Study of injection safety problem replace.
Sql injection generally is a reference to the filtering function addslashes filtered.
He will be converted into single quotes injected \ ', converting into double quote \ "\\ converted to other backslash
Write a php code:
<!DOCTYPE html>
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
</head>
<body>
<?php
$x=$_GET['x'];
$id=str_replace(addslashes($_GET['y']),'',addslashes($x));
echo "过滤后:".addslashes($x)."<br/>";
echo "replace替换绕过:".$id."<br/>";
$conn = mysql_connect ( '127.0.0.1', 'the root', 'the root'); // connect mysql database
the mysql_select_db ( 'test', $ Conn ); // Select the name of the test database at the request of the connection Conn $
$ SQL = "SELECT * WHERE ID = user1 from ' $ ID ' "; // definition of variable composition and sql statement ID
$ Result = the mysql_query ( $ sql ); // execute sql statement and returns to the variable Result
the while ( $ Row = the mysql_fetch_array ( $ Result )) { // loop through the array data and display
echo "ID." $ Row [ 'ID'] "</ br>." ;
echo "Username."Row $ . [ 'name'] "</ br>" ;
}
mysql_close ( $ Conn ); // close the connection
echo "<HR>" ;
echo "current statement:" ;
echo $ SQL ;
>?
</ body >
</ HTML>
Found to be quoted addslashes function:
A single or double quotes escaped directly, where the string is injected into the substantially gg. Gone.
addslashes questions:
addslashes 00% will be converted into \ 0
will addslashes single quote ( ') into \'
Because of the use str_replace function, then the input will replace 00% 'is automatically added addslashes function \ 0 \', then we match 0, it becomes a \\ 'again converted \' single quotation marks successful escape.
<?php echo str_replace("0","","\0\'") ?>
\0\'就是我们输入的%00'
会输出:
那么知道了原理根据上面的php代码构造合适的sql语句绕过addslashes过滤
单引号成功逃逸,这里不能用单引号闭合了,后门闭合会被过滤那么直接:
返回真:
返回假
那么想出数据就很方便。这里不演示了常规语句就行了。
模拟环境没啥意思,去网上找了个别人的代码审计文章,找到了一个雨牛挖的cmseasy的str_replace绕过注入的真实案例
2014年的漏洞,cmseasy相关版本网上已经找不到了,我改写了个cmseasy,方便测试这个replace注入:
cmseasy环境下载:链接:https://pan.baidu.com/s/1w-knpeOp8D4AuWe3N5U1vA 密码:jk1a
存在问题的目录lib/plugins/pay/alipay.php
第87行用了str_replace替换
替换后的内容赋值给了$order_sn
往下看发现调用了check_money函数,跟踪下这个函数查看内部实现:
uploads/lib/table/pay.php
先是赋值然后调用了getrow函数,跟进去看看:
uploads/lib/inc/table.php
condition没有啥数据库操作后跟下面那个函数,跟踪下rec_select_one:
还在table.php文件下:
跟下sql_select函数:
被带入数据库查询:
默认echo $sql;是被注释的,解除注释方便查看sql语句:
因为str_replace的缘故,可以被绕过进行sql注入:
去除注释符,构造poc:
http://localhost/CmsEasy/uploads/index.php/?case=archive&act=respond&code=alipay&trade_status=WAIT_SELLER_SEND_GOODS
POST:out_trade_no=11111%00'&subject=0
sql语句报错存在sql注入
那么修复方案是什么呢?
回到刚开始的alipay.php
第79行
正则匹配下\'
然后再次访问:
直接跳转了不再停留了。
修复方案:
function respond() {
if (!empty($_POST)) {
foreach($_POST as $key =>$data) {
if(preg_match('/(=|<|>|\')/', $data)){
return false;
}
$_GET[$key] = $data;
}
}
参考文章:https://wizardforcel.gitbooks.io/php-common-vulnerability/content/23.html