代碼審計入門之數字型注入


什么是數字型注入?
簡單的來說就是未經過濾就直接將參數帶入數據庫查詢的SQL語句,這么說可能有點難以理解,但是我們可以根據代碼來講

PHP Demo代碼

<?php
// Deliberately vulnerable teaching demo: a request parameter is interpolated
// straight into a SQL string. The mysql_* extension used here was removed in
// PHP 7.0, so this script only runs on PHP 5; the same defect exists with
// mysqli_query()/PDO::query() whenever the query text is built by interpolation.
$db_host = 'localhost';
$db_user = 'root';
$db_pass = 'root';
// Source of untrusted input: $_REQUEST merges GET, POST (and, depending on the
// request_order ini setting, COOKIE) data. No integer validation is applied.
$id = $_REQUEST['sql'];

$link = mysql_connect($db_host, $db_user, $db_pass) or die("DB Connect Error:" . mysql_error());
mysql_select_db('test', $link) or die("Can\'t use sqlinject:" . mysql_error());
// Sink: $id becomes part of the WHERE clause verbatim, so a crafted value changes
// the statement the server executes. Mitigation: cast/validate the id as an integer,
// or bind it as a parameter via a prepared statement (mysqli/PDO).
$sql = "SELECT * FROM zr WHERE id=$id";
$query = mysql_query($sql) or die("Invalid Query:" . mysql_error());
while ($row = mysql_fetch_array($query))
{
    echo "用戶ID:" . $row['Id'] . "<br>";
    echo "用戶賬號(hào):" . $row['user'] . "<br>";
    // Echoes the password column to the client; acceptable only in a lab demo.
    echo "用戶密碼:" . $row['pass'] . "<br>";
}
mysql_close($link);

// Printing the executed SQL back to the client reveals the exact statement
// structure; useful for the exercise, never for a production page.
echo "當(dāng)前查詢語句:".$sql."<br>";
?>
上面的代碼中漏洞出現在下面的語句中:


// Sink: $id is interpolated into the query text with no validation or parameter
// binding; "or die()" only reports syntax errors, it does not prevent injection.
$sql = "SELECT * FROM zr WHERE id=$id";
$query = mysql_query($sql) or die("Invalid Query:" . mysql_error());
而$id變量來自于用戶所輸入的參數,所以$id變量是可控的:


// Source: $_REQUEST merges GET, POST (and, depending on request_order, COOKIE) input.
$id = $_REQUEST['sql'];
S-CMS 漏洞演示:
目標(biāo)文件:wap-index.php


// ?action=update_dir rewrites the stored install directory in SL_config.
// No authentication or CSRF check is visible in this excerpt (one may exist in an
// include outside it); $conn, splitx() and box() are defined elsewhere.
// NOTE(review): $_SERVER["PHP_SELF"] can carry client-supplied path info, and its
// splitx() result is concatenated into the UPDATE statement — verify splitx() escapes it.
if ($_GET["action"] == "update_dir") {
    mysqli_query($conn, "update SL_config set C_dir='" . splitx( $_SERVER["PHP_SELF"], "wap_index.php",0) . "'");
    box("更新成功!", "wap_index.php", "success");
}
// $C_dir is presumably the directory stored in SL_config (loaded outside this excerpt).
if (substr($_SERVER["PHP_SELF"], -13) == "wap_index.php" && $C_dir != splitx( $_SERVER["PHP_SELF"], "wap_index.php",0)) {
    echo ("系統(tǒng)檢測到您移動(dòng)了安裝目錄,是否更新數(shù)據(jù)庫?(<a href='?action=update_dir'>是</a>/否)" . splitx( $_SERVER["PHP_SELF"], "wap_index.php",0));
}
// Page number straight from the query string; no validation before it reaches
// CreateNewsList()/CreateProductList() below.
$S_page = $_GET["page"];

// Page type from the query string; selects the switch branch and the default template name.
if ($_GET["type"] == "") {
    $U_type = "index";
} else {
    $U_type = $_GET["type"];
}

// Source of the injection: $S_id is taken from GET as a raw string with no numeric
// check, then concatenated into SQL in the "text"/"form"/"news"/"newsinfo"/
// "product"/"productinfo" cases below.
if(isset($_GET["S_id"])){
    $S_id = $_GET["S_id"];
}else{
    $S_id = "0";
}

// Template name from the query string; passed unvalidated to LoadWapTemplate().
if ($_GET["style"] == "") {
    $style = $U_type;
} else {
    $style = $_GET["style"];
}

// $C_close, $C_todomain and $C_domain are site settings loaded outside this excerpt.
// Neither redirect is followed by exit(), so the script keeps running and the
// switch below still executes (and still runs its queries) after the Location header.
if ($C_close == 1) {
    Header("Location: close.html");
}
if ($C_todomain <> "empty" && $C_todomain <> "" && $C_todomain <> $C_domain) {
    Header("Location: //" . $C_todomain);
}

// Dispatch on the loosely-compared page type ("==" semantics).
switch ($U_type) {
    case "index":
        $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateIndex(ReplaceWapPart(LoadWapTemplate($style, 1))))));
        break;

    case "contact":
        $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateContact(ReplaceWapPart(LoadWapTemplate($style, 1))))));
        break;

    case "guestbook":
        $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateGuestbook(ReplaceWapPart(LoadWapTemplate($style, 1))))));
        break;

    case "bbs":
        Header("location:bbs");
        break;

    case "member":
        Header("location:member");
        break;

    case "text":
        // Sink: $S_id concatenated into the WHERE clause and executed by getrs().
        // Fix: validate as an integer here ((int) cast / ctype_digit) or bind it
        // as a prepared-statement parameter. Same pattern in the cases below.
        if (getrs("select * from SL_text where T_id=" . $S_id, "T_title") == "") {
            box("菜單指向的簡介已被刪除,請到“菜單管理”重新編輯", "back", "error");
        } else {
            $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateText(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id))));
        }
        break;

    case "form":
        // Sink: same unparameterised concatenation of $S_id.
        if (getrs("select * from SL_form where F_id=" . $S_id, "F_title") == "") {
            box("菜單指向的簡介已被刪除,請到“菜單管理”重新編輯", "back", "error");
        } else {
            $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateForm(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id))));
        }
        break;

    case "news":
        // is_numeric() only chooses a branch: a non-numeric $S_id skips the SQL
        // lookup here but is still handed to LoadWapTemplate()/CreateNewsList(),
        // so it does not act as input validation. is_numeric() also accepts
        // floats, exponents and leading whitespace, not just integer ids.
        if (is_numeric($S_id)) {
            if (getrs("select * from SL_nsort where S_id=" . $S_id, "S_title") == "" && $S_id <> 0) {
                box("菜單指向的新聞分類已被刪除,請到“菜單管理”重新編輯", "back", "error");
            } else {
                $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateNewsList(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id, $S_page))));
            }
        } else {
            $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateNewsList(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id, $S_page))));
        }
        break;

    case "newsinfo":
        // Sink: same unparameterised concatenation of $S_id.
        if (getrs("select * from SL_news where N_id=" . $S_id, "N_title") == "") {
            box("該新聞不存在或已被刪除", "back", "error");
        } else {
            $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateNewsInfo(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id))));
        }
        break;

    case "product":
        // Same branch-only is_numeric() pattern as the "news" case.
        if (is_numeric($S_id)) {
            if (getrs("select * from SL_psort where S_id=" . $S_id, "S_title") == "" && $S_id > 0) {
                box("菜單指向的產(chǎn)品分類已被刪除,請到“菜單管理”重新編輯", "back", "error");
            } else {
                $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateProductList(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id, $S_page))));
            }
        } else {
            $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateProductList(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id, $S_page))));
        }
        break;

    case "productinfo":
        // Sink: same unparameterised concatenation of $S_id.
        if (getrs("select * from SL_product where P_id=" . $S_id, "P_title") == "") {
            box("該產(chǎn)品不存在或已被刪除", "back", "error");
        } else {
            $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateProductInfo(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id))));
        }
        break;

    default:
        $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateIndex(ReplaceWapPart(LoadWapTemplate($style, 1))))));
}
漏洞代碼:

case "text":
    if (getrs("select * from SL_text where T_id=" . $S_id, "T_title") == "") {
        box("菜單指向的簡介已被刪除,請到“菜單管理”重新編輯", "back", "error");
    } else {
        $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateText(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id))));
    }
    break;

case "form":
    if (getrs("select * from SL_form where F_id=" . $S_id, "F_title") == "") {
        box("菜單指向的簡介已被刪除,請到“菜單管理”重新編輯", "back", "error");
    } else {
        $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateForm(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id))));
    }
    break;

case "news":
    if (is_numeric($S_id)) {
        if (getrs("select * from SL_nsort where S_id=" . $S_id, "S_title") == "" && $S_id <> 0) {
            box("菜單指向的新聞分類已被刪除,請到“菜單管理”重新編輯", "back", "error");
        } else {
            $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateNewsList(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id, $S_page))));
        }
    } else {
        $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateNewsList(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id, $S_page))));
    }
    break;

case "newsinfo":
    if (getrs("select * from SL_news where N_id=" . $S_id, "N_title") == "") {
        box("該新聞不存在或已被刪除", "back", "error");
    } else {
        $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateNewsInfo(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id))));
    }
    break;
代碼1,$S_id未經過過濾直接進入了getrs函數進行查詢:

getrs("select * from SL_text where T_id=" . $S_id, "T_title")
而$S_id變量來自于GET獲取。


// Record id from the query string, defaulting to "0" when the parameter is absent.
// The value stays an unvalidated string: nothing here checks that it is numeric
// before it is concatenated into the SQL lookups further down.
$S_id = isset($_GET["S_id"]) ? $_GET["S_id"] : "0";
至于getrs函數,更是直接執行了拼接好的SQL語句,沒有任何過濾


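/**
 * Run $sqlx on the global connection and return column $valuex of the first row.
 *
 * Returns "" when the query fails, returns no rows, or the column is absent.
 * The SQL text is executed exactly as supplied: this helper has no way to bind
 * parameters, so every caller must validate or bind the values it concatenates
 * (the wap_index.php call sites above pass $S_id from $_GET unvalidated).
 *
 * @param string $sqlx   complete SQL statement
 * @param string $valuex column name to read from the first row
 * @return string|int|float|null column value, or "" when unavailable
 */
function getrs($sqlx, $valuex)
{
    global $conn;
    $resultx = mysqli_query($conn, $sqlx);
    // A failed query yields false and a non-SELECT yields true; the original
    // fetched before checking, which raises a TypeError on PHP 8 in both cases.
    if (!$resultx instanceof mysqli_result) {
        return "";
    }
    // Only fetch once we know a row exists; a missing column reads as "".
    if (mysqli_num_rows($resultx) > 0) {
        $rowx = mysqli_fetch_assoc($resultx);
        return $rowx[$valuex] ?? "";
    }
    return "";
}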
