最新消息:

小审计一个社工裤源码

PHP代码审计 admin 1569浏览 0评论

转自:http://fuck.0day5.com/archives/1337.html

我为什么要去找社工裤源码呢,我也忘记了,但是就是去找了。

找到之后就看了下别人的查询语句,好吧,想起来了,主要是因为要优化sql语句才去找的。

拿到之后,没有立即搭建,看了下语句也不是我想要的那种。

function get_sql_results($keyword) {

    $return = array();
    $link = mysql_connect("localhost", "root", "root");
    mysql_select_db("sj") or die('数据库连接失败!');
    mysql_query("SET names UTF8");
    if (!$link) die('数据库连接失败!');
    $keyword = urldecode($keyword);
    $results = mysql_query('SHOW TABLES');
    while ($tbrow = mysql_fetch_array($results)) {
        if (strlen($keyword) < 1) return null;
        //$sqlb="SELECT * FROM $tbrow[0] WHERE name like '%$keyword%' or email like '%$keyword%'";
        $sqlb = "SELECT * FROM $tbrow[0] WHERE pass like '" . $keyword . "%' or uname like '" . $keyword . "%' or email like '" . $keyword . "%' or salt like '" . $keyword . "%' ";
        //echo $sqlb ."<br/>";
        $query = mysql_query($sqlb);
        while ($row = mysql_fetch_assoc($query)) {
            $return[] = array(
                'name' => highLightKeyword($row['uname'], $keyword) ,
                'pass' => highLightKeyword($row['pass'], $keyword).is_md5($row['pass']),
                'salt' => $row['salt'],
                'email' => highLightKeyword($row['email'], $keyword) ,
                'site' => $row['site'],
                'ip' => is_ip($row['ip']),
            );
            $count++;
        }
    }
    mysql_close($link);
    return $return;
	
}

不过却给我提供了思路
把全部的的表存放到一个字段,然后利用php foreach来遍历后输出结果,或许也是一种办法。

不过看到他的注册页面了

    case "regMethod":
        $name = trim(mysql_real_escape_string($_POST['name']));
        $pass = trim(mysql_real_escape_string($_POST['pass']));
        $mail = trim(mysql_real_escape_string($_POST['mail']));
        $passcache = trim(mysql_real_escape_string($_POST['passcache']));
        $icode = trim(mysql_real_escape_string($_POST['icode']));
        k($name, "用户名为空", "index.php?act=reg");
        k($pass, "密码为空", "index.php?act=reg");
        k($mail, "邮箱为空", "index.php?act=reg");
        k($passcache, "重复密码为空", "index.php?act=reg");
        k($icode, "邀请码为空", "index.php?act=reg");
        if ($pass != $passcache) {
            k($kong, "两个密码不一样哦", "index.php?act=reg");
        }
        $sql = $mysql->select("*", "user", "name", "'" . $name . "'"); //选择数据
        if (!empty($sql)) {
            k($kong, "抱歉哦,此用户名已经有人注册啦", "index.php?act=reg");
        }
        $yqm = $mysql->select("*", "code", "code", "'" . $icode . "'"); //选择数据
        if (empty($yqm) || $yqm['mid'] == '1') {
            k($kong, "邀请码不存在或已使用", "index.php?act=reg");
        }
        $mid = $yqm['mid'];
        if ($mid == 1) {
            k($kong, "邀请码不存在或已使用", "index.php?act=reg");
        }
        $pass = pass($pass);
        $mysql->insert("user", "name,pass,mail,time,ip", "'" . $name . "','" . $pass . "','" . $mail . "','" . time() . "','" . getIP() . "'"); //直接就执行了插入语句
        $mysql->update("code", "mid", "1", "code", "'" . $icode . "'");
        $_SESSION['name'] = $name;
        $_SESSION['pass'] = $pass;
        $_SESSION['mail'] = $mail;
        $_SESSION['ip'] = getIP();
        k($kong, "注册成功", "index.php");
        exit;

在各种验证匹配后就直接进入了insert阶段,再看看这个getIP()为何物,直接再config.php里面找到了

function getIP() { 
if (getenv('HTTP_CLIENT_IP')) { 
$ip = getenv('HTTP_CLIENT_IP'); 
} 
elseif (getenv('HTTP_X_FORWARDED_FOR')) { 
$ip = getenv('HTTP_X_FORWARDED_FOR'); 
} 
elseif (getenv('HTTP_X_FORWARDED')) { 
$ip = getenv('HTTP_X_FORWARDED'); 
} 
elseif (getenv('HTTP_FORWARDED_FOR')) { 
$ip = getenv('HTTP_FORWARDED_FOR'); 

} 
elseif (getenv('HTTP_FORWARDED')) { 
$ip = getenv('HTTP_FORWARDED'); 
} 
else { 
$ip = $_SERVER['REMOTE_ADDR']; 
} 
return $ip; 
}

然后,想起了上次某个团购的也是酱紫的~
设置X-Forwarded-For为xx’打破insert语句,就会报错了,然后慢慢的注入。估计人家注册一次,整个裤子都得贡献出去啊!
修复方法参考某CMS想到了一个折中的办法

//参数处理函数
function RepPostVar($val){
        $val=str_replace(" ","",$val);
        $val=str_replace("'","",$val);
        $val=str_replace("\"","",$val);
        $val=addslashes(stripSlashes($val));
        return $val;
}
/**
 * 获得用户的真实IP地址
 *
 * @access  public
 * @return  string
 */
function real_ip(){
	if(getenv('HTTP_CLIENT_IP')&&strcasecmp(getenv('HTTP_CLIENT_IP'),'unknown')) 
	{
		$ip=getenv('HTTP_CLIENT_IP');
	} 
	elseif(getenv('HTTP_X_FORWARDED_FOR')&&strcasecmp(getenv('HTTP_X_FORWARDED_FOR'),'unknown'))
	{
		$ip=getenv('HTTP_X_FORWARDED_FOR');
	}
	elseif(getenv('REMOTE_ADDR')&&strcasecmp(getenv('REMOTE_ADDR'),'unknown'))
	{
		$ip=getenv('REMOTE_ADDR');
	}
	elseif(isset($_SERVER['REMOTE_ADDR'])&&$_SERVER['REMOTE_ADDR']&&strcasecmp($_SERVER['REMOTE_ADDR'],'unknown'))
	{
		$ip=$_SERVER['REMOTE_ADDR'];
	}
	$ip=RepPostVar(preg_replace("/^([\d\.]+).*/","\\1",$ip));
	return $ip;
}

 

转载请注明:jinglingshu的博客 » 小审计一个社工裤源码


Warning: Use of undefined constant PRC - assumed 'PRC' (this will throw an Error in a future version of PHP) in /usr/share/nginx/html/wp-content/themes/d8/comments.php on line 17
发表我的评论
取消评论

表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址