代码审计入门之数字型注入
什么是数字型注入?
简单来说,数字型注入指的是参数未经任何过滤或类型检查就被直接拼接进 SQL 查询语句,并且该参数处在数字型字段的位置上(例如 `WHERE id=$id`),两侧没有引号。因为不需要闭合引号,攻击者只要在数字后面直接追加 SQL 片段(如 `1 or 1=1`、`1 union select ...`)就能改变查询逻辑,单纯转义引号(addslashes、magic_quotes_gpc)对这类注入完全无效。这么说可能有点抽象,下面结合代码来讲。
PHP Demo代码
<?php
// Minimal demo of a *numeric* SQL injection: the id parameter is dropped
// into the WHERE clause unquoted, so an attacker needs no quote character
// at all -- `?sql=1 or 1=1` already turns the query into one that matches
// every row, and the loop below prints each row's user and pass columns.
// NOTE: the mysql_* extension used here was removed in PHP 7; this listing
// only runs on PHP 5.x and is kept purely for illustration.
$db_host = 'localhost';
$db_user = 'root';
$db_pass = 'root';
// SOURCE of the tainted value: $_REQUEST merges GET, POST and cookie data,
// so it is fully attacker-controlled, and nothing below checks that it is
// an integer.
$id = $_REQUEST['sql'];
$link = mysql_connect($db_host, $db_user, $db_pass) or die("DB Connect Error:" . mysql_error());
mysql_select_db('test', $link) or die("Can\'t use sqlinject:" . mysql_error());
// SINK: the raw $id is interpolated into the SQL string in a numeric
// (unquoted) position.  The fix is to force the value to the type the
// column expects before it reaches the query, e.g.
// `$id = (int)$_REQUEST['sql'];`, or to use a prepared statement with
// mysqli/PDO; escaping alone does not help because there is no quote to
// escape out of.
$sql = "SELECT * FROM zr WHERE id=$id";
$query = mysql_query($sql) or die("Invalid Query:" . mysql_error());
// Every matching row is echoed, including the password column -- with the
// `1 or 1=1` payload that is the whole table.
while ($row = mysql_fetch_array($query))
{
echo "用户ID:" . $row['Id'] . "<br>";
echo "用户账号:" . $row['user'] . "<br>";
echo "用户密码:" . $row['pass'] . "<br>";
}
mysql_close($link);
// Echoing the executed SQL back to the client hands the attacker the exact
// query text and makes crafting payloads trivial -- never do this outside a
// demo.
echo "当前查询语句:".$sql."<br>";
?>
上面的代码中漏洞出现在下面的语句中:
$sql = "SELECT * FROM zr WHERE id=$id";
$query = mysql_query($sql) or die("Invalid Query:" . mysql_error());
而 $id 变量直接来自用户提交的请求参数($_REQUEST 同时包含 GET、POST 和 Cookie 数据),既没有类型检查也没有转义,因此完全由攻击者控制。例如请求 `?sql=1 or 1=1`,查询就变成 `SELECT * FROM zr WHERE id=1 or 1=1`,下面的循环会把表中所有用户的账号和密码都输出出来:
$id = $_REQUEST['sql'];
S-CMS 漏洞演示:
目标文件:wap_index.php
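// "Moved install directory" handling.  When the script's own path no longer
// matches the stored C_dir, offer to rewrite it; ?action=update_dir performs
// the UPDATE.  The isset() guard only avoids an undefined-index notice on the
// normal request (no action parameter); the comparison result is unchanged.
// NOTE(review): no authorisation or CSRF check for this state-changing
// action is visible in this excerpt -- confirm one is enforced earlier in
// the file, otherwise any visitor can rewrite SL_config.C_dir by loading
// ?action=update_dir.
// The value written and echoed is derived from $_SERVER["PHP_SELF"], which
// may carry client-supplied PATH_INFO; splitx() takes the part before
// "wap_index.php", so normally only the script directory survives, but the
// helper is not visible here.  The value is therefore escaped for SQL and
// HTML as defence in depth (a plain directory path is stored and shown
// exactly as before).
if (isset($_GET["action"]) && $_GET["action"] == "update_dir") {
    $new_dir = splitx($_SERVER["PHP_SELF"], "wap_index.php", 0);
    mysqli_query($conn, "update SL_config set C_dir='" . mysqli_real_escape_string($conn, $new_dir) . "'");
    box("更新成功!", "wap_index.php", "success");
}
if (substr($_SERVER["PHP_SELF"], -13) == "wap_index.php" && $C_dir != splitx($_SERVER["PHP_SELF"], "wap_index.php", 0)) {
    $cur_dir = splitx($_SERVER["PHP_SELF"], "wap_index.php", 0);
    echo ("系统检测到您移动了安装目录,是否更新数据库?(<a href='?action=update_dir'>是</a>/否)" . htmlspecialchars($cur_dir, ENT_QUOTES, 'UTF-8'));
}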
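// Request parameters for the dispatcher below.  All of these are raw user
// input; the isset() guards only suppress undefined-index notices when a
// parameter is missing and leave every resulting value the same as before
// (page -> null, type/style -> "index", S_id -> "0").
// Validation is deliberately left to the point of use: S_id must be cast to
// int before it is concatenated into SQL (the news/product cases gate on
// is_numeric(); the text/form/newsinfo/productinfo cases originally did not
// check it at all, which is the numeric injection discussed on this page).
// NOTE(review): $style is handed to LoadWapTemplate() and $S_page to the
// list builders; neither is visible here, so check that a template name or
// page number cannot be used for path traversal or further SQL.
$S_page = isset($_GET["page"]) ? $_GET["page"] : null;
if (!isset($_GET["type"]) || $_GET["type"] == "") {
    $U_type = "index";
} else {
    $U_type = $_GET["type"];
}
if (isset($_GET["S_id"])) {
    $S_id = $_GET["S_id"];
} else {
    $S_id = "0";
}
if (!isset($_GET["style"]) || $_GET["style"] == "") {
    $style = $U_type;
} else {
    $style = $_GET["style"];
}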
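// Site-wide gates driven by configuration values loaded earlier in the file
// (C_close, C_todomain and C_domain are not assigned in this excerpt).
// The original sent the Location header and then fell through into the page
// builder, so a "closed" site or a moved domain still rendered the full page
// to any client that ignores the redirect (curl, scanners).  Exit right after
// the header so the redirect is the whole response.
if ($C_close == 1) {
    Header("Location: close.html");
    exit;
}
if ($C_todomain <> "empty" && $C_todomain <> "" && $C_todomain <> $C_domain) {
    // Protocol-relative redirect to the configured canonical host.
    // NOTE(review): C_todomain comes from the site configuration, so this is
    // only an open redirect if an unprivileged user can edit that setting.
    Header("Location: //" . $C_todomain);
    exit;
}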
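// Page dispatcher: pick the builder for the requested type and store the
// rendered WAP page in $page_info (emitted later, outside this excerpt).
// $U_type, $style, $S_id and $S_page are raw $_GET values assigned above.
//
// Numeric SQL injection fix: every id that is concatenated into SQL is forced
// to int first.  The original concatenated $S_id as-is in the
// text/form/newsinfo/productinfo cases, and because the id sits in an
// unquoted numeric position (`... where T_id=` . $S_id) an attacker can
// append SQL without closing any quote.  A cast is the correct fix for an
// integer column; escaping would not help.  The cast value is also the one
// handed to the builders so the raw string travels no further.
// NOTE(review): LoadWapTemplate(), CreateNewsList(), CreateProductList() and
// the other Create*() helpers are defined elsewhere; whether they run their
// own queries with $S_id, $S_page or $style is not visible here.
switch ($U_type) {
    case "index":
        $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateIndex(ReplaceWapPart(LoadWapTemplate($style, 1))))));
        break;
    case "contact":
        $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateContact(ReplaceWapPart(LoadWapTemplate($style, 1))))));
        break;
    case "guestbook":
        $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateGuestbook(ReplaceWapPart(LoadWapTemplate($style, 1))))));
        break;
    case "bbs":
        Header("location:bbs");
        // Stop after the redirect; the original continued past the switch
        // with $page_info unset.
        exit;
    case "member":
        Header("location:member");
        exit;
    case "text":
        $text_id = (int)$S_id;
        if (getrs("select * from SL_text where T_id=" . $text_id, "T_title") == "") {
            box("菜单指向的简介已被删除,请到“菜单管理”重新编辑", "back", "error");
        } else {
            $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateText(ReplaceWapPart(LoadWapTemplate($style, $text_id)), $text_id))));
        }
        break;
    case "form":
        $form_id = (int)$S_id;
        if (getrs("select * from SL_form where F_id=" . $form_id, "F_title") == "") {
            box("菜单指向的简介已被删除,请到“菜单管理”重新编辑", "back", "error");
        } else {
            $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateForm(ReplaceWapPart(LoadWapTemplate($style, $form_id)), $form_id))));
        }
        break;
    case "news":
        if (is_numeric($S_id)) {
            // is_numeric() also accepts floats and exponents ("1.5", "1e3");
            // the cast pins the SQL operand to a plain integer.
            $sort_id = (int)$S_id;
            if (getrs("select * from SL_nsort where S_id=" . $sort_id, "S_title") == "" && $sort_id <> 0) {
                box("菜单指向的新闻分类已被删除,请到“菜单管理”重新编辑", "back", "error");
            } else {
                $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateNewsList(ReplaceWapPart(LoadWapTemplate($style, $sort_id)), $sort_id, $S_page))));
            }
        } else {
            // A non-numeric S_id is passed through untouched, as in the
            // original.  NOTE(review): only safe if CreateNewsList() and
            // LoadWapTemplate() never put it into SQL -- confirm.
            $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateNewsList(ReplaceWapPart(LoadWapTemplate($style, $S_id)), $S_id, $S_page))));
        }
        break;
    case "newsinfo":
        $news_id = (int)$S_id;
        if (getrs("select * from SL_news where N_id=" . $news_id, "N_title") == "") {
            box("该新闻不存在或已被删除", "back", "error");
        } else {
            $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateNewsInfo(ReplaceWapPart(LoadWapTemplate($style, $news_id)), $news_id))));
        }
        break;
    case "product":
        if (is_numeric($S_id)) {
            $sort_id = (int)$S_id;
            if (getrs("select * from SL_psort where S_id=" . $sort_id, "S_title") == "" && $sort_id > 0) {
                box("菜单指向的产品分类已被删除,请到“菜单管理”重新编辑", "back", "error");
            } else {
                $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateProductList(ReplaceWapPart(LoadWapTemplate($style, $sort_id)), $sort_id, $S_page))));
            }
        } else {
            // Same pass-through as the news case; see the note there.
            $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateProductList(ReplaceWapPart(LoadWapTemplate($style, $S_id)), $S_id, $S_page))));
        }
        break;
    case "productinfo":
        $product_id = (int)$S_id;
        if (getrs("select * from SL_product where P_id=" . $product_id, "P_title") == "") {
            box("该产品不存在或已被删除", "back", "error");
        } else {
            $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateProductInfo(ReplaceWapPart(LoadWapTemplate($style, $product_id)), $product_id))));
        }
        break;
    default:
        // Unknown type falls back to the index page.
        $page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateIndex(ReplaceWapPart(LoadWapTemplate($style, 1))))));
}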
漏洞代码:
case "text":
if (getrs("select * from SL_text where T_id=" . $S_id, "T_title") == "") {
box("菜单指向的简介已被删除,请到“菜单管理”重新编辑", "back", "error");
} else {
$page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateText(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id))));
}
break;
case "form":
if (getrs("select * from SL_form where F_id=" . $S_id, "F_title") == "") {
box("菜单指向的简介已被删除,请到“菜单管理”重新编辑", "back", "error");
} else {
$page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateForm(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id))));
}
break;
case "news":
if (is_numeric($S_id)) {
if (getrs("select * from SL_nsort where S_id=" . $S_id, "S_title") == "" && $S_id <> 0) {
box("菜单指向的新闻分类已被删除,请到“菜单管理”重新编辑", "back", "error");
} else {
$page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateNewsList(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id, $S_page))));
}
} else {
$page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateNewsList(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id, $S_page))));
}
break;
case "newsinfo":
if (getrs("select * from SL_news where N_id=" . $S_id, "N_title") == "") {
box("该新闻不存在或已被删除", "back", "error");
} else {
$page_info = ReplaceLableFlag(ReplaceWapTag(CreateHTMLReplace(CreateNewsInfo(ReplaceWapPart(LoadWapTemplate($style, $S_id)) , $S_id))));
}
break;
代码1:在 text、form、newsinfo、productinfo 这几个分支里,$S_id 没有经过任何过滤(连 news、product 分支里那种 is_numeric 判断都没有)就被直接拼接进 SQL,再交给 getrs 函数执行。由于 `T_id=` 后面没有引号,攻击者无需闭合引号即可追加任意 SQL:
getrs("select * from SL_text where T_id=" . $S_id, "T_title")
而 $S_id 变量直接来自 GET 参数,未传时默认为字符串 "0":
if(isset($_GET["S_id"])){
$S_id = $_GET["S_id"];
}else{
$S_id = "0";
}
至于 getrs 函数,它只是把传入的 SQL 字符串原样交给 mysqli_query 执行,既不使用预处理语句也不做任何转义,所以安全与否完全取决于调用方如何拼接 $sqlx。修复方式是在拼接前把 ID 强制转换为整数(如 `(int)$S_id`),或改用 mysqli 预处理语句绑定参数:
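// Run $sqlx and return column $valuex of the first row, or "" when the query
// fails, returns no rows, or the row has no such column.  Callers treat ""
// as "not found".
//
// SECURITY: $sqlx is executed exactly as given -- this helper does no
// escaping or parameter binding, so the caller must never concatenate
// untrusted input into it (cast numeric ids with (int), or use mysqli
// prepared statements).  Every injection finding on this page is a caller
// of getrs() that forgot that.
function getrs($sqlx,$valuex){
    global $conn;
    $resultx = mysqli_query($conn, $sqlx);
    // mysqli_query() returns false on error (and true for statements that
    // produce no result set).  The original passed that straight into
    // mysqli_fetch_assoc()/mysqli_num_rows(), which is a TypeError on PHP 8;
    // treat anything that is not a result set like an empty result.
    if (!($resultx instanceof mysqli_result)) {
        return "";
    }
    if (mysqli_num_rows($resultx) > 0) {
        $rowx = mysqli_fetch_assoc($resultx);
        return isset($rowx[$valuex]) ? $rowx[$valuex] : "";
    }
    return "";
}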