
Please help analyze this PHP code

WBOY (original), 2016-06-06 20:29:32, 1269 views

<code><?php @session_start();                           // Start a new Session, if not already created (tracking later?)
  @set_time_limit(0);                         // May run long at times, remove time limits on script execution time
  $sess = session_id();                       // Current Session ID, use tbd...

  if($_SESSION['authenticated'] != true) {
    header("Location: /sqlmap/admin/login.php");
  }

  // Establish Admin ID to manage tasks
  if((isset($_POST['myAdminID'])) && (strlen(trim($_POST['myAdminID'])) == 32)) {
    $_SESSION['myAdminID'] = trim($_POST['myAdminID']);
  }

  include("../inc/config.php");
  include("../inc/SQLMAPClientAPI.class.php");

  $salt = "!SQL!";                            // Salt for form token hash generation
  $token = sha1(mt_rand(1, 1000000) . $salt); // Generate CSRF Token Hash
  $_SESSION['token'] = $token;                // Set CSRF Token for Form Submit Verification

  $taskConfig = array();
  if(isset($_SESSION['myAdminID'])) { 
    $sqlmap = new SQLMAPClientAPI();

    if((isset($_GET['task'])) && (trim($_GET['task']) != "")) {
      $actionTaskId = trim($_GET['task']);
      if(isset($_GET['action'])) {
        switch(trim($_GET['action'])) {
          case "conf": // Show Config for specified Task ID
            $taskConfig = $sqlmap->listOptions($actionTaskId); // We will actually store it for use in a second...
            break;

          case "stop": // Stop a specified running Task ID
            $sqlmap->stopScan($actionTaskId);
            break;

          case "kill": // Forcefully Kill a specified running Task ID
            $sqlmap->killScan($actionTaskId);
            break;

          case "del": // Delete a specified running Task ID
            $sqlmap->deleteTaskID($actionTaskId);
            break;

          default: // Do Nothing if nothing is specified...
            break;
        }
      }
    }
  }
?>
<html>
  <head>
    <title id="ttl">SQLMAP Web GUI - Admin Panel</title>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="stylesheet" href="/sqlmap/css/bootstrap.min.css">
    <link rel="stylesheet" href="/sqlmap/css/css.css">
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
    <script src="/sqlmap/js/bootstrap.min.js"></script>
    <script src="/sqlmap/js/sqlmap.js"></script>
  </head>
  <body>
    <br>

<?php /*
    Need ability to set Admin level taskID
      Need ability to change during session if desired (reboot/restarts)

    Admin Functionality Needed:
      List all available tasks
      List Configuration Options for Task by Task ID
      Stop scan by Task ID
      Kill scan by task ID
      Delete task by task ID
      Delete ALL tasks
  */

  echo "<h1 align=\"center\">SQLMAP Web GUI - Admin Panel";
  if(isset($_SESSION['myAdminID'])) { 
    $taskList = $sqlmap->adminListTasks(trim($_SESSION['myAdminID']));
    if(!$taskList) {
?>

    <br>
    <div class="container">
      <div class="row">
        <div class="col-md-3"></div>
        <div class="col-md-6">
          <div class="epic_fail">[WARNING] '<?php echo htmlentities(trim($_SESSION['myAdminID']), ENT_QUOTES, 'UTF-8'); ?>' - Appears to be an Invalid Admin ID!</div>
<br>
          <form class="form-horizontal" role="form" id="myAdminID" action="/sqlmap/admin/index.php" method="POST">
            <input type="hidden" name="token" value="<?php echo $token; ?>"> 
            <input type="text" name="myAdminID" class="form-control" placeholder="78203fa6630db256fcd7f57ea8420eb8" required autofocus><br>
            <input type="submit" class="btn" name="submit" value="Set Admin ID">
          </form>
<br>
        </div>
        <div class="col-md-3"></div>
      </div>
    </div>

<?php } else {
?>
    <br>
    <div class="container">
      <div class="row">
        <div class="col-md-3"></div>
        <div class="col-md-6">
          <div class="adminIdDisplay" id="adminIdDisplay" align="center">
            <h4>
              <b>Admin ID:</b> <?php echo htmlentities(trim($_SESSION['myAdminID']), ENT_QUOTES, 'UTF-8'); ?><br>
              <b>Total Number of Known Tasks:</b> <?php echo htmlentities($taskList['tasks_num'], ENT_QUOTES, 'UTF-8'); ?><br>
            </h4>
            <br><br>

            <div class="adminTasksDisplay" id="adminTasksDisplay">
              <div class="row">
                <div class="col-md-2"></div>
                <div class="col-md-8">
                  <?php if((isset($_GET['task'])) && (isset($_GET['action'])) && (trim($_GET['action']) == "conf")) {
                    echo '<br /><br>';
                    echo '<label for="results_textarea">ScanID: ' . htmlentities(trim($_GET['task']), ENT_QUOTES, 'UTF-8') . ', API Scan Configuration</label>';
                    echo '<textarea class="form-control" id="task_configuration_textarea" rows="20">';
                    echo "[*] API Scan Configuration:\n";
                    // print_r() accepts at most two arguments and htmlentities() takes a string, so the nesting was inverted: render the options array to a string first, then escape it for the textarea
                    echo htmlentities(print_r($sqlmap->listOptions(trim($_GET['task']))['options'], true), ENT_QUOTES, 'UTF-8');
                    echo '</textarea><br>';
                  } else {
                  ?>
                    <table class="table table-hover" id="adminTasksDisplayTable">
                      <thead>
                        <tr>
                          <th>TaskID</th>
                          <th>Target</th>
                          <th>Status</th>
                          <th colspan="5">Options</th>
                        </tr>
                      </thead>
                      <tbody>
                      <?php foreach($taskList['tasks'] as $t) {
                          $status = $sqlmap->checkScanStatus($t);
                          $taskConfig = $sqlmap->listOptions($t);
                          echo "<tr>";
                            echo "<td>";
                            echo htmlentities($t, ENT_QUOTES, 'UTF-8');
                            echo "</td>";
                            if(sizeof($taskConfig) > 0) {
                              $targetHost = parse_url($taskConfig['options']['url'], PHP_URL_HOST);
                              echo "<td>" . htmlentities($targetHost, ENT_QUOTES, 'UTF-8') . "</td>";
                            } else {
                              echo "<td> - </td>";
                            }
                            if(isset($status['status'])) {
                              echo "<td>" . htmlentities($status['status'], ENT_QUOTES, 'UTF-8') . "</td>";
                            } else {
                              echo "<td> - </td>";
                            }
                            echo "<td> <a href=\"/sqlmap/admin/index.php?task=" . htmlentities($t, ENT_QUOTES, 'UTF-8') . "&action=conf\" target=\"_blank\">Conf</a> </td>";
                            if(isset($status['status']) && $status['status'] == 'running') {
                              echo "<td> <a href=\"/sqlmap/admin/index.php?task=" . htmlentities($t, ENT_QUOTES, 'UTF-8') . "&action=stop\">Stop</a> </td>";
                              echo "<td> <a href=\"/sqlmap/admin/index.php?task=" . htmlentities($t, ENT_QUOTES, 'UTF-8') . "&action=kill\">Kill</a> </td>";
                            } else {
                              echo "<td> - </td>";
                              echo "<td> - </td>";
                            }
                            echo "<td> <a href=\"/sqlmap/admin/index.php?task=" . htmlentities($t, ENT_QUOTES, 'UTF-8') . "&action=del\">Del</a> </td>";
                          echo "</tr>";
                        }
                      ?>
                      </tbody>
                    </table>
                  <?php } ?>
                </div>
                <div class="col-md-2"></div>
              </div>
            </div>

          </div>
        </div>
        <div class="col-md-3"></div>
      </div>
    </div>
<?php }
  } else {

?>
    <br>
    <div class="container">
      <div class="row">
        <div class="col-md-3"></div>
        <div class="col-md-6">
          <div class="epic_fail">[WARNING] NO Admin ID Set!</div>
<br>
          <form class="form-horizontal" role="form" id="myAdminID" action="/sqlmap/admin/index.php" method="POST">
            <input type="hidden" name="token" value="<?php echo $token; ?>"> 
            <input type="text" name="myAdminID" class="form-control" placeholder="78203fa6630db256fcd7f57ea8420eb8" required autofocus><br>
            <input type="submit" class="btn" name="submit" value="Set Admin ID">
          </form>
<br>
        </div>
        <div class="col-md-3"></div>
      </div>
    </div>
<?php }
?>

    <br><br><br>
    <div class="footer" align="center">
        <a href="/sqlmap/admin/logout.php">Logout</a><br>
        Want to learn more about <a href="http://sqlmap.org/" target="_blank">SQLMAP</a>, Visit the <a href="http://sqlmap.org/" target="_blank">Project Page!</a><br>
        SQLMAP Web Operator Copyright © 2015, Coded By: HR, All rights reserved.<br>
    </div>
    <br><br>
  </body>
</html></code>

This is the code of the backend login home page (index.php); the account and password are hard-coded in config.php as admin, admin. Now, after logging in to the backend, it shows [WARNING] NO Admin ID Set! and then has me enter a string of ciphertext (a token); the token ciphertext seems to be

<code>  $salt = "!SQL!";                            // Salt for form token hash generation
  $token = sha1(mt_rand(1, 1000000) . $salt); // Generate CSRF Token Hash
  $_SESSION['token'] = $token;                // Set CSRF Token for Form Submit Verification</code>

that is, the sha1 hash of a number from 1 to 1000000 plus the SALT, and then in

<code>          <div class="epic_fail">[WARNING] NO Admin ID Set!</div>
<br>
          <form class="form-horizontal" role="form" id="myAdminID" action="/sqlmap/admin/index.php" method="POST">
            <input type="hidden" name="token" value="<?php echo $token; ?>"> </form></code>

I saw the statement that outputs the token; after viewing the page source in the front end, I entered that ciphertext, but it still doesn't work. Please help: how do I get past this? Thanks!!

Reply:

You pass myAdminID via POST, but the problem is: how is the myAdminID you typed in supposed to be generated in the first place?

That token is for preventing CSRF; it is not used to generate myAdminID. As for how myAdminID should be generated, you should look at this piece of code:

<code>$sqlmap->adminListTasks(trim($_SESSION['myAdminID']));</code>
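The reply above is right that the hidden field is a CSRF token and has nothing to do with the Admin ID: the Admin ID is not produced by this page at all, it is the admin token that the sqlmap API server (sqlmapapi.py) prints on its console when it starts, and index.php only forwards whatever was typed to adminListTasks(). Three things in the posted index.php are worth fixing from a defensive point of view: the token is regenerated on every request from sha1(mt_rand(1, 1000000) . $salt), so it has at most about a million possible values and is never actually compared against $_POST['token'] on submit; the redirect for unauthenticated users is not followed by exit, so the rest of the script still runs; and stop/kill/del are triggered by plain GET links, which any cross-site page can cause a logged-in browser to request. The following is an added example, not code from the question or from the sqlmap Web GUI project, showing a hardened version of that session, token and Admin-ID handling. The function names (csrfToken, csrfTokenValid, adminIdValid, handleAdminIdPost) are my own, and the 32-hex-character format for the Admin ID is inferred from the form placeholder and the strlen(...) == 32 check on the page.

```php
<?php
// Added example (hypothetical hardening of the index.php above, not the project's code).
declare(strict_types=1);

session_start();

// 1. Unauthenticated users must not reach the rest of the script. The original
//    sends the Location header but keeps executing, so the POST handler below
//    would still run for them; exit immediately after the redirect.
if (empty($_SESSION['authenticated'])) {
    header('Location: /sqlmap/admin/login.php');
    exit;
}

// 2. One CSRF token per session, from a CSPRNG. The original recomputes
//    sha1(mt_rand(1, 1000000) . $salt) on every request, which is both
//    guessable (about 1e6 values) and overwritten each time the page renders.
function csrfToken(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

// 3. The hidden "token" field has to be checked on submit. The original only
//    stores it in the session and never compares it; compare in constant time.
function csrfTokenValid(array $post, array $session): bool
{
    return isset($post['token'], $session['token'])
        && is_string($post['token'])
        && hash_equals($session['token'], $post['token']);
}

// 4. The Admin ID issued by the sqlmap API server is a 32-hex-digit value
//    (the form placeholder shows one); check the character class, not just length.
function adminIdValid(string $id): bool
{
    return preg_match('/\A[0-9a-f]{32}\z/', $id) === 1;
}

// 5. Accept a new Admin ID only from a CSRF-checked POST that passes validation.
//    Returns the accepted ID, or null if the submission is rejected.
function handleAdminIdPost(array $post, array &$session): ?string
{
    if (!csrfTokenValid($post, $session)) {
        return null;                       // missing or mismatched token
    }
    $id = isset($post['myAdminID']) && is_string($post['myAdminID'])
        ? trim($post['myAdminID']) : '';
    if (!adminIdValid($id)) {
        return null;
    }
    $session['myAdminID'] = $id;
    return $id;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    handleAdminIdPost($_POST, $_SESSION);
}

// 6. stop/kill/del change server state, so they must not be reachable through a
//    bare GET link; require a POST carrying the session token before calling
//    $sqlmap->stopScan() / killScan() / deleteTaskID() as the page does.
$mutatingActions = ['stop', 'kill', 'del'];
$action = isset($_GET['action']) ? trim((string) $_GET['action']) : '';
if (in_array($action, $mutatingActions, true)) {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrfTokenValid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('State-changing actions require a POST with a valid token.');
    }
    // ... dispatch to the sqlmap client API here, as in the original switch ...
}

$token = csrfToken();
?>
<form class="form-horizontal" role="form" action="/sqlmap/admin/index.php" method="POST">
  <input type="hidden" name="token" value="<?php echo htmlentities($token, ENT_QUOTES, 'UTF-8'); ?>">
  <input type="text" name="myAdminID" class="form-control" placeholder="32 hex characters" required autofocus>
  <input type="submit" class="btn" name="submit" value="Set Admin ID">
</form>
```

With this in place the token in the page source is useless to anyone who did not already hold the session cookie, which is exactly the property a CSRF token is meant to have, and the only thing adminListTasks() will ever receive is a well-formed Admin ID that the sqlmap API server itself can accept or reject.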