
對VAuditDemo的一次審計


拿到代碼,首先觀察 index.php 入口文件。

 1 <?php 
 2 require_once(‘sys/config.php‘);
 3 require_once(‘header.php‘);
 4 ?>
 5 <div class="row">
 6     <?php
 7     /* Include */
 8     if (isset($_GET[‘module‘])){
 9         include($_GET[‘module‘].‘.inc‘);
10     }else{
11     ?>
12     <div class
="jumbotron" style="text-align: center;"> 13 <h1><b>VAuditDemo</b></h1> 14 <p>一個簡單的Web漏洞演練平臺</p><br /> 15 </div> 16 <div class="col-lg-12"> 17 <h2>用於演示講解PHP基本漏洞</h2> 18 <p></p> 19 </div> 20
<?php 21 } 22 ?> 23 </div> 24 25 <?php 26 require_once(‘footer.php‘); 27 ?>
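// Original (vulnerable) form:  if (isset($_GET['module'])) include($_GET['module'].'.inc');
// Request data flowed straight into include(), i.e. a local file inclusion.
// Accept only a bare module name so "../" and NUL-byte tricks never reach
// the filesystem; valid names resolve to "<name>.inc" exactly as before.
if (isset($_GET['module']) && is_string($_GET['module'])
    && preg_match('/^[A-Za-z0-9_-]+$/', $_GET['module']) === 1){
    include($_GET['module'].'.inc');
}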

首先這段代碼判斷是否設置了變量 module,如果設置了該變量,就去包含 $module.inc(注意後綴是 .inc 而不是 .ini,這個後綴會直接拼接在使用者輸入之後)。

因此去構造payload:

 127.0.0.1/index.php?module=1.txt);#

作者預期它會變成:

include(1.txt);# . '.inc');

但這個推理並不成立:$_GET['module'] 的值只是被當作字串資料拼接進路徑,並不會被當成 PHP 原始碼解析,所以 `#` 不會註釋掉任何東西;實際被包含的路徑是 `1.txt);#.inc`,這個檔案不存在,包含自然失敗。此處確實存在本地檔案包含(LFI)漏洞,只是利用方式不同:可以用 `../` 目錄穿越去包含伺服器上任何可讀的 `.inc` 檔案;若想截斷 `.inc` 後綴則需要 `%00`,但這只在 PHP < 5.3.4 有效,而且 lib.php 的 sec() 會對 $_GET 做 addslashes(),NUL 位元組會被轉義成 `\0` 兩個字元,所以在本程式裡空位元組截斷也行不通。調試時先把錯誤回顯打開,include 的警告訊息會直接顯示最終解析出的路徑。

緊接著發現文件包含了兩個文件

sys/config.php   header.php

剩下的是一些html源碼

Header發現全部都是html的源碼直接跳過。

去觀察sys/config.php這個配置文件,畢竟配置文件比較敏感!

 1 <?php
 2 
 3 error_reporting(0);
 4 
 5 if (!file_exists($_SERVER["DOCUMENT_ROOT"].‘/sys/install.lock‘)){
 6     header("Location: /install/install.php");
 7     exit;
 8 }
 9 
10 include_once($_SERVER["DOCUMENT_ROOT"].‘/sys/lib.php‘);
11 
12 $host="localhost"; 
13 $username="root"; 
14 $password="root"; 
15 $database="vauditdemo"; 
16 
17 $conn = mysql_connect($host,$username,$password);
18 mysql_query(‘set names utf8‘,$conn);
19 mysql_select_db($database, $conn) or die(mysql_error());
20 if (!$conn)
21 {
22     die(‘Could not connect: ‘ . mysql_error());
23     exit;
24 }
25 
26 session_start();
27 
28 ?>

首先 error_reporting(0) 關閉了所有錯誤報告:

 error_reporting(0);

一般的話,需要白盒審計的時候需要把錯誤回顯打開,易與觀察函數錯誤提示,易於調試漏洞!

方法:error_reporting(E_ALL); ini_set('display_errors', '1');(只改 error_reporting 還不夠,若 php.ini 中 display_errors 為 Off,錯誤訊息仍不會輸出到頁面;這兩句只應在審計/測試環境使用。)
 1 <?php
 2 
 3 date_default_timezone_set(‘UTC‘);   #首先先定義了時區
 4 
 5 if( !get_magic_quotes_gpc() ) {     #判斷是是否開啟了魔術引號轉義,若果沒有就調用自己定義的sec()去轉義。
 6     $_GET = sec ( $_GET );
 7     $_POST = sec ( $_POST );
 8     $_COOKIE = sec ( $_COOKIE ); 
 9 }
10 $_SERVER = sec ( $_SERVER );        #所有調用server的全局數據進行sec()轉義
11 
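/**
 * Recursively escape a request value for the legacy mysql_* queries.
 *
 * Arrays are walked element by element; strings get addslashes(); ints are
 * returned unchanged. Every other type (floats, bools, null) is passed
 * through as-is. The by-reference signature is kept for compatibility, but
 * the function also returns the escaped value, which is how every call site
 * in this file uses it.
 *
 * Fix vs. the original: the numeric branch ran intval() on anything that was
 * is_numeric(), which silently truncated floats (e.g. a float entry such as
 * REQUEST_TIME_FLOAT in $_SERVER). Strings never reached that branch because
 * the is_string check comes first, so the only effect of intval() was the
 * truncation. Ints are already ints; floats now survive intact.
 *
 * NOTE(review): addslashes() is not a SQL escape. It is only meaningful inside
 * a quoted string literal, it is bypassable with multi-byte charsets (GBK),
 * and it mangles legitimate input before it is stored. Prepared statements
 * are the real fix.
 *
 * @param mixed $array value to escape (any type)
 * @return mixed the escaped value
 */
function sec( &$array ) {
    if ( is_array( $array ) ) {
        foreach ( $array as $key => $value ) {
            $array[$key] = sec( $value );
        }
        return $array;
    }
    if ( is_string( $array ) ) {
        return addslashes( $array );
    }
    // ints are left alone; floats are no longer truncated by intval().
    return $array;
}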
24 
/**
 * Legacy "WAF" pass over a string destined for a SQL query.
 *
 * Rewrites a fixed list of SQL keywords (case-insensitively) to the literal
 * "sqlwaf", doubles backslashes, strips "&&", "||" and single quotes, and
 * backslash-escapes "%" and "_" (the LIKE wildcards). Replacements run in
 * the listed order, one full pass per search term, exactly as the original
 * chain of str_ireplace() calls did.
 *
 * NOTE(review): this is a blacklist and must not be relied on. It is not
 * context-aware ("or" inside "password" becomes "passwsqlwafd", mangling
 * legitimate data), it says nothing about keywords it does not list (sleep,
 * benchmark, like, comment sequences, ...), and it does nothing for numeric
 * contexts where no quotes are involved. Parameterised queries are the fix;
 * this function only raises the bar slightly.
 *
 * @param string $str raw input
 * @return string rewritten input
 */
function sqlwaf( $str ) {
    // str_ireplace() with arrays applies each pair in turn over the whole
    // string, which is equivalent to the original sequence of single calls;
    // the order below is therefore the original order.
    $keywords = array(
        'and', 'or', 'from', 'execute', 'update', 'count', 'chr', 'mid',
        'char', 'union', 'select', 'delete', 'insert', 'limit', 'concat',
    );
    $str = str_ireplace( $keywords, 'sqlwaf', $str );

    // Backslashes are doubled first so the escapes added afterwards for
    // "%" and "_" are not themselves doubled.
    $punctuation = array( '\\',   '&&', '||', "'", '%',   '_' );
    $escaped     = array( '\\\\', '',   '',   '',  '\\%', '\\_' );
    return str_ireplace( $punctuation, $escaped, $str );
}
49 
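/**
 * Best-effort client IP address, for logging.
 *
 * Candidates are consulted in the original order - Client-IP header,
 * X-Forwarded-For header, then REMOTE_ADDR - and the first one that is a
 * syntactically valid IPv4/IPv6 address is returned; "unknown" is returned
 * when none qualifies (the literal "unknown" is skipped, as before).
 *
 * Fixes vs. the original:
 *  - every $_SERVER key is tested with isset() first, so absent headers no
 *    longer raise notices (error_reporting(0) was hiding them);
 *  - the value is validated with filter_var(FILTER_VALIDATE_IP), so a header
 *    such as "1.1.1.1' OR 1=1" can never be returned and reach a query or
 *    log sink unchecked - these headers are fully attacker-controlled;
 *  - X-Forwarded-For is a comma-separated chain; the leftmost entry (the
 *    originating client) is taken instead of the whole list;
 *  - the duplicated REMOTE_ADDR branch is gone.
 *
 * NOTE(review): a syntactically valid address can still be spoofed through
 * these headers. Honour them only behind a proxy you control that overwrites
 * them; otherwise REMOTE_ADDR is the only trustworthy value.
 *
 * @return string an IP address or "unknown"
 */
function get_client_ip(){
    $sources = array( 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR' );
    foreach ( $sources as $key ) {
        if ( !isset( $_SERVER[$key] ) || !is_string( $_SERVER[$key] ) || $_SERVER[$key] === '' ) {
            continue;
        }
        // X-Forwarded-For: "client, proxy1, proxy2" - keep the first hop only.
        $parts = explode( ',', $_SERVER[$key] );
        $ip = trim( $parts[0] );
        if ( strcasecmp( $ip, 'unknown' ) === 0 ) {
            continue;
        }
        if ( filter_var( $ip, FILTER_VALIDATE_IP ) !== false ) {
            return $ip;
        }
    }
    return 'unknown';
}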
64 
/**
 * Undo the addslashes() applied by sec() and re-escape the value for the
 * legacy mysql_* driver using the active connection's charset.
 *
 * NOTE(review): mysql_real_escape_string() needs an open mysql_* link and no
 * longer exists in PHP 7+; it also only protects values placed inside quoted
 * string literals. Prepared statements make this helper unnecessary.
 *
 * @param string $dirty a value that previously went through addslashes()
 * @return string|false the escaped value, or false when no link is open
 */
function clean_input( $dirty ) {
    $unslashed = stripslashes( $dirty );
    return mysql_real_escape_string( $unslashed );
}
68 
/**
 * Report whether a file name carries a jpg/jpeg/png extension.
 *
 * The check is purely lexical and case-sensitive: it looks at the text after
 * the last "." (a name with no dot is compared whole, so the bare string
 * "jpg" is accepted, just as in the original). Nothing about the file's
 * content is examined.
 *
 * NOTE(review): a multi-extension name such as "shell.php.jpg" passes this
 * test; on servers that map .php anywhere in the name (Apache AddHandler /
 * multiviews setups) that is a code-execution path. Callers should store the
 * upload under a generated name and verify it is an image with
 * getimagesize() or finfo rather than trusting the name.
 *
 * @param string $file_name user-supplied file name
 * @return int 1 when the extension matches, otherwise 0
 */
function is_pic( $file_name ) {
    $pieces = explode( '.', $file_name );
    $ext    = end( $pieces );
    return in_array( $ext, array( 'jpg', 'jpeg', 'png' ), true ) ? 1 : 0;
}
78 
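/**
 * Emit a minimal HTML "404 Not Found" page that names the requested URL.
 *
 * Fix vs. the original: $page was echoed raw, so a caller passing anything
 * request-derived (the requested URL is the obvious candidate) produced a
 * reflected XSS. It is now HTML-escaped for the element-content context it
 * lands in. The function still only writes the body; it does not set the
 * HTTP status code.
 *
 * @param string $page the URL to show in the message
 * @return void
 */
function not_find( $page ) {
    $safe_page = htmlspecialchars( (string) $page, ENT_QUOTES, 'UTF-8' );
    echo "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>
        <p>The requested URL ".$safe_page." was not found on this server.</p></body></html>";
}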
83 ?>
