Red Team PHP-Audit-Labs Code Audit Practice, Day 12
Link: https://github.com/hongriSec/PHP-Audit-Labs
Interested readers can go there to practice.
Prior knowledge:
The challenge titles come from the PHP SECURITY 2017 CALENDAR.
Day 12 - String Lights; the code is as follows:
```php
<?php
// Day 12 - String Lights (vulnerable code as given in the challenge)

$sanitized = [];

// Only the values are cast to int; the keys are copied through untouched.
foreach ($_GET as $key => $value) {
    $sanitized[$key] = intval($value);
}

$queryParts = array_map(function ($key, $value) {
    return $key . '=' . $value;
}, array_keys($sanitized), array_values($sanitized));

$query = implode('&', $queryParts);

// The href attribute is delimited by single quotes, but htmlentities() is
// called with its default flags, which do not convert single quotes.
echo "<a href='/images/size.php?" .
    htmlentities($query) . "'>link</a>";
```
Vulnerability Analysis:
From the title we should be looking for an XSS vulnerability, and the trigger point should be lines 13-14 of the code (the echo statement), which directly output an HTML <a> tag. Lines 3-5 (the foreach loop) process the incoming $_GET parameters, but there is a problem: line 4 forces $value to an int type, yet this only handles the $value variable and does nothing with $key. After the foreach on lines 3-5, the keys and values are joined with the & symbol and spliced into the echo statement on line 13, where the output is processed by the htmlentities function. The main purpose of htmlentities is to encode certain special characters as HTML entities.
Defined as follows:
htmlentities() function
Features: the htmlentities() function converts characters to HTML entities.
Definition:
htmlentities(string,flags,character-set,double_encode)
Description:

parameter | description
---|---
string | Required. Specifies the string to be converted.
flags | Optional. Specifies how to handle quotes and invalid encoding, and which document type to use.
character-set | Optional. A string that specifies the character set to be used.
double_encode | Optional. A Boolean value that specifies whether existing HTML entities should be encoded again.

The quote-related flag values are:
- ENT_COMPAT (default): only double quotes are converted.
- ENT_QUOTES: both kinds of quotation marks are converted.
- ENT_NOQUOTES: neither kind of quotation mark is converted.
(ENT_COMPAT is the default up to PHP 8.0; since PHP 8.1 the default flags include ENT_QUOTES.)

Example: the original post showed a table of useful HTML character entities here.
After the analysis above, we return to the challenge and think about how to construct an attack payload. Let's sort out the known information:
- the $query parameter is controllable;
- the htmlentities function does not escape single quotes here (the default ENT_COMPAT converts only double quotes);
- the XSS trigger point is inside the <a> tag.
Inside the <a> tag we can execute JavaScript code through a JavaScript event handler, such as an onclick event, so the final POC is constructed as follows:
http://10.211.55.2:100/day12/xss.php?a=a'onclick%3dalert(1)%2f%2f=c
Case Analysis:
The case study analyses the SQL injection vulnerability in DM Build Your System v201710.
The vulnerability POCs, security tools and procedures (methods) provided on this site may be offensive in nature and are for security research and teaching purposes only; use them at your own risk!
Vulnerability Analysis:
First, from the CNVD entry above we can see some relevant information, as follows:
From the vulnerability announcement we can gather some useful details: the vulnerability is located at the login, and the back-end login entry is at the file admindm-yourname/g.php. Opening this file, we find that it redirects to admindm-yournamemod_common/login.php, so the vulnerability should be triggered in that file.
Open admindm-yournamemod_common/login.php and the vulnerable spot is visible at a glance; the relevant part of the code is excerpted below (shown as a screenshot in the original post):
Line 15 clearly contains a SQL injection vulnerability: the value is concatenated directly into the select statement. The $user variable on line 15 is submitted via POST, so its value is controllable. However, line 3 in the screenshot above calls the htmlentitiesdm function to process the POST data, so we follow that function. It is located in the file component/dm-config/global.common.php; the key code is excerpted below:
This function calls htmlentities to process the input data. We introduced the usage of that function earlier; here its optional flags parameter is ENT_NOQUOTES, which means neither kind of quote is converted. Let's look at a small example:
My guess is that the developer was thinking about xss, but the flag chosen for the htmlentities function was off, which allows us to introduce a single quote and cause the injection.
Let's see how the latest version fixes it, using Beyond Compare to diff the code of the two versions.
The new version changes the optional parameter to ENT_QUOTES, whose effect is to convert both single and double quotes; the example below makes the effect of this parameter easy to understand.
Exploitation:
Because there is no output echo, this is a blind injection; the verification screenshot follows:
Remediation:
When using the htmlentities function, we recommend always passing the optional flags parameter and choosing ENT_QUOTES.
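As an added example, not code from the original post or from PHP-Audit-Labs, the script below builds the Day 12 link from one constructed parameter array under ENT_NOQUOTES, ENT_COMPAT and ENT_QUOTES, and beside it a hardened variant (an assumption, not the calendar's or DM's official fix) that URL-encodes keys as well as values before escaping the attribute; it ties the Day 12 analysis to the remediation above by showing which flag lets a quote in a key close the href attribute.

```php
<?php
// Added example (not from the original post or PHP-Audit-Labs): builds the
// Day 12 link from a constructed parameter array under three flag values
// and beside it a hardened variant.

function buildQuery(array $params)
{
    // Same logic as the Day 12 code: only values pass through intval(),
    // keys are copied through untouched.
    $sanitized = [];
    foreach ($params as $key => $value) {
        $sanitized[$key] = intval($value);
    }
    return implode('&', array_map(function ($k, $v) {
        return $k . '=' . $v;
    }, array_keys($sanitized), array_values($sanitized)));
}

function renderLink(array $params, $flags)
{
    // The attribute is delimited by single quotes, so the flags decide whether
    // a quote inside a key can close it.
    return "<a href='/images/size.php?" . htmlentities(buildQuery($params), $flags) . "'>link</a>";
}

function renderLinkHardened(array $params)
{
    // Hardened form (assumption, not the official fix): cast the values,
    // URL-encode keys and values with http_build_query(), then escape the
    // attribute with ENT_QUOTES so neither kind of quote can break out.
    $sanitized = [];
    foreach ($params as $key => $value) {
        $sanitized[$key] = intval($value);
    }
    $query = http_build_query($sanitized);
    return "<a href='/images/size.php?" . htmlentities($query, ENT_QUOTES, 'UTF-8') . "'>link</a>";
}

// Constructed input: the key carries the quote and event handler, the value is harmless.
$input = ["a'onclick=alert(1)//" => 'c', 'w' => '300'];
$flagNames = [ENT_NOQUOTES => 'ENT_NOQUOTES', ENT_COMPAT => 'ENT_COMPAT', ENT_QUOTES => 'ENT_QUOTES'];
foreach ($flagNames as $flags => $name) {
    $html = renderLink($input, $flags);
    $broken = strpos($html, "'onclick") !== false ? 'yes' : 'no';
    printf("%-12s attribute broken out of: %s\n  %s\n", $name, $broken, $html);
}
$html = renderLinkHardened($input);
$broken = strpos($html, "'onclick") !== false ? 'yes' : 'no';
printf("%-12s attribute broken out of: %s\n  %s\n", 'hardened', $broken, $html);
```

With ENT_NOQUOTES and ENT_COMPAT the raw single quote survives and the attribute is closed early; with ENT_QUOTES it is emitted as an entity, and the hardened variant additionally percent-encodes the key so the `=` and `/` characters no longer reach the attribute unencoded.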
Let's look at the comparison result:
Conclusion
Thanks again to the HongRi Team (红日团队).