Unauthenticated SQL Injection in Simple Client Management System

0x00 Introduction

This seems to be a fairly niche template; a look at the Fofa search results turned up only a handful of sites.

Anyone interested can analyse the source code themselves:
https://www.sourcecodester.com/sites/default/files/download/oretnom23/client-details.zip

0x01: Analysis and reproduction

1. Set it up on an internal network and take a look.

2. The home page is just a login form. Let's look at the code (index.php):

<?php session_start();
require_once('dbconnection.php');

//Code for Registration 
if(isset($_POST['signup']))
{
  $fname=$_POST['fname'];
  $lname=$_POST['lname'];
  $email=$_POST['email'];
  $password=$_POST['password'];
  $contact=$_POST['contact'];
  $enc_password=md5($password);
  $a=date('Y-m-d');
  $msg=mysqli_query($con,"insert into users(fname,lname,email,password,contactno,posting_date) values('$fname','$lname','$email','$enc_password','$contact','$a')");
if($msg)
{
  echo "<script>alert('Register successfully');</script>";
}
}

// Code for login system
if(isset($_POST['login']))
{
$password=$_POST['password'];
$dec_password=md5($password);              // unsalted MD5, compared inside the query
$useremail=$_POST['uemail'];               // taken from the request without any filtering or escaping
// $useremail is concatenated straight into the SQL string: this is the injection point
$ret= mysqli_query($con,"SELECT * FROM users WHERE email='$useremail' and password='$dec_password'");
$num=mysqli_fetch_array($ret);
if($num>0)
{
$extra="welcome.php";
$_SESSION['login']=$_POST['uemail'];
$_SESSION['id']=$num['id'];
$_SESSION['name']=$num['fname'];
$host=$_SERVER['HTTP_HOST'];
$uri=rtrim(dirname($_SERVER['PHP_SELF']),'/\\');
header("location:http://$host$uri/$extra");
exit();
}
else
{
echo "<script>alert('Invalid username or password');</script>";
$extra="index.php";
$host  = $_SERVER['HTTP_HOST'];
$uri  = rtrim(dirname($_SERVER['PHP_SELF']),'/\\');
header("location:http://$host$uri/$extra");
exit();
}
}

//Code for Forgot Password

if(isset($_POST['send']))
{
$row1=mysqli_query($con,"select email,password from users where email='".$_POST['femail']."'"); // femail is concatenated into the query the same way as uemail
$row2=mysqli_fetch_array($row1);
if($row2>0)
{
$email = $row2['email'];
$subject = "Information about your password";
$password=$row2['password'];
$message = "Your password is ".$password;
mail($email, $subject, $message, "From: $email");
echo  "<script>alert('Your Password has been sent Successfully');</script>";
}
else
{
echo "<script>alert('Email not register with us');</script>";  
}
}

?>
<!DOCTYPE html>
<html>
<head>
<title>Login System</title>
<link href="css/style.css" rel='stylesheet' type='text/css' />
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="keywords" content="Elegent Tab Forms,Login Forms,Sign up Forms,Registration Forms,News latter Forms,Elements" />
<script type="application/x-javascript"> addEventListener("load", function() { setTimeout(hideURLbar, 0); }, false); function hideURLbar(){ window.scrollTo(0,1); } </script>
<script src="js/jquery.min.js"></script>
<script src="js/easyResponsiveTabs.js" type="text/javascript"></script>
        <script type="text/javascript">
          $(document).ready(function () {
            $('#horizontalTab').easyResponsiveTabs({
              type: 'default',       
              width: 'auto', 
              fit: true 
            });
          });
</script>
<link href='http://fonts.googleapis.com/css?family=Source+Sans+Pro:200,400,600,700,200italic,300italic,400italic,600italic|Lora:400,700,400italic,700italic|Raleway:400,500,300,600,700,200,100' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css" integrity="sha384-MCw98/SFnGE8fJT3GXwEOngsV7Zt27NXFoaoApmYm81iuXoPkFOJwJ8ERdknLPMO" crossorigin="anonymous">
</head>
<body>
<div class="main">
    
             <div class="facts" style="margin-top: 100px;margin-left: 20%;margin-right: 20%;" align="center">
               <div class="login">
                 <h2 style="color: #fff;">Users Login here</h2>
            
              <form name="login" action="" method="post">
                <input type="text" class="text" name="uemail" value="" placeholder="Enter your registered email"  ><a href="#" class=" icon email"></a>

                <input type="password" value="" name="password" placeholder="Enter valid password"><a href="#" class=" icon lock"></a>

                <div class="p-container" style="margin-right: 48px;">
                
                  <div class="submit two">
                  <input type="submit" name="login" value="LOG IN" >
                  </div>
                  <div class="clear"> </div>
                </div>

              </form>
          </div>
        </div> 
      
       </div>

</body>
</html>

3. Look at the uemail parameter that the login form submits.

There is no filtering here; trace the value through to confirm.
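For comparison, here is how the same login (and the registration that feeds it) looks once the uemail value is bound as a parameter instead of being spliced into the query string. This is an added example written for this write-up, not code from the Simple Client Management System project. It assumes the mysqli connection `$con` that dbconnection.php provides, that the mysqlnd driver is available (needed for `get_result()`), and that the stored password column has been migrated from md5() to `password_hash()` digests.

```php
<?php
// Added example: hardened version of the index.php login/registration handlers.
// Assumptions: $con is a mysqli connection (from dbconnection.php); mysqlnd is
// installed; users.password holds password_hash() output, not MD5.
session_start();
require_once('dbconnection.php');

// Registration: same columns as the original INSERT, but every user-supplied
// value is a bound parameter and the password is salted-hashed.
if (isset($_POST['signup'])) {
    $fname    = $_POST['fname']    ?? '';
    $lname    = $_POST['lname']    ?? '';
    $email    = $_POST['email']    ?? '';
    $contact  = $_POST['contact']  ?? '';
    $hash     = password_hash($_POST['password'] ?? '', PASSWORD_DEFAULT);
    $today    = date('Y-m-d');

    $stmt = $con->prepare(
        'INSERT INTO users (fname, lname, email, password, contactno, posting_date)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('ssssss', $fname, $lname, $email, $hash, $contact, $today);
    $ok = $stmt->execute();
    $stmt->close();
    if ($ok) {
        echo "<script>alert('Register successfully');</script>";
    }
}

// Login: the email is sent to MySQL as data, never as part of the SQL text,
// so a crafted uemail value cannot change the WHERE clause.
if (isset($_POST['login'])) {
    $useremail = $_POST['uemail']   ?? '';
    $password  = $_POST['password'] ?? '';

    $stmt = $con->prepare('SELECT id, fname, password FROM users WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $useremail);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify the hash in PHP rather than in the query: the outcome of the
    // login no longer depends on how the email field was shaped.
    if ($row && password_verify($password, $row['password'])) {
        session_regenerate_id(true);          // fresh session id after authentication
        $_SESSION['login'] = $useremail;
        $_SESSION['id']    = $row['id'];
        $_SESSION['name']  = $row['fname'];
        header('Location: welcome.php');      // relative redirect, no Host header reuse
        exit();
    }

    // One generic message for both "unknown email" and "wrong password".
    echo "<script>alert('Invalid username or password');</script>";
    header('Location: index.php');
    exit();
}
```

The key change is structural rather than a filter: with `prepare()`/`bind_param()` the database receives the query text and the uemail value separately, so a payload in uemail is compared literally against the email column and the sqlmap run shown below would find nothing to inject. Moving the password check into `password_verify()` also removes the unsalted MD5 comparison, which is what makes the leaked hashes in the later steps directly usable.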

4. Go straight to the dbconnection.php file.

5. Take another look at the dbconnection.php file.

What???

(cue the Coffin Dance music)

6. Capture the login request and test it.

7. Test with sqlmap, specifying the parameter:

sqlmap -r /Users/apple/Desktop/log.log --dbs --random-agent -p uemail --flush-session

The final data-dump test.

To rule out a false positive:

Confirmed.

Check the database privileges.

Look at the administrator's account and password.

0x02: Summary

1. This template is fairly simple, and I'm a newbie myself; if there are mistakes in the analysis, please go easy on me.

2. In this era of EXPs flying everywhere, if you really want to learn, you do need to look at the underlying principle of the vulnerability.

3. I'm a newbie; I only started learning cyber security this afternoon at **1:30:23 PM**, so please take me under your wing.


洛米唯熊
