[网络安全/渗透测试] 代码审计入门之数字型注入

发表于 2019-6-13 22:35:37 | 显示全部楼层 |阅读模式
代码审计入门之数字型注入


什么是数字型注入?
简单来说,就是用户提交的参数未经过滤或类型校验便直接拼接进数据库查询的 SQL 语句中,并且该参数在 SQL 里处于数字位置(不带引号)。这么说可能有点难以理解,下面结合代码来讲。

PHP Demo代码

<?php
// Deliberately vulnerable demo: a request parameter is concatenated straight into SQL.
// (The mysql_* extension used here was removed in PHP 7; mysqli or PDO replace it.)
$db_host = 'localhost';
$db_user = 'root';
$db_pass = 'root';
// Source: taken unchanged from GET/POST/COOKIE; nothing checks that it is numeric.
$id = $_REQUEST['sql'];

$link = mysql_connect($db_host, $db_user, $db_pass) or die("DB Connect Error:" . mysql_error());
// Note: inside double quotes the \' is printed literally as part of the message.
mysql_select_db('test', $link) or die("Can\'t use sqlinject:" . mysql_error());
// Sink: $id is interpolated unquoted, so any non-numeric input becomes part of the SQL syntax.
// Fix: cast numeric ids ((int)$id) or use a prepared statement with a bound parameter.
$sql = "SELECT * FROM zr WHERE id=$id";
$query = mysql_query($sql) or die("Invalid Query:" . mysql_error());
while ($row = mysql_fetch_array($query))
{
    echo "用户ID:" . $row['Id'] . "<br>";
    echo "用户账号:" . $row['user'] . "<br>";
    echo "用户密码:" . $row['pass'] . "<br>";
}
mysql_close($link);

// Printing the executed statement exposes the query text (and table/column names) to the client.
echo "当前查询语句:".$sql."<br>";
?>
上面的代码中漏洞出现在下面的语句中:


$sql = "SELECT * FROM zr WHERE id=$id";
$query = mysql_query($sql) or die("Invalid Query:" . mysql_error());
而 $id 变量直接来自用户提交的请求参数($_REQUEST),未做任何校验,因此 $id 的内容是可控的:


$id = $_REQUEST['sql'];
S-CMS 漏洞演示:
目标文件:wap_index.php


// --- S-CMS wap_index.php (excerpt): request handling for the mobile front page ---
// Globals such as $conn, $C_dir, $C_close, $C_todomain and $C_domain, and helpers such as
// splitx(), box(), getrs() and the Create*/ReplaceWap* functions, are defined elsewhere.
// Loose `==` against $_GET keys also raises an undefined-index notice when the key is absent.
if ($_GET["action"] == "update_dir") {
    // String-built UPDATE from $_SERVER["PHP_SELF"]; PHP_SELF reflects the request path
    // (including any PATH_INFO), and no permission check is visible in this excerpt.
    // Whether splitx() escapes its result cannot be told from here — treat it as unescaped.
    mysqli_query($conn, "update SL_config set C_dir='" . splitx( $_SERVER["PHP_SELF"], "wap_index.php",0) . "'");
    box("更新成功!", "wap_index.php", "success");
}
if (substr($_SERVER["PHP_SELF"], -13) == "wap_index.php" && $C_dir != splitx( $_SERVER["PHP_SELF"], "wap_index.php",0)) {
    // The derived path is echoed into HTML without htmlspecialchars().
    echo ("系统检测到您移动了安装目录,是否更新数据库?(<a href='?action=update_dir'>是</a>/否)" . splitx( $_SERVER["PHP_SELF"], "wap_index.php",0));
}
// Source: page number, taken as-is and later handed to CreateNewsList()/CreateProductList().
$S_page = $_GET["page"];

// Source: page type; only used as the switch key below, unknown values fall to `default`.
if ($_GET["type"] == "") {
    $U_type = "index";
} else {
    $U_type = $_GET["type"];
}

// Source: record id. It stays a string (default "0") and is concatenated unescaped into
// every getrs() query below. The news/product cases deliberately accept non-numeric
// values, so a blanket (int) cast here would change behaviour; validation has to be per case.
if(isset($_GET["S_id"])){
    $S_id = $_GET["S_id"];
}else{
    $S_id = "0";
}

// Source: template name passed to LoadWapTemplate(); if that helper builds a file path
// from it, a whitelist is needed — confirm against LoadWapTemplate().
if ($_GET["style"] == "") {
    $style = $U_type;
} else {
    $style = $_GET["style"];
}

// Header() does not stop the script: without exit the rest of this file still runs
// (and still queries the database) after the redirect header has been sent.
if ($C_close == 1) {
    Header("Location: close.html");
}
// `<>` is the same loose inequality as `!=`.
if ($C_todomain <> "empty" && $C_todomain <> "" && $C_todomain <> $C_domain) {
    Header("Location: //" . $C_todomain);
}

// Dispatch on page type. Every getrs() call below concatenates $S_id straight into SQL;
// the fix is a prepared statement (mysqli_prepare + bound parameter) or a strict integer
// check before the query — it cannot be applied inside getrs(), which only receives a string.
switch ($U_type) {
    case "index":
        $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateIndex(ReplaceWapPart(LoadWapTemplate($style, 1))))));
        break;

    case "contact":
        $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateContact(ReplaceWapPart(LoadWapTemplate($style, 1))))));
        break;

    case "guestbook":
        $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateGuestbook(ReplaceWapPart(LoadWapTemplate($style, 1))))));
        break;

    case "bbs":
        // Redirect without exit — see the note on Header() above.
        Header("location:bbs");
        break;

    case "member":
        Header("location:member");
        break;

    case "text":
        // Sink: raw $S_id in the WHERE clause. "form", "newsinfo" and "productinfo" below
        // follow the same pattern.
        if (getrs("select * from SL_text where T_id=" . $S_id, "T_title") == "") {
            box("菜单指向的简介已被删除,请到“菜单管理”重新编辑", "back", "error");
        } else {
            $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateText(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id))));
        }
        break;

    case "form":
        if (getrs("select * from SL_form where F_id=" . $S_id, "F_title") == "") {
            box("菜单指向的简介已被删除,请到“菜单管理”重新编辑", "back", "error");
        } else {
            $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateForm(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id))));
        }
        break;

    case "news":
        // is_numeric() is not a strict integer check (it also accepts signs, decimals and
        // exponent forms such as "1e3"), and the non-numeric branch still passes the raw
        // value on to CreateNewsList(); the check only decides whether getrs() is called.
        if (is_numeric($S_id)) {
            if (getrs("select * from SL_nsort where S_id=" . $S_id, "S_title") == "" && $S_id <> 0) {
                box("菜单指向的新闻分类已被删除,请到“菜单管理”重新编辑", "back", "error");
            } else {
                $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateNewsList(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id, $S_page))));
            }
        } else {
            $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateNewsList(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id, $S_page))));
        }
        break;

    case "newsinfo":
        if (getrs("select * from SL_news where N_id=" . $S_id, "N_title") == "") {
            box("该新闻不存在或已被删除", "back", "error");
        } else {
            $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateNewsInfo(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id))));
        }
        break;

    case "product":
        // Same shape as "news": is_numeric() gates only the getrs() call.
        if (is_numeric($S_id)) {
            if (getrs("select * from SL_psort where S_id=" . $S_id, "S_title") == "" && $S_id > 0) {
                box("菜单指向的产品分类已被删除,请到“菜单管理”重新编辑", "back", "error");
            } else {
                $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateProductList(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id, $S_page))));
            }
        } else {
            $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateProductList(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id, $S_page))));
        }
        break;

    case "productinfo":
        if (getrs("select * from SL_product where P_id=" . $S_id, "P_title") == "") {
            box("该产品不存在或已被删除", "back", "error");
        } else {
            $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateProductInfo(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id))));
        }
        break;

    default:
        $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateIndex(ReplaceWapPart(LoadWapTemplate($style, 1))))));
}
漏洞代码:

case "text":
    if (getrs("select * from SL_text where T_id=" . $S_id, "T_title") == "") {
        box("菜单指向的简介已被删除,请到“菜单管理”重新编辑", "back", "error");
    } else {
        $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateText(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id))));
    }
    break;

case "form":
    if (getrs("select * from SL_form where F_id=" . $S_id, "F_title") == "") {
        box("菜单指向的简介已被删除,请到“菜单管理”重新编辑", "back", "error");
    } else {
        $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateForm(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id))));
    }
    break;

case "news":
    if (is_numeric($S_id)) {
        if (getrs("select * from SL_nsort where S_id=" . $S_id, "S_title") == "" && $S_id <> 0) {
            box("菜单指向的新闻分类已被删除,请到“菜单管理”重新编辑", "back", "error");
        } else {
            $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateNewsList(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id, $S_page))));
        }
    } else {
        $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateNewsList(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id, $S_page))));
    }
    break;

case "newsinfo":
    if (getrs("select * from SL_news where N_id=" . $S_id, "N_title") == "") {
        box("该新闻不存在或已被删除", "back", "error");
    } else {
        $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateNewsInfo(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id))));
    }
    break;
代码中,$S_id 未经任何过滤就被直接拼接进 SQL 并传入 getrs 函数执行查询:

getrs("select * from SL_text where T_id=" . $S_id, "T_title")
而 $S_id 变量直接来自 GET 参数:


// $S_id is a request parameter with the string default "0"; it is passed on unchanged,
// so any validation (numeric cast, whitelist) has to happen before it reaches a query.
$S_id = isset($_GET["S_id"]) ? $_GET["S_id"] : "0";
至于 getrs 函数,它对传入的 SQL 字符串不做任何转义或参数绑定,直接交给 mysqli_query 执行:


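/**
 * Run $sqlx on the global connection and return column $valuex of the first row.
 *
 * This helper executes the SQL string exactly as it is handed in: it does no escaping
 * and no parameter binding, so every caller is responsible for never concatenating
 * request data into $sqlx (use mysqli_prepare() with a bound parameter, or at least a
 * strict integer cast for numeric ids). The fix for injection belongs at the call sites.
 *
 * @param string $sqlx   complete SQL statement (expected to be a SELECT)
 * @param string $valuex column name to read from the first row
 * @return mixed the column value, or "" when the query fails, returns no rows,
 *               or the column is absent from the row
 */
function getrs($sqlx,$valuex){
    global $conn;
    $resultx = mysqli_query($conn, $sqlx);
    // A failed query returns false and a non-SELECT returns true; neither can be
    // fetched from, and the original called mysqli_fetch_assoc() on them anyway.
    if (!is_object($resultx)) {
        return "";
    }
    if (mysqli_num_rows($resultx) > 0) {
        $rowx = mysqli_fetch_assoc($resultx);
        // Missing column: return "" instead of an undefined-index notice plus null.
        return isset($rowx[$valuex]) ? $rowx[$valuex] : "";
    }
    return "";
}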
