[Vulnerability reproduction] Day12 - SQL injection in DM企业建站系统 v201710 [CNVD-2017-34212]

This is Day12 of my practice run through the 红日安全 (hongriSec) team's PHP-Audit-Labs code audit series.
Link: https://github.com/hongriSec/PHP-Audit-Labs
Interested readers can go and work through the exercises themselves.
Prerequisite knowledge:
The topics are taken from the PHP SECURITY CALENDAR 2017.
Day 12 - String Lights; the code is as follows:

$sanitized = [];

foreach ($_GET as $key => $value) {
  $sanitized[$key] = intval($value);
}

$queryParts = array_map(function ($key, $value) {
  return $key . '=' . $value;
}, array_keys($sanitized), array_values($sanitized));

$query = implode('&', $queryParts);

echo "<a href='/images/size.php?" .
  htmlentities($query) . "'>link</a>";

Vulnerability analysis:
Judging from the title, this is an XSS exercise, and the trigger point should be the echo statement at the end of the code, which outputs an HTML <a> tag directly. The foreach loop processes every parameter that arrives in $_GET, but only half-way: intval() forces each $value to an integer, while $key is not touched at all. After the loop the pairs are joined with '=' and '&', spliced into the echo statement, and passed through htmlentities() on output. htmlentities() encodes certain special characters as HTML entities.
Its definition is as follows:

htmlentities() function

Purpose:

htmlentities() converts characters to HTML entities.

Syntax:

htmlentities(string, flags, character-set, double_encode)

Parameters:
string: required. The string to be converted.
flags: optional. Specifies how quotes, invalid code unit sequences and the document type are handled. The quote-related values are:
  • ENT_COMPAT (the default before PHP 8.1; from PHP 8.1 the default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401): convert double quotes only.
  • ENT_QUOTES: convert both double and single quotes.
  • ENT_NOQUOTES: convert neither kind of quote.
character-set: optional. A string naming the character set to use.
double_encode: optional. A Boolean; when false, existing HTML entities in the input are not encoded a second time (default true).

Example:

[screenshot: htmlentities() example]
A useful reference table of HTML character entities:
[table of HTML character entities]
With the analysis above in mind, let's go back to the exercise and think about how to construct an attack payload. What we know so far:

  • The $query string is attacker-controlled through the parameter names, which are never sanitized.
  • htmlentities() with its default flags (ENT_COMPAT, before PHP 8.1) does not escape single quotes, and the href attribute is delimited by single quotes.
  • The XSS trigger point is inside the <a> tag.

Inside the <a> tag we can use a JavaScript event attribute such as onclick to execute JS. Because only the values are passed through intval(), the payload has to live in the parameter name, not the value; the final PoC is:

http://10.211.55.2:100/day12/xss.php?a'onclick%3dalert(1)%2f%2f=c

The parameter name a'onclick=alert(1)// closes the href attribute and starts an onclick attribute; the value c becomes 0 after intval(), and the trailing // comments out the =0' that is left over in the rendered attribute. The rendered tag is <a href='/images/size.php?a'onclick=alert(1)//=0'>link</a>.

[screenshot: the PoC triggering alert(1)]
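The following is an added example, not code from PHP-Audit-Labs or the PHP Security Calendar: the Day 12 link builder placed next to a hardened version, with the request simulated through parse_str() so it runs from the command line instead of a web server. The key whitelist (w, h) and the second parameter w=640 are assumptions about what /images/size.php expects; they are not part of the exercise.

```php
<?php
// Added example (not code from PHP-Audit-Labs or the calendar): the Day 12
// link builder next to a hardened version, run from the CLI with a
// constructed query string instead of a live request.

// Vulnerable builder: values go through intval(), keys do not.
function build_link_vulnerable(array $get): string
{
    $sanitized = [];
    foreach ($get as $key => $value) {
        $sanitized[$key] = intval($value);
    }
    $queryParts = array_map(function ($key, $value) {
        return $key . '=' . $value;
    }, array_keys($sanitized), array_values($sanitized));
    $query = implode('&', $queryParts);
    // ENT_COMPAT (the default before PHP 8.1) leaves the single quote alone,
    // so a key containing ' closes the single-quoted href attribute.
    return "<a href='/images/size.php?" . htmlentities($query, ENT_COMPAT) . "'>link</a>";
}

// Hardened builder: whitelist the keys, let http_build_query() percent-encode
// whatever is left, and escape with ENT_QUOTES so neither quote can end the
// attribute. The key whitelist is an assumption about size.php's interface.
function build_link_fixed(array $get): string
{
    $allowed = ['w', 'h'];
    $sanitized = [];
    foreach ($get as $key => $value) {
        if (in_array($key, $allowed, true)) {
            $sanitized[$key] = intval($value);
        }
    }
    $query = http_build_query($sanitized);
    return "<a href='/images/size.php?" . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . "'>link</a>";
}

// Constructed input: the raw query string an attacker would send. parse_str()
// applies the same rules PHP uses to populate $_GET, so the payload lands in
// the parameter *name*; the value "c" is what intval() turns into 0.
$rawQuery = "a'onclick%3dalert(1)%2f%2f=c&w=640";
parse_str($rawQuery, $get);

echo build_link_vulnerable($get), PHP_EOL;
// <a href='/images/size.php?a'onclick=alert(1)//=0&amp;w=640'>link</a>
echo build_link_fixed($get), PHP_EOL;
// <a href='/images/size.php?w=640'>link</a>
```

Run it with php day12.php. The vulnerable output is exactly the attribute break the PoC relies on: the browser reads href='/images/size.php?a', then an unquoted onclick attribute whose value starts with alert(1). ENT_COMPAT is passed explicitly because PHP 8.1 changed the default flags to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, which would already turn the quote into &#039; and mask the bug.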

Case analysis:

In this case study we analyze the SQL injection vulnerability in DM企业建站系统 v201710.

The vulnerability PoC and tools provided here may be capable of attacks; they are for security research and teaching only, use at your own risk!

Vulnerability analysis:

First, the CNVD entry gives us some useful information:
[screenshot: CNVD-2017-34212 entry]
The advisory tells us that the vulnerability is at the login. In this site-builder the back-end login entry is the file admindm-yourname/g.php.
[screenshot: admindm-yourname/g.php]
Opening that file shows a redirect to admindm-yournamemod_common/login.php, so the vulnerability should be triggered in that file.

Opening admindm-yournamemod_common/login.php, the vulnerable spot is visible at a glance. The relevant part of the code (screenshot in the original post):
[screenshot: login.php excerpt]
Line 15 of the excerpt is an obvious SQL injection: the value is concatenated straight into the SELECT statement. The $user variable on that line comes from a POST request, so its value is attacker-controlled. However, line 3 of the excerpt calls htmlentitiesdm() on the POST data, so we follow that function. It lives in component/dm-config/global.common.php; the key code:
[screenshot: htmlentitiesdm() in global.common.php]
The function processes its input with htmlentities(). We covered this function above: here the optional flag is ENT_NOQUOTES, meaning neither kind of quote is converted. A small example:
[screenshot: htmlentities() with ENT_NOQUOTES]
My guess is that the developer was thinking about XSS but chose the wrong flag for htmlentities(), so a single quote passes straight through and causes the injection.

Let's see how the latest version fixes it, using Beyond Compare to diff the two versions.
[screenshot: Beyond Compare diff of global.common.php]
The new version changes the flag to ENT_QUOTES, which converts both single and double quotes into entities (&#039; and &quot;), so a quote can no longer terminate the SQL string literal. The example below makes the effect of the flag easy to see.
[screenshot: htmlentities() with ENT_QUOTES]

Exploitation:

The query result is not echoed back, so this is a blind injection. Verification screenshot:
[screenshot: blind injection verification]
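The added example below is not the DM企业建站系统 code. It is a stand-in for the login's htmlentitiesdm() wrapper and concatenated SELECT (the table dm_admin, its columns and the query text are assumptions), run against an in-memory SQLite database through PDO (requires the pdo_sqlite extension). It covers the three points above in one run: the shipped ENT_NOQUOTES flag, the ENT_QUOTES patch, and the boolean-blind true/false check used for verification, with a prepared statement as the reference fix.

```php
<?php
// Added example (not the DM企业建站系统 code): a stand-in for the login's
// htmlentitiesdm() wrapper and SELECT, run against an in-memory SQLite table
// so the effect of each htmlentities() flag can be observed without the product.
// Table name, column names and the exact query text are assumptions.

function htmlentitiesdm_like(string $s, int $flags): string
{
    return htmlentities($s, $flags, 'UTF-8');
}

// Vulnerable pattern: the (supposedly sanitized) username is concatenated
// into the statement, exactly the shape described for login.php.
function count_login_rows(PDO $db, string $user, int $flags): int
{
    $user = htmlentitiesdm_like($user, $flags);
    $sql  = "SELECT COUNT(*) FROM dm_admin WHERE username = '$user'";
    return (int) $db->query($sql)->fetchColumn();
}

// Proper fix: a prepared statement; the quote is data, never SQL.
function count_login_rows_prepared(PDO $db, string $user): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM dm_admin WHERE username = :u');
    $stmt->execute([':u' => $user]);
    return (int) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE dm_admin (username TEXT, password TEXT)');
$db->exec("INSERT INTO dm_admin VALUES ('admin', 'x')");

// Constructed boolean-blind probes: one true condition, one false.
// Neither uses < > or &, which ENT_NOQUOTES still turns into entities.
$trueProbe  = "admin' AND '1'='1";
$falseProbe = "admin' AND '1'='2";

// ENT_NOQUOTES (the flag shipped in v201710): quotes survive, injection works.
printf("NOQUOTES true=%d false=%d\n",
    count_login_rows($db, $trueProbe, ENT_NOQUOTES),
    count_login_rows($db, $falseProbe, ENT_NOQUOTES));   // true=1 false=0

// ENT_QUOTES (the patched flag): ' becomes &#039; and the probe is a literal.
printf("QUOTES   true=%d false=%d\n",
    count_login_rows($db, $trueProbe, ENT_QUOTES),
    count_login_rows($db, $falseProbe, ENT_QUOTES));     // true=0 false=0

// Prepared statement: same result as ENT_QUOTES here, and it stays safe even
// where the value is compared without surrounding quotes.
printf("PREPARED true=%d false=%d\n",
    count_login_rows_prepared($db, $trueProbe),
    count_login_rows_prepared($db, $falseProbe));        // true=0 false=0
```

The NOQUOTES line is the blind oracle: the true probe matches the admin row and the false probe does not, which is all an attacker needs to extract data one condition at a time. Two practitioner notes follow from the code. First, ENT_NOQUOTES still encodes <, > and &, so a blind payload against this target has to avoid those characters (BETWEEN, LIKE and != work, 1<2 and && do not). Second, ENT_QUOTES only stops this injection because the value sits inside a single-quoted SQL literal; an integer column compared without quotes would still be injectable, which is why the prepared statement, not the entity encoder, is the real fix.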

Remediation advice:

When using htmlentities(), always pass the flags argument explicitly and choose ENT_QUOTES. Keep in mind, though, that entity encoding is an output encoding for HTML; it only blocks this injection because the value happens to sit inside a single-quoted SQL string literal. The reliable fix for the injection itself is a parameterized query (prepared statement), with ENT_QUOTES retained for the HTML output context.
[screenshot: recommended htmlentities() usage]
Let's look at the before/after comparison:

[screenshot: before/after comparison]

Closing remarks

Thanks again to the 红日团队 (hongriSec).



Source: blog.csdn.net/zhangpen130/article/details/104022862