qzmjef 发表于 2024-10-4 15:51:55

PHP代码审计实战思路浅析


    <h2 style="color: black; text-align: left; margin-bottom: 10px;"><strong style="color: blue;">战略性的思考而非战术</strong></h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">针对</span>面向过程写法的程序<span style="color: black;">来讲</span>,最快的审计<span style="color: black;">办法</span>可能时直接丢seay审计系统里,但<span style="color: black;">针对</span>基于mvc模式的程序<span style="color: black;">来讲</span>,你直接丢seay审计系统的话,那不是给自己找麻烦吗?</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">像面向过程写法的程序,<span style="color: black;">能够</span>找下它的公共函数文件有啥<span style="color: black;">能够</span>利用的不,<span style="color: black;">而后</span><span style="color: black;">便是</span>丢seay审计系统。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">而<span style="color: black;">针对</span>基于mvc写法的程序<span style="color: black;">来讲</span>,跟读他的入口文件,<span style="color: black;">认识</span><span style="color: black;">全部</span>程序的运行流程跟目录结构,之后再深入去<span style="color: black;">认识</span>它的核心类库,<span style="color: black;">倘若</span>核心类库存在漏洞的话,那在这套程序中找出个漏洞的<span style="color: black;">期盼</span>那不是<span style="color: black;">通常</span>的大啊!<span style="color: black;">认识</span>了<span style="color: black;">全部</span>框架运行流程后,<span style="color: black;">亦</span>没从核心类库中<span style="color: black;">发掘</span>什么可利用的点的话,<span style="color: black;">此时</span>就<span style="color: black;">能够</span>从功能点入手了(<span style="color: black;">此时</span><span style="color: black;">能够</span>把源码丢进seay源代码审计系统了)。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">一套组合拳打下了后还是没找到漏洞咋办?没事,换套程序继续。<span style="color: black;">倘若</span>换了n套程序都找不出来,那就换个人吧……</p>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;"><strong style="color: blue;">实战环节</strong></h2><span style="color: black;">目的</span>:某开源cms(icms)
    环境:win+phpstudy+sublime<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">大概目录结构长<span style="color: black;">这般</span></p>├── app &nbsp; &nbsp;&nbsp;&nbsp;&nbsp;应用
    ├── cache&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;缓存
    ├── core&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;icms程序入口
    ├── iPHP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;iphp框架文件
    ├── public&nbsp;&nbsp;&nbsp;&nbsp;公共资源
    ├── res &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;用户资源
    └── template&nbsp;&nbsp;模板<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">打开index.php</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/qq5rfBadR3icYZAYQGudNWWicKXMeYHczqFUKiaLheqtUsTTcYicOkXXfPprdT0njhtAzJ3aiacz6GoZbSlhOTUgDqw/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">发掘</span>载入了一个icms.php,<span style="color: black;">而后</span>调用了iCMS::run()<span style="color: black;">办法</span>(<span style="color: black;">倘若</span>你<span style="color: black;">第1</span>反应是以为iCMS.php是个类文件,那你后面的审计估计有点难受。)</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">跟进iCMS.php</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/qq5rfBadR3icYZAYQGudNWWicKXMeYHczqdjEyrpbcqwibNatakaZib09geTOXCs9e0q72v0r4MFZ6JCPpWuR1RzAA/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">该处载入了配置跟框架文件,继续跟进iPHP.php</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/qq5rfBadR3icYZAYQGudNWWicKXMeYHczq79uR9WrdEBI0ictCM0jEh3TWut9oUKZK4rG6icUcfv8IAktpa4BIrfqw/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">载入几个框架文件,<span style="color: black;">而后</span>调用iPHP::bootstrap()<span style="color: black;">办法</span>,这回差不多了,继续跟进iPHP::bootstrap()</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/qq5rfBadR3icYZAYQGudNWWicKXMeYHczqxQKaiaSyTxK8RhZDkuzWQibwMDm4WDgxDsl3KBupwBZzl0ko7lgBd5vg/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">该处做了些环境配置,<span style="color: black;">而后</span><span style="color: black;">便是</span>调用核心的iWAF、iSecurity类来一下全局过滤(iWAF这些先跟),看到这可有有的小伙伴又有疑惑了,iWAF什么时候加载进来了啊?</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">看到48行的splautoloadregister函数了没,再<span style="color: black;">详细</span>点,看到56行那个autoload了没</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/qq5rfBadR3icYZAYQGudNWWicKXMeYHczqboNGIQyr1K7T36mEzaTtKzndZqJuusyBY5ibKxs3sx33cvcOEjvxw1A/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">这<span style="color: black;">亦</span>没看到哪有include、require之类的啊,怎么加载进来的?别急,继续跟进57行的self::auto_require</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/qq5rfBadR3icYZAYQGudNWWicKXMeYHczqicU7Rzmxictast1Sv8GCkprSx9kxocFD1iatUACN5yz8gRNDyeBOtP9ibg/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">没错<span style="color: black;">便是</span>这了,<span style="color: black;">不外</span>代码太长了就不贴了,大概<span style="color: black;">便是</span>判断传来的类名中<span style="color: black;">是不是</span>有Admincp<span style="color: black;">或</span>App,<span style="color: black;">倘若</span><span style="color: black;">无</span>就加载app/xx/xx.class.php,<span style="color: black;">倘若</span>有Admincp则加载app/xx/xx.Admincp.php,<span style="color: black;">倘若</span>有App则加载app/xx/xx.app.php,<span style="color: black;">倘若</span>有Func则加载app/xx/xx.func.php,<span style="color: black;">倘若</span>以上都不满足则去iPHP/core/下找</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/qq5rfBadR3icYZAYQGudNWWicKXMeYHczqNATaYdOmPf44GqZDNPcxCibBSZmdDEicvc0icMew7ptU4eHDibMx9nbVibg/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/qq5rfBadR3icYZAYQGudNWWicKXMeYHczqrnY42MTYnwA6Fia4RFBibibb7VK7B0YzumLBAgHr7ZMUyWUwBaGoLNMYg/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">iPHP::bootstrap()大概<span style="color: black;">晓得</span>它干了什么了,再回头去<span style="color: black;">瞧瞧</span>iCMS::init()</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/qq5rfBadR3icYZAYQGudNWWicKXMeYHczqCfx9T4dO8ibZAqAGaPzbAbaVf2pGv8cicRKByqs49AHS53lLAw3EHFpg/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">大概<span style="color: black;">便是</span>初始化配置信息,继续往回看,跟进iCMS::run()</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/qq5rfBadR3icYZAYQGudNWWicKXMeYHczq0ricPBJQJ8zD9a3qicnbkzcbAPKvPrZlgrcqibsVwGA2mibMUlFtUdbp7A/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">继续跟进iPHP::run</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/qq5rfBadR3icYZAYQGudNWWicKXMeYHczqia8rAxLjhrWoIFu0wRCoMp5Rhr7QFxJgJ27qE95MGUaRMkROaYyQWuQ/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">(代码有点长)大概<span style="color: black;">便是</span>从post或get获取应用名,加载类跟实例化类,调用<span style="color: black;">办法</span>等</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">划重点了(后面会用到),<span style="color: black;">这儿</span>的文件名格式是xx.app.php,类名是xxApp,其实整套程序并不止index.php这一个入口文件,还有admincp.php、user.php等,其中加载的文件名格式跟类名都是不<span style="color: black;">同样</span>的,<span style="color: black;">例如</span>:<span style="color: black;">拜访</span>index.php加载的是xx.app.php的xxApp类,<span style="color: black;">拜访</span>admincp.php加载的xx.admincp.php的xxAdmincp类</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">跟完入口文件后,对<span style="color: black;">全部</span>框架是怎么运行的,都有了个大概的<span style="color: black;">认识</span>,接下来<span style="color: black;">能够</span>去深入<span style="color: black;">认识</span>了</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">我跟啊跟,<span style="color: black;">发掘</span>核心类中的iHttp类的remote<span style="color: black;">办法</span>有点意思,在iPHP/core/iHttp.class.php 130行</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/qq5rfBadR3icYZAYQGudNWWicKXMeYHczqrESTZH8E7jIBI4CNG4SNibMPx1GFTHU4wPv4TkL0EYQngul1DTZrjtA/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/qq5rfBadR3icYZAYQGudNWWicKXMeYHczq57k0HyrLvB78goAmbwgORbeI7wLpAO9ic654Z6DAlA9JIVzUH0vG0tg/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">remote<span style="color: black;">办法</span>封装了curl,用来获取远程页面内容,<span style="color: black;">全部</span><span style="color: black;">办法</span>并<span style="color: black;">无</span>对url进行任何限制或过滤,<span style="color: black;">倘若</span>调用这个<span style="color: black;">办法</span>前<span style="color: black;">亦</span>没用对url进行限制的话,那ssrf就跑不了了</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">全局搜索下看哪调用了这个<span style="color: black;">办法</span>,而remote是个静态<span style="color: black;">办法</span>,调用格式为iHttp::remote,<span style="color: black;">因此</span>直接搜这个就<span style="color: black;">能够</span>了</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/qq5rfBadR3icYZAYQGudNWWicKXMeYHczqjrlhibwSNaRARQ0u9SeMLzcn7SHc9zAO8aDmgBDgAPVbPa110ROMAibA/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">我想找前台的漏洞,so,直接看哪个的文件名格式类似xx.app.php就好啦</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">找啊找,仅<span style="color: black;">发掘</span>前台<span style="color: black;">仅有</span>一处调用了该<span style="color: black;">办法</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/qq5rfBadR3icYZAYQGudNWWicKXMeYHczq2lmbRPTVCB0KNGrJib47hvFa9eRJibq0MzgnWocxutJouG1upvL0mh2g/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">找到之后,跟进去<span style="color: black;">瞧瞧</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/qq5rfBadR3icYZAYQGudNWWicKXMeYHczqNzsvJz0vM5kAS0YGa7ATM2jR5r8lzEic94rtBSQrKwrWQ9doEktv9hg/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">把$avatar传了进去,继续往上翻翻,看有<span style="color: black;">无</span>啥过滤</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/qq5rfBadR3icYZAYQGudNWWicKXMeYHczqmn69hoiaQ212m89rmia12wBmYd82MiaN9obzp5EooiadGiattI6dcYYkETg/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"><span style="color: black;">始终</span>往上翻,只看到这句</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">会不会在iSecurity::escapeStr这做了限制呢?继续跟进去<span style="color: black;">瞧瞧</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/qq5rfBadR3icYZAYQGudNWWicKXMeYHczqABPwvdc3ticDMYuPsd1bTic7ibL6GUpKJBgYXbFAP8dib21hjTLLkX1SDw/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">貌似<span style="color: black;">无</span>对url做限制!!!</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">再往上翻翻,<span style="color: black;">瞧瞧</span>是哪个<span style="color: black;">办法</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/qq5rfBadR3icYZAYQGudNWWicKXMeYHczqlkVB8SJC3XXrA0QhSVeED8WK1wXHfy1JXq3ZvnzVCvfSPDt57o6xbg/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">这回稳了,手动构造数据包</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/qq5rfBadR3icYZAYQGudNWWicKXMeYHczqI2ZWia3BmOK0Gqrku3ia2Ht7YVCQHGn343fqgoeQ4RnU1Fxic7tdPibGtg/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">解释下个字段:</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">secode为验证码,可从http://127.0.0.1/icms/public/api.php?app=public&amp;do=seccode<span style="color: black;">得到</span>,验证码信息存在cookie里,只要cookie不变,验证码就可<span style="color: black;">始终</span>用。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">username跟nickname每次请求都要改变,avatar为传入的url,这个漏洞还有两处有点蛋疼的<span style="color: black;">地区</span>,<span style="color: black;">第1</span>,username跟nickname每次都要改变,<span style="color: black;">况且</span>这些值都是会存进数据库的;第二,<span style="color: black;">这儿</span>的ssrf是没有回显。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">运用</span>dict来举个例子,<span style="color: black;">拜访</span>一个未开启端口时如下</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"><span style="color: black;">拜访</span>一个开启的端口时如下</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">倘若</span><span style="color: black;">以上</span>说的都做完还没<span style="color: black;">发掘</span>漏洞,那<span style="color: black;">能够</span>尝试丢到seay源代码审计系统,<span style="color: black;">或</span><span style="color: black;">按照</span>功能点进行审计,找找<span style="color: black;">规律</span>漏洞</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">倘若</span>做完<span style="color: black;">以上</span>操作后再用软件来辅助,会<span style="color: black;">容易</span>的多,<span style="color: black;">例如</span>,seay源代码审计系统扫出来如下</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">拿第二条距离,漏洞描述是referer伪造会<span style="color: black;">导致</span>sql,点击瞅瞅</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">看到referer先进入了iSecurity::escapeStr,<span style="color: black;">而后</span>再进入iDB::insert,<span style="color: black;">经过</span>前面的审计我<span style="color: black;">晓得</span>iSecurity::escapeStr对单引号等做了过滤,<span style="color: black;">因此</span>普通的sql注入是没<span style="color: black;">期盼</span>了,只能<span style="color: black;">瞧瞧</span>还有<span style="color: black;">无</span>其他方式能结合利用(我记得这是有注入的……)</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">倘若</span>我是一上来就用软件的话,那我<span style="color: black;">此刻</span>可能还在<span style="color: black;">循序渐进</span>的追一个函数,<span style="color: black;">这般</span>会<span style="color: black;">增多</span>不少功夫</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">本文到这就结束了,emmm!</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">*</span><strong style="color: blue;">本文原创作者:wnltc0,本文属FreeBuf原创奖励计划,未经许可禁止转载</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>




1fy07h 发表于 2024-10-10 13:02:37

认真阅读了楼主的帖子,非常有益。

nykek5i 发表于 2024-10-17 22:08:08

楼主发的这篇帖子,我觉得非常有道理。

j8typz 发表于 2024-11-9 03:44:34

这夸赞甜到心里,让我感觉温暖无比。
页: [1]
查看完整版本: PHP代码审计实战思路浅析