PHP Code Audit: SQL Injection
<div style="color: black; text-align: left; margin-bottom: 10px;">
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15356393409264a6b4c5410~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839082&x-signature=uXzUbNmY00EuF9uyw%2BMSVnIWvok%3D" style="width: 50%; margin-bottom: 20px;"></div>
<h2 style="color: black; text-align: left; margin-bottom: 10px;"><strong style="color: blue;">0x00: Preface</strong></h2>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">This uses a CMS as the example; I downloaded and installed it today. Since the search function on the home page is prominent, I took a look and found that it has SQL injection with essentially no protection. The CMS is fairly obscure rather than a popular one, so its security is a bit weaker as well, which makes it well suited to audit practice.</p>
<h2 style="color: black; text-align: left; margin-bottom: 10px;"><strong style="color: blue;">0x01: Tracing the code</strong></h2>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">When searching, the URL is /archives/detail.php?name=1. From the URL, the corresponding PHP file is detail.php under archives. Opening that file, its content is as follows:</p>
<?php
// The page does nothing itself; it only includes the real handler.
require_once('include/detail.inc.php');
?>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">There is only one line, which includes detail.inc.php under include. Opening that file and locating the code that receives the search parameter name, the fragment is as follows:</p>
$arrWhere = array();
// The name parameter from the URL is concatenated straight into the condition,
// with no escaping or type check.
$arrWhere[] = "type_title_english = '".$_GET['name']."'";
$strWhere = implode(' AND ', $arrWhere);
$strWhere = ' where '.$strWhere;
$arrInfo = $objWebInit->getInfoWhere($strWhere);
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The code takes the search content directly from $_GET without any protective measure, and once obtained it is concatenated straight into the $strWhere variable, which is the WHERE part of the SQL statement, and then passed to the getInfoWhere function. That is a preliminary indication of SQL injection risk, so next Ctrl+click into that function to inspect it. Its code is as follows:</p>
public function getInfoWhere($strWhere = null, $field = '*', $table = '') {
    try {
        $table = $table ? $table : $this->tablename1;
        // $strWhere is interpolated verbatim; whatever the caller built from
        // $_GET reaches the database unchanged.
        $strSQL = "SELECT $field FROM $table $strWhere";
        $rs = $this->db->query($strSQL);
        $arrData = $rs->fetchall(PDO::FETCH_ASSOC);
        if (!empty($arrData)) $arrData = $this->loadTableFieldG($arrData);
        // Debug switch: echoes the final SQL to the page.
        if ($this->arrGPdoDB) echo $strSQL.'<br><br>';
        return current($arrData);
    } catch (PDOException $e) {
        // The raw driver error is echoed to the client.
        echo 'Failed: '.$e->getMessage().'<br><br>';
    }
}
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">In this function the incoming $strWhere variable is concatenated directly into $strSQL, all the way to SQL execution, so we can confirm that this search function has a SQL injection problem, provided the program uses no global filter or other protective measure.</p>
<h2 style="color: black; text-align: left; margin-bottom: 10px;"><strong style="color: blue;">0x02: Verification</strong></h2>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The code flow shows that the search function has SQL injection. Below it is verified with Burp and sqlmap; the result is as follows:</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15356390741935b73e96143~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839082&x-signature=nHj43vAzMzOHwa%2BvdZgnbjOV7rI%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">This confirms that the search function has a SQL injection vulnerability.</p>
<h2 style="color: black; text-align: left; margin-bottom: 10px;"><strong style="color: blue;">0x03: Remediation advice</strong></h2>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">In general there are two ways to fix SQL injection. The first is to filter dangerous characters, which are not limited to single and double quotes but include database keywords such as union and sleep. The second is to use prepared statements: the received values are passed through placeholders for the database CRUD operations instead of being concatenated directly into the SQL.</p>
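<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">As an added example (not the CMS's own code), the second approach applied to the flow above: the WHERE clause is built from a column-to-value map, values are bound through PDO placeholders, and table and column names, which cannot be bound, are checked against a whitelist. The class, table and column names other than type_title_english are assumed, and $pdo is assumed to be an existing PDO handle.</p>

```php
<?php
// Added example, not the CMS's code. Replaces the string-concatenated
// getInfoWhere() with a parameterized version. Identifiers (table/column
// names) cannot be bound as parameters, so they are whitelisted instead.
class ArchiveSearch
{
    private const TABLES  = ['archives'];                     // assumed table name
    private const COLUMNS = ['type_title_english', 'type_id']; // assumed filterable columns

    public function __construct(private PDO $db)
    {
        // Native prepared statements: query text and parameters travel separately.
        $this->db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    /**
     * @param array<string,scalar> $conditions column => value, joined with AND
     * @return array<string,mixed>|null first matching row, or null
     */
    public function getInfoWhere(array $conditions, string $table = 'archives'): ?array
    {
        if (!in_array($table, self::TABLES, true)) {
            throw new InvalidArgumentException("unknown table: $table");
        }
        $clauses = [];
        $params  = [];
        foreach ($conditions as $column => $value) {
            if (!in_array($column, self::COLUMNS, true)) {
                throw new InvalidArgumentException("unknown column: $column");
            }
            // The column name comes from the whitelist; the value is a placeholder.
            $clauses[]          = "`$column` = :$column";
            $params[":$column"] = $value;
        }
        $sql = "SELECT * FROM `$table`";
        if ($clauses !== []) {
            $sql .= ' WHERE ' . implode(' AND ', $clauses);
        }
        $stmt = $this->db->prepare($sql);
        $stmt->execute($params);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }
}

// Usage: the value of ?name=... is bound, never spliced into the SQL text.
// $pdo is assumed to be an already-connected PDO instance.
$search  = new ArchiveSearch($pdo);
$arrInfo = $search->getInfoWhere(['type_title_english' => $_GET['name'] ?? '']);
```

<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">With this shape, an input such as a quote followed by additional SQL is treated as the literal string value to compare against, so the injection shown in the audit no longer reaches the query parser; the raw driver error is also no longer echoed to the page.</p>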
</div>