白帽子分享之代码审计的艺术系列—第五季
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">0x01</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">前言</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">作者:HackBraid,乌云核心白帽子。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">白帽子分享之代码审计的艺术系列(<span style="color: black;">2、</span><span style="color: black;">3、</span>四季)是对绕过全局防护的场景进行的总结。没看前几季的<span style="color: black;">朋友</span>,<span style="color: black;">能够</span>关注下。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><a style="color: black;">代码审计的艺术系列—<span style="color: black;">第1</span>篇</a></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><a style="color: black;">白帽子分享之代码的艺术系列—第二篇</a></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><a style="color: black;">白帽子分享之代码审计的艺术系列第三季</a></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><a style="color: black;">白帽子分享之代码审计的艺术系列第四季</a></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">接下来两篇介绍全局防护存在的盲点,<span style="color: black;">首要</span>是上篇:</p><strong style="color: blue;">盲点如下:</strong>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">①注入点类似id=1这种整型的参数就会完全<span style="color: black;">没</span>视GPC的过滤;</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">②注入点<span style="color: black;">包括</span>键值对的,<span style="color: black;">那样</span><span style="color: black;">这儿</span>只检测了value,对key的过滤就<span style="color: black;">无</span>防护;</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">③有时候全局的过滤只过滤掉GET、POST和COOKIE,<span style="color: black;">然则</span>没过滤SERVER等变量。</p>附<span style="color: black;">平常</span>的SERVER变量(<span style="color: black;">详细</span>含义<span style="color: black;">自动</span>百度):QUERY_STRING,X_FORWARDED_FOR,CLIENT_IP,HTTP_HOST,ACCEPT_LANGUAGE
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">0x01</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">准备</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">知识<span style="color: black;">贮存</span>:php<span style="color: black;">基本</span>、MySql入门</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> <span style="color: black;">工具</span>:notepad++</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> 服务器环境:wamp</p><strong style="color: blue;">测试代码和sql的链接:</strong>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><a style="color: black;"><span style="color: black;">http://</span><span style="color: black;">pan.baidu.</span></a>com/s/1cq<span style="color: black;">公斤</span>7G</strong><strong style="color: blue;"><span style="color: black;">暗码</span>: nesy</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">0x02</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">全局防护盲点总结上篇的脑图</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">0x03</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">数字型注入</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">完全<span style="color: black;">没</span>视GPC的数字型的注入,其实仔细总结下<span style="color: black;">发掘</span>还是<span style="color: black;">非常多</span><span style="color: black;">能够</span>学习的<span style="color: black;">地区</span>。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">1.</strong><strong style="color: blue;">传入的参数未做intval转换、构造的sql语句<span style="color: black;">无</span>单引号<span style="color: black;">守护</span></strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">缺陷代码:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">这种数字型的注入是全局防护的盲点,构造注入语句完全不<span style="color: black;">必须</span>单引号的支持,<span style="color: black;">因此</span><span style="color: black;">亦</span>就不存在转义了。例如<span style="color: black;">咱们</span>直接构造获取管理员账户<span style="color: black;">暗码</span>的POC:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">http://localhost/sqltest/mangdian/int1.php?id=-1 union select 1,2,concat(name,0x23,pass) from admin%23</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">2.php</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">弱类型语言,判断<span style="color: black;">规律</span>错误<span style="color: black;">诱发</span>注入</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">缺陷代码:当然前提是数字型的注入,<span style="color: black;">这儿</span>特殊之处在于<span style="color: black;">增多</span>了个if($id<1)的<span style="color: black;">规律</span>判断,但PHP弱类型语言在<span style="color: black;">规律</span>判断上0<1和0 union select 1<1是等价的,都返回True。<span style="color: black;">因此</span>构造获取管理员账户<span style="color: black;">暗码</span>的POC:http://localhost/sqltest/mangdian/int2.php?id=0 union select 1,2,concat(name,0x23,pass) from admin%23</p><strong style="color: blue;">3.</strong><strong style="color: blue;">
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">过程中不全是数字型,忘记加单引号</p>
</strong>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">这种<span style="color: black;">状况</span>是在<span style="color: black;">第1</span>条sql语句里是有单引号<span style="color: black;">守护</span>的,紧接着第二条sql语句<span style="color: black;">无</span>单引号<span style="color: black;">守护</span><span style="color: black;">诱发</span>的注入,缺陷的代码如下:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">第一条sql语句有单引号<span style="color: black;">守护</span>,第二条sql语句<span style="color: black;">无</span>了单引号<span style="color: black;">守护</span>从而<span style="color: black;">能够</span>进一步注入。构造获取管理员账户<span style="color: black;">暗码</span>的POC:http://localhost/sqltest/mangdian/int3.php?id=0 union select 1,2,concat(name,0x23,pass) from admin%23</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">0x04</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">数组类型,全局防护只过滤了value/key,未过滤代入<span style="color: black;">查找</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">全局防护的代码只对数组中的vaule进行了过滤,key未过滤<span style="color: black;">诱发</span>注入,全局防护缺陷代码如下:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">能够</span>看到,对GET、POST和COOKIE传递的数组参数只过滤了value,<span style="color: black;">忽略</span>了key,漏洞代码如下:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">虽然<span style="color: black;">查找</span>语句中WHERE id=’”.$key.”‘有单引号<span style="color: black;">守护</span>,<span style="color: black;">然则</span>全局防护代码就没过滤key就存在注入了,<span style="color: black;">首要</span>POST请求下:http://localhost/sqltest/mangdian/array.php title=news title<span style="color: black;">发掘</span><span style="color: black;">能够</span>获取正常内容:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">查找</span>语句为:SELECT * FROM news WHERE id=’1’ and title=’news title’</p>构造获取管理员账户<span style="color: black;">暗码</span>的POST请求:http://localhost/sqltest/mangdian/array title[-1’ union select 1,2,concat(name,0x23,pass
感谢楼主的分享!我学到了很多。 在遇到你之前,我对人世间是否有真正的圣人是怀疑的。 说得好啊!我在外链论坛打滚这么多年,所谓阅人无数,就算没有见过猪走路,也总明白猪肉是啥味道的。 感谢你的精彩评论,为我的思绪打开了新的窗口。 期待你更多的精彩评论,一起交流学习。
页:
[1]