大佬 能说一下 上面用的代码审计工具的名字马
最近在secquan看到皮师傅写的代码审计,觉得还阔以,下载源码下来看看,审计了一下午,也发现了几个辣鸡漏洞,写下文章,记录下第一次代码审计。
文件读取(鸡肋)
like.php
位置:data/like.php
关键代码
$fang=$_GET['play'];
$jmfang=base64_decode($fang);
$like=file_get_contents($jmfang);
$likezz="/<ul class='s-guess-list g-clear js-list' data-block='tj-guess' monitor-desc=\"猜你喜欢\">(.*?)<\/ul>/is";
$kikez1="/ <img src=\"(.*?)\" data-src='(.*?)'>
<\/a>
<div class='s-guess-right'>
<p class='title'><a href='(.*?)' data-index=(.*?)>(.*?)<\/a><\/p>
<\/div>
/is";
preg_match_all($likezz, $like,$likearr);
preg_match_all($kikez1, $likearr['1']['0'],$liketitle);
...........略.........
直接传play参数,然后读取
读取文件
可以读取只是没有显示,因为like.php中对于读取的文件会自己进行处理,按一定的格式进行输出。另外皮师傅发现的fenlei.php的文件读取更好,这里就不再说明了。
相同的还有play.php
<?php
error_reporting(0);
$player = base64_decode($_GET['play']);
$tvinfo = file_get_contents($player);
SQL
agent/index.php
<?php
require dirname(__FILE__) . "/dzsck.php";
if($_GET['type']=='Sell' and $_GET['id']!=''){
$cm->query("UPDATE d_kami SET km_sell=1 WHERE km_id ='".$_GET['id']."'");
echo tiao("已复制好,可贴粘。", "index.php");
exit();
}
if($_GET['type']=='close' and $_GET['id']!=''){
$cm->query("UPDATE d_kami SET km_sell=0 WHERE km_id ='".$_GET['id']."'");
echo backs("卡密取消复制成功!");
exit();
}
$cm->query("SELECT * FROM d_adminuser where admin_id='" . $_SESSION["adminid"] . "' order by admin_id asc");
$adminuser = $cm->fetch_array($rs);
$cm->query("SELECT * FROM d_kami where km_uid='" . $_SESSION["adminid"] . "' order by km_type asc");
$mypagesnum = $cm->db_num_rows();
?>
............略...............
可以看到id参数没有任何过滤带入sql语句,盘他,因为这里是代理的功能,所以要先注册一个代理,直接注册就行
Payload:http://192.168.0.100/tuana/agent/index.php?type=Sell&id=123
时间盲注
类似的注入还有
http://192.168.0.100/tuana/agent/index.php?type=close&id=123
XSS
payreturn.php
$orderid = $_GET["orderid"];
//$isql="update d_ddcenter set dd_type=1 where dd_order='".$orderid."'";
//$ddinfo=mysql_query($isql);
//$cm->query("SELECT * FROM d_ddcenter where dd_order='" . $orderid . "'");
//$row = $cm->fetch_array($rs);
//$dd_adminid=$row['dd_adminid'];
echo $orderid;
$cm->query("SELECT * FROM d_ddcenter where dd_order='" . $orderid . "' order by dd_id desc");
$km_number = $cm->fetch_array($rs);
$cm->query("SELECT * FROM d_adminuser where admin_id='" . $km_number["dd_adminid"] . "' ");
$km_number3 = $cm->fetch_array($rs);
if($km_number["dd_vip"]==1){
if( $km_number3['admin_endtime']<time())$ddvip = $cm->query("UPDATE d_adminuser SET admin_endtime=".time()."+2678400,admin_level=1,admin_opentime='".$nowtime."' WHERE admin_id='" . $km_number["dd_adminid"] . "'");
else $ddvip = $cm->query("UPDATE d_adminuser SET admin_endtime=admin_endtime+2678400,admin_level=1,admin_opentime='".$nowtime."' WHERE admin_id='" . $km_number["dd_adminid"] . "'");
}
.............略....................
将传入的orderid参数直接输出,很明显的xss
XSS2
admin/edituser.php
<?php
require dirname(__FILE__) . "/dzsck.php";
if (($_GET["type"] == "edit") && $_POST) {
$date = array("admin_aglevel" => $_POST["admin_aglevel"]);
$updates = $cm->cmupdate($date, "admin_id='" . $_POST["id"] . "'", "d_adminuser");
if($updates)
{echo tiao("修改成功!", "edituser.php?id=" . $_POST["id"]);
exit();
}
else{echo tiao("修改失败,请重新修改!", "edituser.php?id=" . $_POST["id"]);
exit();
}
}
这里POST
的id
没有任何处理就直接输出,看起来是个xss,那就试试
直接插入xss,发现并不行,代码直接变成这样了
<script type='text/javascript'>alert('修改成功!');location.replace('edituser.php?id=<script>alert(/xss/)</script>');</script>
仔细观察,发现edituser.php?id
会把$_POST["id"]
的内容直接连接,并且添加了一些其他的东西);</script>
,像个办法绕过,尝试将POST的内容改成admin_aglevel=1&id=123</script>');<script>alert(/xss/)</script>('
成功xss
文件上传
跟进index.php看看,
<?php
if(is_array($_FILES["upfile"])){
$i=0;
if($_POST['pwd'] != $passwd){
echo '<script>alert("��û��Ȩ��")</script>';
exit;
}
while($i<count($_FILES["upfile"])){
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
if (!is_uploaded_file($_FILES["upfile"][tmp_name][$i]))
//�Ƿ�����ļ�
{
// echo $_FILES["upfile"][tmp_name][$i];
echo "<font color='red'>�ļ�Ԥ����</font>";
exit;
}
// echo $_FILES["upfile"][tmp_name][$i];
$file = $_FILES["upfile"];
if($max_file_size < $file["size"][$i])
//����ļ���С
{
echo "<font color='red'>�ļ�̫��</font>";
exit;
}
if(!in_array($file["type"][$i], $uptypes))
//��������
{
echo "<font color='red'>�����ϴ��������ļ���</font>";
exit;
}
if(!file_exists($destination_folder))
if(!mkdir($destination_folder,0777,true)){
echo "<font color='red'>������Ŀ¼ʧ��,���ֶ�������</a>";
}
$filename=$file["tmp_name"][$i];
$image_size = getimagesize($filename);
$pinfo=pathinfo($file["name"][$i]);
$ftype=$pinfo[extension];
$destination = $destination_folder.$i.time().".".$ftype;
if (file_exists($destination) && $overwrite != true)
{
echo "<font color='red'>ͬ���ļ��Ѿ������ˣ�</a>";
exit;
}
echo $destination;
if(!move_uploaded_file ($filename, $destination))
{
echo "<font color='red'>�ƶ��ļ�����</a>";
exit;
}
$pinfo=pathinfo($destination);
$fname=$pinfo[basename];
这里要注意的是,我们直接上传的话提示输入密码,还好密码就在inc/aik.config.php
里
tu_pass=123456
上传phpinfo试试,很明显,类型不正确,尝试修改Content-Type
上传成功!
试试一句话
成功getshell