST['start'])        ? $_POST['start']        : showmsg('Please fill in the start time!', 1, $link);
        $setsqlarr['endtime']      = trim($_POST['endtime'])      ? $_POST['endtime']      : showmsg('Please fill in the end time!', 1, $link);
        $setsqlarr['school']       = trim($_POST['school'])       ? $_POST['school']       : showmsg('Please fill in the school name!', 1, $link);
        $setsqlarr['speciality']   = trim($_POST['speciality'])   ? $_POST['speciality']   : showmsg('Please fill in the major!', 1, $link);
        $setsqlarr['education']    = trim($_POST['education'])    ? $_POST['education']    : showmsg('Please choose the education level!', 1, $link);
        $setsqlarr['education_cn'] = trim($_POST['education_cn']) ? $_POST['education_cn'] : showmsg('Please choose the education level!', 1, $link);
        // Here the education record is INSERTed into the "qs_resume_education" table
        if (inserttable(table('resume_education'), $setsqlarr)) {
            check_resume($_SESSION['uid'], intval($_REQUEST['pid']));
        }
    }
2. Here we see the INSERT that stores the data. We can try submitting a single quote: after storage the escaping backslash is gone. Next we follow the check_resume function that is called after inserttable.
    // Check the completion level of the resume
    function check_resume($uid, $pid) {
        global $db, $timestamp, $_CFG;
        $uid = intval($uid);
        $pid = intval($pid);
        $percent = 0;
        $resume_basic     = get_resume_basic($uid, $pid);
        $resume_intention = $resume_basic['intention_jobs'];
        $resume_specialty = $resume_basic['specialty'];
        // Fetch the education experience: this reads the stored value back out of the database
        $resume_education = get_resume_education($uid, $pid);
        if (!empty($resume_basic))     $percent = $percent + 15;
        if (!empty($resume_intention)) $percent = $percent + 15;
        if (!empty($resume_specialty)) $percent = $percent + 15;
        if (!empty($resume_education)) $percent = $percent + 15;
        if ($resume_basic['photo_img'] && $resume_basic['photo_audit'] == "1" && $resume_basic['photo_display'] == "1") {
            $setsqlarr['photo'] = 1;
        } else {
            $setsqlarr['photo'] = 0;
        }
        if ($percent < 60) {
            $setsqlarr['complete_percent'] = $percent;
            $setsqlarr['complete'] = 2;
        } else {
            $resume_work     = get_resume_work($uid, $pid);
            $resume_training = get_resume_training($uid, $pid);
            $resume_photo    = $resume_basic['photo_img'];
            if (!empty($resume_work))     $percent = $percent + 13;
            if (!empty($resume_training)) $percent = $percent + 13;
            if (!empty($resume_photo))    $percent = $percent + 14;
            $setsqlarr['complete'] = 1;
            $setsqlarr['complete_percent'] = $percent;
            require_once(QISHI_ROOT_PATH . 'include/splitword.class.php');
            $sp = new SPWord();
            $setsqlarr['key'] = $resume_basic['intention_jobs'] . $resume_basic['recentjobs'] . $resume_basic['specialty'];
            $setsqlarr['key'] = "{$resume_basic['fullname']}" . $sp->extracttag($setsqlarr['key']);
            $setsqlarr['key'] = str_replace(",", " ", $resume_basic['intention_jobs']) . "{$setsqlarr['key']} {$resume_basic['education_cn']}";
            $setsqlarr['key'] = $sp->pad($setsqlarr['key']);
            if (!empty($resume_education)) {
                // Traverse all fields of the education experience and append them to the array
                // (the loop body was lost in extraction; reconstructed: the school field is the one used in the test below)
                foreach ($resume_education as $li) {
                    $setsqlarr['key'] .= " " . $li['school'] . " " . $li['speciality'];
                }
            }
            $setsqlarr['refreshtime'] = $timestamp;
            // Here the resume is UPDATEd with the education data read back from the database: the second-order injection happens here!
            // (table name lost in extraction; the columns written here belong to the resume record)
            updatetable(table('resume'), $setsqlarr, "uid='{$uid}' and id='{$pid}'");
        }
    }
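To make the two-stage data flow from the background section and check_resume concrete, here is an added, self-contained PHP example (not 74CMS code) that models it with in-memory SQLite: stage 1 stores the already-unescaped value as MySQL would after addslashes, stage 2 reads it back and splices it into an UPDATE by concatenation, which fails, beside a bound-parameter UPDATE that treats the stored quote as data. Table and column names are made up.

```php
<?php
// Added example (not 74CMS code): second-order injection modelled with in-memory SQLite.
// Table and column names are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE education (uid INTEGER, school TEXT)");
$db->exec("CREATE TABLE resume (uid INTEGER PRIMARY KEY, keywords TEXT DEFAULT '')");
$db->exec("INSERT INTO resume (uid) VALUES (1)");

// Stage 1 (storage): the request went through addslashes_deep, so MySQL saw
// VALUES ('AA\'') and stored the raw value AA' with the backslash consumed.
// The same end state is produced here with a bound parameter.
$stored = "AA'";   // constructed: the school value from the article's test
$db->prepare("INSERT INTO education (uid, school) VALUES (1, ?)")->execute([$stored]);

// Stage 2 (read back): the value comes out of the database and is concatenated
// into an UPDATE, as check_resume does. No escaping runs on this path.
$school = $db->query("SELECT school FROM education WHERE uid = 1")->fetchColumn();

// Vulnerable pattern: the stored quote terminates the literal and breaks the statement.
function updateByConcat(PDO $db, string $school): string {
    $sql = "UPDATE resume SET keywords = '$school' WHERE uid = '1'";
    try {
        $db->exec($sql);
        return 'ok';
    } catch (PDOException $e) {
        return 'syntax error: ' . $e->getMessage();
    }
}

// Hardened pattern: every value, including one read back from the database,
// is bound rather than spliced into SQL, so its content is always data.
function updateByBinding(PDO $db, string $school): string {
    $st = $db->prepare("UPDATE resume SET keywords = :kw WHERE uid = :uid");
    $st->execute([':kw' => $school, ':uid' => 1]);
    return $db->query("SELECT keywords FROM resume WHERE uid = 1")->fetchColumn();
}

echo updateByConcat($db, $school), PHP_EOL;    // syntax error: ...
echo updateByBinding($db, $school), PHP_EOL;   // AA'
```

The lesson for a code review is that a global input filter only protects the first query; any value fetched from the database and re-embedded in SQL needs binding (or escaping at that point) as well.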
3. We fill out a simple resume for testing and enter AA' in the school name field of the education experience.
After saving, the SQL statement produces an error:
0x04 Vulnerability Proof
Construct a POC that retrieves the database user:
Checking the resume, the resume name has become [email protected]:
Reviewing the SQL statement confirms that the UPDATE executed successfully:
Finally, interested readers can go on to retrieve other related fields, such as the admin account.
Original link: http://www.cnbraid.com/2016/02/19/sql3/. Please contact the author if you need to reprint.
"PHP Code Audit" The SQL injections we dug up together over the years - 4. Global protection bypass: second-order injection