审计4 XSS

Posted 2020-10-02 一手重锤

在sys/libphp中

 1 function get_client_ip(){
 2     if ($_SERVER["HTTP_CLIENT_IP"] && strcasecmp($_SERVER["HTTP_CLIENT_IP"], "unknown")){
 3         $ip = $_SERVER["HTTP_CLIENT_IP"];
 4     }else if ($_SERVER["HTTP_X_FORWARDED_FOR"] && strcasecmp($_SERVER["HTTP_X_FORWARDED_FOR"], "unknown")){
 5         $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
 6     }else if ($_SERVER["REMOTE_ADDR"] && strcasecmp($_SERVER["REMOTE_ADDR"], "unknown")){
 7         $ip = $_SERVER["REMOTE_ADDR"];
 8     }else if (isset($_SERVER[‘REMOTE_ADDR‘]) && $_SERVER[‘REMOTE_ADDR‘] && strcasecmp($_SERVER[‘REMOTE_ADDR‘], "unknown")){
 9         $ip = $_SERVER[‘REMOTE_ADDR‘];
10     }else{
11         $ip = "unknown";
12     }
13     return($ip);
14 }

在代码段中发现服务器在$_SERVER["HTTP_CLIENT_IP"] 中获取了客户端的ip，然后搜索这个自定义的函数 get_client_ip()看获取iP后，有没有对ip进行过滤。直接将其

带入了数据库，并更新数据库!

 1 <?php
 2 include_once(‘../sys/config.php‘);
 3 
 4 if (isset($_POST[‘submit‘]) && !empty($_POST[‘user‘]) && !empty($_POST[‘pass‘])) {
 5     $clean_name = clean_input($_POST[‘user‘]);
 6     $clean_pass = clean_input($_POST[‘pass‘]);
 7     $query = "SELECT * FROM users WHERE user_name = ‘$clean_name‘ AND user_pass = SHA(‘$clean_pass‘)";
 8     $data = mysql_query($query, $conn) or die(‘Error!!‘);
 9 
10     if (mysql_num_rows($data) == 1) {
11         $row = mysql_fetch_array($data);
12         $_SESSION[‘username‘] = $row[‘user_name‘];
13         $_SESSION[‘avatar‘] = $row[‘user_avatar‘];
14         $ip = sqlwaf(get_client_ip());
15         $query = "UPDATE users SET login_ip = ‘$ip‘ WHERE user_id = ‘$row[user_id]‘";
16         mysql_query($query, $conn) or die("updata error!");
17         header(‘Location: user.php‘);
18         }
19     else {
20         $_SESSION[‘error_info‘] = ‘用户名或密码错误‘;
21         header(‘Location: login.php‘);
22     }
23     mysql_close($conn);
24 }
25 else {
26     not_find($_SERVER[‘PHP_SELF‘]);
27 }
28 ?>

在14行发现只是用sqlwaf()函数对获取的ip进行了过滤。而sqlwaf在前面已经看过只是对sql语句进行了转移，而没有对xss的实体字符进行转义