转自:http://fuck.0day5.com/archives/1337.html
我为什么要去找社工裤源码呢,我也忘记了,但是就是去找了。
找到之后就看了下别人的查询语句,好吧,想起来了,主要是因为要优化sql语句才去找的。
拿到之后,没有立即搭建,看了下语句也不是我想要的那种。
function get_sql_results($keyword) {
$return = array();
$link = mysql_connect("localhost", "root", "root");
mysql_select_db("sj") or die('数据库连接失败!');
mysql_query("SET names UTF8");
if (!$link) die('数据库连接失败!');
$keyword = urldecode($keyword);
$results = mysql_query('SHOW TABLES');
while ($tbrow = mysql_fetch_array($results)) {
if (strlen($keyword) < 1) return null;
//$sqlb="SELECT * FROM $tbrow[0] WHERE name like '%$keyword%' or email like '%$keyword%'";
$sqlb = "SELECT * FROM $tbrow[0] WHERE pass like '" . $keyword . "%' or uname like '" . $keyword . "%' or email like '" . $keyword . "%' or salt like '" . $keyword . "%' ";
//echo $sqlb ."<br/>";
$query = mysql_query($sqlb);
while ($row = mysql_fetch_assoc($query)) {
$return[] = array(
'name' => highLightKeyword($row['uname'], $keyword) ,
'pass' => highLightKeyword($row['pass'], $keyword).is_md5($row['pass']),
'salt' => $row['salt'],
'email' => highLightKeyword($row['email'], $keyword) ,
'site' => $row['site'],
'ip' => is_ip($row['ip']),
);
$count++;
}
}
mysql_close($link);
return $return;
}
不过却给我提供了思路
把全部的的表存放到一个字段,然后利用php foreach来遍历后输出结果,或许也是一种办法。
不过看到他的注册页面了
case "regMethod":
$name = trim(mysql_real_escape_string($_POST['name']));
$pass = trim(mysql_real_escape_string($_POST['pass']));
$mail = trim(mysql_real_escape_string($_POST['mail']));
$passcache = trim(mysql_real_escape_string($_POST['passcache']));
$icode = trim(mysql_real_escape_string($_POST['icode']));
k($name, "用户名为空", "index.php?act=reg");
k($pass, "密码为空", "index.php?act=reg");
k($mail, "邮箱为空", "index.php?act=reg");
k($passcache, "重复密码为空", "index.php?act=reg");
k($icode, "邀请码为空", "index.php?act=reg");
if ($pass != $passcache) {
k($kong, "两个密码不一样哦", "index.php?act=reg");
}
$sql = $mysql->select("*", "user", "name", "'" . $name . "'"); //选择数据
if (!empty($sql)) {
k($kong, "抱歉哦,此用户名已经有人注册啦", "index.php?act=reg");
}
$yqm = $mysql->select("*", "code", "code", "'" . $icode . "'"); //选择数据
if (empty($yqm) || $yqm['mid'] == '1') {
k($kong, "邀请码不存在或已使用", "index.php?act=reg");
}
$mid = $yqm['mid'];
if ($mid == 1) {
k($kong, "邀请码不存在或已使用", "index.php?act=reg");
}
$pass = pass($pass);
$mysql->insert("user", "name,pass,mail,time,ip", "'" . $name . "','" . $pass . "','" . $mail . "','" . time() . "','" . getIP() . "'"); //直接就执行了插入语句
$mysql->update("code", "mid", "1", "code", "'" . $icode . "'");
$_SESSION['name'] = $name;
$_SESSION['pass'] = $pass;
$_SESSION['mail'] = $mail;
$_SESSION['ip'] = getIP();
k($kong, "注册成功", "index.php");
exit;
在各种验证匹配后就直接进入了insert阶段,再看看这个getIP()为何物,直接再config.php里面找到了
function getIP() {
if (getenv('HTTP_CLIENT_IP')) {
$ip = getenv('HTTP_CLIENT_IP');
}
elseif (getenv('HTTP_X_FORWARDED_FOR')) {
$ip = getenv('HTTP_X_FORWARDED_FOR');
}
elseif (getenv('HTTP_X_FORWARDED')) {
$ip = getenv('HTTP_X_FORWARDED');
}
elseif (getenv('HTTP_FORWARDED_FOR')) {
$ip = getenv('HTTP_FORWARDED_FOR');
}
elseif (getenv('HTTP_FORWARDED')) {
$ip = getenv('HTTP_FORWARDED');
}
else {
$ip = $_SERVER['REMOTE_ADDR'];
}
return $ip;
}
然后,想起了上次某个团购的也是酱紫的~
设置X-Forwarded-For为xx’打破insert语句,就会报错了,然后慢慢的注入。估计人家注册一次,整个裤子都得贡献出去啊!
修复方法参考某CMS想到了一个折中的办法
//参数处理函数
function RepPostVar($val){
$val=str_replace(" ","",$val);
$val=str_replace("'","",$val);
$val=str_replace("\"","",$val);
$val=addslashes(stripSlashes($val));
return $val;
}
/**
* 获得用户的真实IP地址
*
* @access public
* @return string
*/
function real_ip(){
if(getenv('HTTP_CLIENT_IP')&&strcasecmp(getenv('HTTP_CLIENT_IP'),'unknown'))
{
$ip=getenv('HTTP_CLIENT_IP');
}
elseif(getenv('HTTP_X_FORWARDED_FOR')&&strcasecmp(getenv('HTTP_X_FORWARDED_FOR'),'unknown'))
{
$ip=getenv('HTTP_X_FORWARDED_FOR');
}
elseif(getenv('REMOTE_ADDR')&&strcasecmp(getenv('REMOTE_ADDR'),'unknown'))
{
$ip=getenv('REMOTE_ADDR');
}
elseif(isset($_SERVER['REMOTE_ADDR'])&&$_SERVER['REMOTE_ADDR']&&strcasecmp($_SERVER['REMOTE_ADDR'],'unknown'))
{
$ip=$_SERVER['REMOTE_ADDR'];
}
$ip=RepPostVar(preg_replace("/^([\d\.]+).*/","\\1",$ip));
return $ip;
}
转载请注明:jinglingshu的博客 » 小审计一个社工裤源码