PHPMyWind filter bypass SQL injection (only under a specific condition)

Date: 2014-12-28    Author: admin    Category: Technical exchange

Requires register_globals=on.

The variable-registration code in /include/common.inc.php:


foreach(array('_GET','_POST') as $_request)
{
    foreach($$_request as $_k => $_v)
    {
        if(strlen($_k)>0 &&
           preg_match('#^(GLOBALS|_GET|_POST|_SESSION|_COOKIE)#',$_k))
        {
            exit('不允许请求的变量名!');
        }
        ${$_k} = _RunMagicQuotes($_v);
    }
}




Anyone who has seen this pattern before will recognise it at once. The code matches GLOBALS to stop a request from submitting the global variable GLOBALS and overwriting variables that way, but it only checks $_GET and $_POST. $_COOKIE is never walked by this loop, so a cookie value never passes through _RunMagicQuotes, and with register_globals=on a cookie named GLOBALS[...] still lands in the global scope. Submitting the value in $_COOKIE is therefore enough to bypass the filter.

There may be many injection points; here is one example: phpmywind/product.php


<?php
    if(!empty($keyword))
    {
        $keyword = htmlspecialchars($keyword);
        $sql = "SELECT * FROM `#@__infoimg` WHERE (classid=$cid OR parentstr LIKE '%,$cid,%') AND title LIKE '%$keyword%' AND delstate='' AND checkinfo=true ORDER BY orderid DESC"; // the SQL is concatenated here
    }
    else
    {
        $sql = "SELECT * FROM `#@__infoimg` WHERE (classid=$cid OR parentstr LIKE '%,$cid,%') AND delstate='' AND checkinfo=true ORDER BY orderid DESC";
    }
    $dopage->GetPage($sql,9);
    while($row = $dosql->GetArray())
    {
        if($row['picurl'] != '') $picurl = $row['picurl'];
        else $picurl = 'templates/default/images/nofoundpic.gif';
        if($row['linkurl']=='' and $cfg_isreurl!='Y') $gourl = 'productshow.php?cid='.$row['classid'].'&id='.$row['id'];
        else if($cfg_isreurl=='Y') $gourl = 'productshow-'.$row['classid'].'-'.$row['id'].'-1.html';
        else $gourl = $row['linkurl'];
?>




Here we add a cookie named GLOBALS[keyword].

[Screenshot from 2014-12-05 10:17:14.png: the cookie GLOBALS[keyword] being added]

Print out $keyword:

[Screenshot from 2014-12-05 10:18:38.png: the value of $keyword]

The filter is bypassed and a ' has been introduced into the query.

payload:

[Screenshot from 2014-12-05 10:22:01.png: the payload]
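A hardened version of the two pieces of code above, as an added example and not PHPMyWind's own code: the registration loop also checks $_COOKIE against the same name filter, and the product.php query binds its parameters instead of concatenating them. It assumes a PDO connection $pdo and uses the placeholder table name pmw_infoimg in place of `#@__infoimg`; _RunMagicQuotes() is the project's function named above, and the underlying fix remains register_globals=Off.

```php
<?php
// Added example, not PHPMyWind's own code. Hardened registration loop for
// /include/common.inc.php: the name check now covers $_COOKIE as well, so a
// cookie named GLOBALS[keyword] is rejected instead of silently setting
// $keyword. register_globals=Off removes the overwrite entirely and is the
// real fix; this only closes the gap in the existing filter.

function register_request_vars(array $sources)
{
    $blocked = '#^(GLOBALS|_GET|_POST|_COOKIE|_SESSION|_REQUEST|_SERVER|_FILES|_ENV)#';
    foreach ($sources as $source) {
        foreach ($source as $k => $v) {
            if (strlen($k) > 0 && preg_match($blocked, $k)) {
                exit('Request variable name not allowed!');
            }
            // Write to $GLOBALS explicitly: ${$k} inside a function would be local.
            $GLOBALS[$k] = _RunMagicQuotes($v);
        }
    }
}
register_request_vars(array($_GET, $_POST, $_COOKIE));

// product.php query with bound parameters: a quote in $keyword is data, not
// SQL. htmlspecialchars() belongs at output time, not inside the query.
// $pdo is an assumed PDO connection; 'pmw_infoimg' stands in for `#@__infoimg`.
function find_products(PDO $pdo, $cid, $keyword)
{
    $cid = (int) $cid;                       // classid is numeric in the original query
    $sql = "SELECT * FROM `pmw_infoimg` WHERE (classid = ? OR parentstr LIKE ?)"
         . " AND delstate = '' AND checkinfo = true";
    $params = array($cid, "%,$cid,%");
    if ($keyword !== '') {
        $sql .= " AND title LIKE ?";
        $params[] = '%' . $keyword . '%';    // bound as a string, never concatenated
    }
    $sql .= " ORDER BY orderid DESC";
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```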

Tags: SQL injection, PHPMyWind