
Analysis of historical ThinkPHP vulnerabilities



Old-vulnerability analysis: this article analyses several vulnerabilities that have appeared in ThinkPHP, as practice for PHP code auditing.

ThinkPHP5 SQL injection 1

Affected versions: 5.0.13 <= ThinkPHP <= 5.0.15 and 5.1.0 <= ThinkPHP <= 5.1.5. Starting from the official security update, compare the code before and after the fix.

https://cdn.bingbingzi.cn/blog/20211214114356.png

Checking the commit history, the update to Builder.php looks suspicious. Open PHPStorm with xdebug configured and set breakpoints at lines 119 and 122 to debug.

https://cdn.bingbingzi.cn/blog/20211214114532.png

Following the execution flow of the code, a non-empty array must be passed in; when the first element of that array is inc, the statement at breakpoint 119 executes. So construct a username parameter and pass username[0]=inc, which successfully triggers the breakpoint.

https://cdn.bingbingzi.cn/blog/20211214115521.png

Complete the rest of the request by passing ?username[0]=inc&username[1]=hello&username[2]=world

https://cdn.bingbingzi.cn/blog/20211214120608.png

In other words, username[1] is passed straight into the $sql variable and run by the execute function. Passing an error-based injection statement, it is parsed and executed as shown:

https://cdn.bingbingzi.cn/blog/20211214121200.png

With Debug enabled, the result of the MySQL execution is output.

https://cdn.bingbingzi.cn/blog/20211214121234.png
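
To make the root cause concrete, here is an added example (not ThinkPHP's own code and not from the original post) that models the inc branch of Builder::parseData() before and after the official fix in plain PHP. The reduced parseKey() rule, the table name and the request values are simplifications or constructed sample data, i.e. assumptions for this illustration rather than lines copied from the framework.

```php
<?php
// Added illustration for this writeup, not ThinkPHP's own code. It models the
// `inc` branch of Builder::parseData() in a few lines so the difference between
// the vulnerable and the fixed shape is visible in the generated SQL. The
// parseKey() rule, the table name and the request values are simplifications
// or constructed sample data (assumptions), not copied from the framework.

// Reduced version of the MySQL builder's parseKey(): a key is wrapped in
// backticks only when it contains none of , ' " * ( ) ` . or whitespace;
// anything containing those characters is returned exactly as received.
function parseKey(string $key): string
{
    if (is_numeric($key)) {
        return $key;
    }
    if (!preg_match('/[,\'"*()`.\s]/', $key)) {
        $key = '`' . $key . '`';
    }
    return $key;
}

// Vulnerable shape (5.0.13-5.0.15 / 5.1.0-5.1.5): the column on the right-hand
// side of the "+" is taken from the request array ($val[1]) and only passes
// through parseKey(), so request text can reach the SQL string unquoted.
function parseDataVulnerable(array $data): array
{
    $result = [];
    foreach ($data as $key => $val) {
        $item = parseKey($key);
        if (is_array($val) && !empty($val) && 'inc' === $val[0]) {
            $result[$item] = parseKey((string) ($val[1] ?? '')) . '+' . floatval($val[2] ?? 0);
        } else {
            $result[$item] = ':' . $key;   // plain values become bound parameters
        }
    }
    return $result;
}

// Fixed shape (the official security update): the right-hand side is always
// the column being updated ($item); the request can only supply the number,
// which is forced through floatval().
function parseDataFixed(array $data): array
{
    $result = [];
    foreach ($data as $key => $val) {
        $item = parseKey($key);
        if (is_array($val) && !empty($val) && 'inc' === $val[0]) {
            $result[$item] = $item . '+' . floatval($val[1] ?? 0);
        } else {
            $result[$item] = ':' . $key;
        }
    }
    return $result;
}

// Assemble the SET clause the way a query builder concatenates it.
function buildUpdate(string $table, array $set, string $where): string
{
    $parts = [];
    foreach ($set as $col => $expr) {
        $parts[] = $col . ' = ' . $expr;
    }
    return 'UPDATE ' . $table . ' SET ' . implode(' , ', $parts) . ' WHERE ' . $where;
}

// Constructed request with the same shape as ?username[0]=inc&username[1]=hello&username[2]=world
// from the writeup; the space in 'hello world' is enough to make parseKey() skip the backticks.
$request = ['username' => ['inc', 'hello world', 'world']];

echo buildUpdate('`user`', parseDataVulnerable($request), '`id` = :id'), "\n";
echo buildUpdate('`user`', parseDataFixed($request), '`id` = :id'), "\n";
```

Run it with the php CLI and compare the two UPDATE statements: in the vulnerable shape the request text hello world appears verbatim and unquoted in the SET clause (parseKey() leaves anything containing a space, parenthesis or quote untouched, which is exactly why username[1] reaches $sql in the post), while in the fixed shape the request can no longer choose the column, and its value is reduced to the number 0 by floatval(). The defensive lesson is the general one: an operator array coming from the request must never select identifiers, only values that are bound or coerced to a safe type.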