[PHP Code Audit] The SQL Injections We Dug Up Together Over the Years - 4. Global Protection Bypass: Second-Order Injection

Source: Internet
Author: User

0x01 Background

Most web applications today have a global filter against SQL injection. In PHP this usually means either enabling magic_quotes_gpc or, in a global file such as common.php, running every received parameter through addslashes(), which escapes single quotes in particular. Second-order injection is also a fairly common kind of injection; it involves data going into the database and later coming back out. Because of the global escaping, at storage time the statement looks like this:

INSERT INTO table (username) VALUES ('hack\'');

After the statement executes, the escape character is gone and the stored value is hack'. If hack' is later read back out of the database and placed into another query, it successfully introduces a single quote and causes injection.
The vulnerability comes from WooYun: http://www.wooyun.org/bugs/wooyun-2014-068362

0x02 Environment Setup

For the background above we use an older version of the 74CMS program, version 3.4 (20140310):
① The source can be found online; I packed a copy: http://pan.baidu.com/s/1c1mLCru
② Extract it into the www directory as 74cms (20140310), open http://localhost/74cms (20140310) in the browser, and follow the prompts step by step to install. If you run into problems during installation, please search Baidu or Google. After a successful installation it looks like this:

0x03 Vulnerability Analysis

Part 1: Source structure

The structure of the source code is clear, probably the clearest structure to audit; it consists mainly of the following three parts:

index.php includes the common.inc.php file. Following common.inc.php, we find the code that processes GPC:

<?php
// common.inc.php: the "global protection". addslashes_deep() is defined elsewhere in
// 74CMS and applies addslashes() recursively to every element of the array.
if (!empty($_GET)) {
    $_GET = addslashes_deep($_GET);
}
if (!empty($_POST)) {
    $_POST = addslashes_deep($_POST);
}
$_COOKIE = addslashes_deep($_COOKIE);
$_REQUEST = addslashes_deep($_REQUEST);

As you can see, the server runs the variables of GET and POST requests through addslashes.
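The following script is an added example for the two points made so far (the escape-once-store-reuse mechanism in the background section and the addslashes_deep() filter just shown); it is not code from the original post or from 74CMS. Rather than a live MySQL server, it uses a small scanner that decodes single-quoted literals the way MySQL does (backslash escapes and doubled quotes), so the decoded literal is exactly the value MySQL would store or compare. The table and column names are constructed for the demonstration.

```php
<?php
// Added example, not code from the original post or from 74CMS.
// Models what the database sees when a value that the global filter escaped once is
// stored and then concatenated into a second query without escaping.

function addslashes_deep($value)
{
    // Recursive addslashes(): the shape of the global GPC filter in common.inc.php
    return is_array($value) ? array_map('addslashes_deep', $value) : addslashes($value);
}

/**
 * Returns ['ok' => bool, 'literals' => string[]]: every single-quoted literal in $sql,
 * decoded as MySQL decodes it (\x -> x, '' -> '). 'ok' is false when the statement
 * ends inside an unterminated literal, i.e. the statement is broken.
 */
function scan_literals(string $sql): array
{
    $literals = [];
    $n = strlen($sql);
    $i = 0;
    while ($i < $n) {
        if ($sql[$i] !== "'") {      // outside a literal: plain SQL text
            $i++;
            continue;
        }
        $i++;                        // opening quote
        $buf = '';
        $closed = false;
        while ($i < $n) {
            $c = $sql[$i];
            if ($c === '\\' && $i + 1 < $n) {                              // \x: take x literally
                $buf .= $sql[$i + 1];
                $i += 2;
            } elseif ($c === "'" && $i + 1 < $n && $sql[$i + 1] === "'") { // '': a literal quote
                $buf .= "'";
                $i += 2;
            } elseif ($c === "'") {                                        // closing quote
                $closed = true;
                $i++;
                break;
            } else {
                $buf .= $c;
                $i++;
            }
        }
        $literals[] = $buf;
        if (!$closed) {
            return ['ok' => false, 'literals' => $literals];
        }
    }
    return ['ok' => true, 'literals' => $literals];
}

function demo(): array
{
    // 1. Request data, escaped once at the door (constructed value: the article's AA').
    $post = addslashes_deep(['school' => "AA'"]);

    // 2. Storage by concatenation. The INSERT is well-formed, and what gets stored is
    //    the decoded literal: AA' with the backslash gone.
    $insert = "INSERT INTO resume_education (school) VALUES ('{$post['school']}')";
    $stored = scan_literals($insert)['literals'][0];

    // 3. Second use: the stored value is spliced into an UPDATE with no escaping. The
    //    quote ends the literal early and the WHERE clause text is swallowed into it.
    $reuse = scan_literals("UPDATE resume SET keywords='{$stored}' WHERE uid='1' AND id='1'");

    // 4. Fix: escape at the point of use (better still, bind the value as a parameter).
    $fixed = scan_literals("UPDATE resume SET keywords='" . addslashes($stored) . "' WHERE uid='1' AND id='1'");

    return ['stored' => $stored, 'reuse' => $reuse, 'fixed' => $fixed];
}

$r = demo();
printf("stored value: %s\n", $r['stored']);
printf("reuse ok: %s  literals: %s\n", var_export($r['reuse']['ok'], true), json_encode($r['reuse']['literals']));
printf("fixed ok: %s  literals: %s\n", var_export($r['fixed']['ok'], true), json_encode($r['fixed']['literals']));
```

The point to take from the scan is that the global filter protects the statement the value first enters, not the value itself: once stored, the text is unescaped again, and every later statement that splices it in by concatenation needs its own escaping or, preferably, a bound parameter.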

Part 2: Audit process

1. First, in the resume publishing code of the personal centre:

} elseif ($act == 'make4_save') {
    $resume_education = get_resume_education($_SESSION['uid'], $_REQUEST['pid']);
    if (count($resume_education) >= 6) showmsg('No more than 6 educational experiences!', 1, $link);
    $setsqlarr['uid'] = intval($_SESSION['uid']);
    $setsqlarr['pid'] = intval($_REQUEST['pid']);
    if ($setsqlarr['uid'] == 0 || $setsqlarr['pid'] == 0) showmsg('Parameter error!', 1);
    $setsqlarr['start'] = trim($_POST['start']) ? $_POST['start'] : showmsg('Please fill in the start time!', 1, $link);
    $setsqlarr['endtime'] = trim($_POST['endtime']) ? $_POST['endtime'] : showmsg('Please fill in the end time!', 1, $link);
    $setsqlarr['school'] = trim($_POST['school']) ? $_POST['school'] : showmsg('Please fill in the school name!', 1, $link);
    $setsqlarr['speciality'] = trim($_POST['speciality']) ? $_POST['speciality'] : showmsg('Please fill in the major!', 1, $link);
    $setsqlarr['education'] = trim($_POST['education']) ? $_POST['education'] : showmsg('Please select an education level!', 1, $link);
    $setsqlarr['education_cn'] = trim($_POST['education_cn']) ? $_POST['education_cn'] : showmsg('Please select an education level!', 1, $link);
    // Here is the INSERT into table "qs_resume_education": the education-background fields are stored
    if (inserttable(table('resume_education'), $setsqlarr)) {
        check_resume($_SESSION['uid'], intval($_REQUEST['pid']));
        // ... (rest of the branch omitted in the source)
    }
}

2. Here we see the INSERT into storage, so we can try adding a single quote; after storage the escape character will be gone. Let's follow the check_resume function that runs after inserttable.

// Check the completion level of a resume
function check_resume($uid, $pid)
{
    global $db, $timestamp, $_cfg;
    $uid = intval($uid);
    $pid = intval($pid);
    $percent = 0;
    $resume_basic = get_resume_basic($uid, $pid);
    $resume_intention = $resume_basic['intention_jobs'];
    $resume_specialty = $resume_basic['specialty'];
    // Read the education experience back out of the database
    $resume_education = get_resume_education($uid, $pid);
    if (!empty($resume_basic)) $percent = $percent + 15;
    if (!empty($resume_intention)) $percent = $percent + 15;
    if (!empty($resume_specialty)) $percent = $percent + 15;
    if (!empty($resume_education)) $percent = $percent + 15;
    if ($resume_basic['photo_img'] && $resume_basic['photo_audit'] == "1" && $resume_basic['photo_display'] == "1") {
        $setsqlarr['photo'] = 1;
    } else {
        $setsqlarr['photo'] = 0;
    }
    if ($percent < 60) {
        $setsqlarr['complete_percent'] = $percent;
        $setsqlarr['complete'] = 2;
    } else {
        $resume_work = get_resume_work($uid, $pid);
        $resume_training = get_resume_training($uid, $pid);
        $resume_photo = $resume_basic['photo_img'];
        if (!empty($resume_work)) $percent = $percent + 13;
        if (!empty($resume_training)) $percent = $percent + 13;
        if (!empty($resume_photo)) $percent = $percent + 14;
        $setsqlarr['complete'] = 1;
        $setsqlarr['complete_percent'] = $percent;
        require_once(QISHI_ROOT_PATH . 'include/splitword.class.php');
        $sp = new SPWord();
        $setsqlarr['key'] = $resume_basic['intention_jobs'] . $resume_basic['recentjobs'] . $resume_basic['specialty'];
        $setsqlarr['key'] = "{$resume_basic['fullname']}" . $sp->extracttag($setsqlarr['key']);
        $setsqlarr['key'] = str_replace(",", " ", $resume_basic['intention_jobs']) . "{$setsqlarr['key']} {$resume_basic['education_cn']}";
        $setsqlarr['key'] = $sp->pad($setsqlarr['key']);
        if (!empty($resume_education)) {
            // Walk every field of every education record and append it to the keyword string
            foreach ($resume_education as $li) {
                // The exact concatenation is garbled in the source; this follows the comment above
                $setsqlarr['key'] .= ' ' . implode(' ', $li);
            }
        }
    }
    $setsqlarr['refreshtime'] = $timestamp;
    // Here the education experience, now read back unescaped, goes into an UPDATE:
    // the second-order injection happens here! (The table name is garbled in the source;
    // the proof below shows the resume record being updated.)
    updatetable(table('resume'), $setsqlarr, "uid='{$uid}' and id='{$pid}'");
}
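For the two data-access calls traced above (the inserttable() call in make4_save and the updatetable() call at the end of check_resume), here is an added example of what a hardened pair looks like. It is not code from the original post or from 74CMS; the function names inserttable_safe() and updatetable_safe(), the tables and the in-memory SQLite database standing in for MySQL are all constructed for the demonstration. Every column value and every WHERE value is bound as a parameter, so stored text never becomes SQL however it was escaped, or not escaped, on input.

```php
<?php
// Added example, not code from the original post or from 74CMS.
// With MySQL, quote_ident() should use backticks unless ANSI_QUOTES is enabled.

function quote_ident(string $name): string
{
    // Table and column names come from code, never from the request; still, refuse
    // anything that is not a plain identifier so they cannot smuggle SQL either.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("bad identifier: $name");
    }
    return '"' . $name . '"';
}

function inserttable_safe(PDO $db, string $table, array $row): bool
{
    $cols = implode(', ', array_map('quote_ident', array_keys($row)));
    $marks = implode(', ', array_fill(0, count($row), '?'));
    $sql = 'INSERT INTO ' . quote_ident($table) . " ($cols) VALUES ($marks)";
    return $db->prepare($sql)->execute(array_values($row));
}

// $where is a list of [column, value] equality conditions bound as parameters,
// replacing the raw "uid='{$uid}' and id='{$pid}'" string the original caller builds.
function updatetable_safe(PDO $db, string $table, array $row, array $where): int
{
    $set = [];
    foreach (array_keys($row) as $col) {
        $set[] = quote_ident($col) . ' = ?';
    }
    $cond = [];
    $params = array_values($row);
    foreach ($where as [$col, $val]) {
        $cond[] = quote_ident($col) . ' = ?';
        $params[] = $val;
    }
    $sql = 'UPDATE ' . quote_ident($table) . ' SET ' . implode(', ', $set)
         . ' WHERE ' . implode(' AND ', $cond);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

function demo(): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE resume_education (id INTEGER PRIMARY KEY, uid INTEGER, pid INTEGER, school TEXT)');
    $db->exec('CREATE TABLE resume (id INTEGER PRIMARY KEY, uid INTEGER, keywords TEXT, complete_percent INTEGER)');
    $db->exec("INSERT INTO resume (id, uid, keywords, complete_percent) VALUES (7, 3, '', 0)");

    // The article's test value, stored as typed: no addslashes() on input is needed,
    // because the value is bound rather than spliced into the statement text.
    inserttable_safe($db, 'resume_education', ['uid' => 3, 'pid' => 7, 'school' => "AA'"]);

    // Read the education records back and build the keyword string as check_resume() does.
    $stmt = $db->prepare('SELECT school FROM resume_education WHERE uid = ? AND pid = ?');
    $stmt->execute([3, 7]);
    $keywords = '';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $li) {
        $keywords .= $li['school'] . ' ';
    }

    // The second-order step: the unescaped stored value goes into the UPDATE and stays data.
    $updated = updatetable_safe($db, 'resume',
        ['keywords' => trim($keywords), 'complete_percent' => 60],
        [['uid', 3], ['id', 7]]);

    $row = $db->query('SELECT keywords FROM resume WHERE id = 7')->fetch(PDO::FETCH_ASSOC);
    return ['rows_updated' => $updated, 'keywords' => $row['keywords']];
}

print_r(demo());
```

The design choice worth noting is that the WHERE clause is no longer a string the caller assembles: a helper that accepts raw condition text invites exactly the concatenation that check_resume() performs with its intval()-protected uid and pid today and that the next caller will perform with a value that is not an integer.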

3. We fill out a resume as a simple test, entering AA' in the school name field of the education experience:

After saving, an error statement appears:

0x04 Vulnerability Proof

Construct a PoC that retrieves information about the database user:

Check the resume and find that the resume name has become [email protected]:

Review the SQL statement and see that the UPDATE executed successfully:

Finally, interested readers can go on to retrieve other related fields, such as the admin account.

Original link: http://www.cnbraid.com/2016/02/19/sql3/; please contact the author if you want to reprint.
