
phpok的一次简单审计

phpok的一次简单审计

过年啦过年啦,祝表哥们新年快乐~
新的一年赚个金钵满盆 ~
深夜不适合玩阴阳师,连抽了两张R卡之后现在正在怀疑世界中 T^T
直接上漏洞文件
/framework/www/usercp_control.php
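/**
 * Render the "edit my profile" page (usercp_info) for the logged-in user.
 *
 * Collects the editable extension fields allowed for the user's group,
 * merges each field's serialised options, pre-fills it with the user's
 * stored value and passes it through lib('form')->format() before the
 * field list, the user row and the group row are assigned to the view.
 */
public function info_f()
      {
            $rs = $this->user;
            $group_rs = $this->group_rs;

            // Fields the group is allowed to edit; an empty list means every
            // is_edit=1 field is offered.
            $allowed = $group_rs['fields'] ? explode(",",$group_rs['fields']) : array();
            $condition = 'is_edit=1';
            if($allowed){
                  // NOTE(review): $group_rs['fields'] is spliced into the SQL
                  // condition unescaped. Nothing here shows it coming from a
                  // request, but confirm it can only be set by trusted
                  // administration code before relying on that.
                  $condition .= " AND identifier IN('".implode("','",$allowed)."')";
            }
            $ext_list = $this->model('user')->fields_all($condition,"id");
            if($ext_list){
                  $extlist = array();
                  foreach($ext_list as $value){
                        if($value["ext"]){
                              // Field options are stored serialised; unserialize()
                              // is only safe on data this application wrote itself,
                              // so this column must never be writable by end users.
                              // A corrupt or non-array payload is skipped instead
                              // of being iterated.
                              $ext = unserialize($value["ext"]);
                              if(is_array($ext)){
                                    foreach($ext AS $k=>$v){
                                          $value[$k] = $v;
                                    }
                              }
                        }
                        // Pre-fill with the user's current value; the truthy test is
                        // kept as before (a stored '0' is shown blank).
                        if(!empty($rs[$value["identifier"]])){
                              $value["content"] = $rs[$value["identifier"]];
                        }
                        if(!$allowed || in_array($value['identifier'],$allowed)){
                              $extlist[] = $this->lib('form')->format($value);
                        }
                  }
                  $this->assign("extlist",$extlist);
            }
            $this->assign("rs",$rs);
            $this->assign("group_rs",$group_rs);
            $this->view("usercp_info");
      }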
页面是这样的
Image[1].png
所以可以修改的地方只有姓名和性别,$ext_list 就是包含这两个字段信息的数组。往下看完能发现,只有 `$extlist[] = $this->lib('form')->format($value);` 这一处对输入做了过滤(当时以为 format 是内置函数……所以一直没找到过滤函数,尴尬癌都要犯了~)
跟踪函数format() --->/framework/init.php
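/**
 * Sanitise $msg according to $type and return it with slashes added.
 *
 * Arrays are walked recursively: every non-numeric key must pass the
 * 'system' rule (otherwise the entry is dropped), and every value is then
 * formatted with the caller's own $type — the "system" used for the key
 * check does not change the type applied to the values.
 *
 * @param mixed  $msg  value to format; arrays are processed entry by entry
 * @param string $type safe|system|id|checkbox|int|intval|float|floatval|time|
 *                     html|html_js|func|text; any other type only strips and
 *                     re-adds slashes
 * @param mixed  $ext  function name for 'func'; when truthy together with
 *                     'html' the html_js path is taken instead
 * @return mixed       formatted value; '' for an empty input, false when an
 *                     array ends up empty or a 'system'/'id'/'func' check fails
 */
final public function format($msg,$type="safe",$ext="")
    {
        // Loose comparison kept on purpose: it is the original contract
        // (note that 0 == "" differs between PHP 7 and PHP 8).
        if($msg == ""){
            return '';
        }
        if(is_array($msg)){
            foreach($msg AS $key=>$value){
                if(!is_numeric($key)){
                    // Keys are validated with the identifier rule; an invalid
                    // key is removed together with its value.
                    $key2 = $this->format($key,"system");
                    if($key2 === false || $key2 === ''){
                        unset($msg[$key]);
                        continue;
                    }
                }
                // Values keep the caller's $type (the default is 'safe').
                $msg[$key] = $this->format($value,$type,$ext);
            }
            return count($msg) > 0 ? $msg : false;
        }
        if($type == 'html_js' || ($type == 'html' && $ext)){
            $msg = stripslashes($msg);
            // The admin application is treated as trusted and skips xss_clean;
            // whatever admins enter must still be escaped where it is output.
            if($this->app_id != 'admin'){
                $msg = $this->lib('string')->xss_clean($msg);
            }
            $msg = $this->lib('string')->clear_url($msg,$this->url);
            return addslashes($msg);
        }
        $msg = stripslashes($msg);
        switch ($type){
            case 'safe':
                // Encode the characters that can close an HTML attribute or a
                // quoted string: backslash, both quotes and the angle brackets.
                $msg = str_replace(array("\\","'",'"',"<",">"),array("&#92;","&#39;","&quot;","&lt;","&gt;"),$msg);
                break;
            case 'system':
            case 'id':
                // Identifier rule: a letter followed by letters, digits, '_' or '-'.
                $msg = preg_match("/^[a-zA-Z][a-z0-9A-Z_-]+$/u",$msg) ? $msg : false;
                break;
            case 'checkbox':
                $msg = strtolower($msg) == 'on' ? 1 : $this->format($msg,'safe');
                break;
            case 'int':
            case 'intval':
                $msg = intval($msg);
                break;
            case 'float':
            case 'floatval':
                $msg = floatval($msg);
                break;
            case 'time':
                $msg = strtotime($msg);
                break;
            case 'html':
                $msg = $this->lib('string')->safe_html($msg,$this->url);
                break;
            case 'func':
                // $ext is called by name: callers must pass a fixed function
                // name from code, never one taken from request data.
                $msg = function_exists($ext) ? $ext($msg) : false;
                break;
            case 'text':
                $msg = strip_tags($msg);
                break;
        }
        // Falsy results (false, 0, '') are returned as-is, without slashes.
        if($msg){
            $msg = addslashes($msg);
        }
        return $msg;
    }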
 
因为传入的 $msg 是数组,所以进入 is_array 分支里的循环
if(is_array($msg)){
            // Walk the array entry by entry.
            foreach($msg AS $key=>$value){
                if(!is_numeric($key)){
                    // Recursive call for the KEY only: the literal "system" is
                    // passed as an argument, so the local $type of this call
                    // is not changed by it.
                    $key2 = $this->format($key,"system");
                    if($key2 == ''){
                        // Key failed the identifier rule (false == '' holds).
                        unset($msg[$key]);
                        continue;
                    }
                }
                // The VALUE is formatted with this call's own $type.
                $msg[$key] = $this->format($value,$type,$ext);
            }
            if($msg && count($msg)>0){
                return $msg;
            }
            // Every entry was dropped.
            return false;
        }

 

执行
$key2 = $this->format($key,"system");
这里是一次递归调用(对 key 再调用一次 format)
进入
switch ($type){
            // NOTE(review): "\" does not parse as a single-character string; the
            // source file presumably reads "\\" so that five search characters
            // line up with the five replacements — confirm against the original.
            case 'safe':$msg = str_replace(array("\","'",'"',"<",">"),array("&#92;","&#39;","&quot;","&lt;","&gt;"),$msg);break;
            // Identifier rule: a letter followed by letters, digits, '_' or '-'.
            case 'system':$msg = !preg_match("/^[a-zA-Z][a-z0-9A-Z_-]+$/u",$msg) ? false : $msg;break;   /*--------------- this is the branch taken for the key ----------------*/
            case 'id':$msg = !preg_match("/^[a-zA-Z][a-z0-9A-Z_-]+$/u",$msg) ? false : $msg;break;
            case 'checkbox':$msg = strtolower($msg) == 'on' ? 1 : $this->format($msg,'safe');break;
            case 'int':$msg = intval($msg);break;
            case 'intval':$msg = intval($msg);break;
            case 'float':$msg = floatval($msg);break;
            case 'floatval':$msg = floatval($msg);break;
            case 'time':$msg = strtotime($msg);break;
            case 'html':$msg = $this->lib('string')->safe_html($msg,$this->url);break;
            // $ext is invoked by name; it must never come from request data.
            case 'func':$msg = function_exists($ext) ? $ext($msg) : false;break;
            case 'text':$msg = strip_tags($msg);break;
        }
因为现在回溯的是key,但是回溯结束后$type="system";
继续往下执行
$msg[$key] = $this->format($value,$type,$ext);
所以可以看出
这一步执行的也是
case 'system':$msg = !preg_match("/^[a-zA-Z][a-z0-9A-Z_-]+$/u",$msg) ? false : $msg;break;
所以并没有对双引号过滤~
本地测试
直接在input标签里面进行闭合
Imagep1.png
payload:"> onmousemove="alert(1)" "
进入后台的用户管理界面
Imagep2.png
尝试着打了一下cookie
Imagep3.png
如果有不对的地方还请表哥们指出来~新年快乐~ ^_^
后台地址:http://localhost/phpok/admin.php?c=index
