Tianmu MVC audit II

This article is edited by Er Nong Xi Zhu

Audit controller

After auditing the entry file and figuring out the routing rules in the previous article , We begin to formally audit the controller .

Home Catalog

from app/home/index.php Start audit , There is nothing to say ahead , But notice here , Although it is judgment, it is not PC Execute when logging in , But we can see the query method it calls , I feel very familiar with , More like think The query method defined in , We recall the last audit , The filtering mechanism of audit , Let's search the whole picture where(, Check one by one , See if there is where The condition is two parameters , perhaps int type .

backstage SQL Inject

Everything comes to him who waits , Here we are , Find out $sid Not wrapped in single quotation marks , And has not been cast int type . The catalogue is admin\controller\special.php, We try to reproduce . Good one SQL Inject holes .

The front desk SQL Inject

Just when I thought there was no front desk SQL At the time of Injection , All of a sudden , I found a location . Suddenly remembered a sentence ： edge , Too wonderful for words .

Look for . have a look $sid How did it get in , Is it controllable

Search this globally get_category_list(), Found in home/controller/special.php in ,category() In this method , adopt GET Incoming sid This value , Although this method is right $sid Protected by single quotation marks , But in calling get_category_list() Time is running naked , well , Repeat it

Completely ok. The audit is completed when the front desk arrives here

The front desk XSS

stay home\controller\articles.php,articles Method this position htmlspecialchars_decode, This function decodes the materialized symbols , It suddenly caught my attention , Because we have audited , It will change the passed in value html Materialized coding , And then put it in the database . In this position, it decodes the data again , Vegetable chicken intuition tells me , There must be something wrong , Let's look for it $data Where does this variable come from

In this 32 OK, we can see that it is queried from this database .

Let's find out how to write , There is too much content here , Use the debug Look at the query statement ："SELECT * FROMtemmoku_articleASAINNER JOINtemmoku_contentASBON A.aid =B.aid WHERE A.aid=3 ORDER BY A.aid DESC LIMIT 1" In retrospect, I made a very uncomfortable mistake , I'll search jab.'content, No search for , Doubt life ing, however , I remembered later , Search for jab."content To position , Uncomfortable .

ad locum ,admin\public_class\article.php in , Find write jab.content database . Keep going back

Find out user\controller\articles.php Call occurs , Look up ,add Method .

Register an account and open the permission to send articles .

Storage type XSS It's a success