#php #sql-injection
Вопрос:
Я использую OWASP ZAP 2.11.0 для сканирования веб-сайта на XAMPP 8.0.13. Сканер сообщает о двух видах SQL-инъекции с высоким уровнем риска:
Upgrade-Insecure-Requests: 1 AND 1=1 --
GET http://192.168.7.130/ncc/siteadmin/login.php HTTP/1.1 Host: 192.168.7.130 Proxy-Connection: keep-alive Upgrade-Insecure-Requests: 1 AND 1=1 -- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/96.0.4664.45 Safari/537.36 Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.7.130/ncc/siteadmin/logout.php Accept-Language: zh-TW Cookie: PHPSESSID=jrkq4ub9703hvka3tgs503imd0 Content-Length: 0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 AND 1=1
GET http://192.168.7.130/ncc/siteadmin/logout.php HTTP/1.1 Host: 192.168.7.130 Proxy-Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/96.0.4664.45 Safari/537.36 Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 AND 1=1 Accept-Language: zh-TW Cookie: PHPSESSID=jrkq4ub9703hvka3tgs503imd0 Content-Length: 0
но в своём коде я не использую ни $_SERVER['Upgrade-Insecure-Requests'], ни $_SERVER['Accept']. Является ли это ложной тревогой?
login.php
<?php
// login.php — admin login page.
//
// NOTE(review): this listing was reconstructed from an HTML-entity-mangled
// paste: `lt;`/`gt;`/`amp;` were restored to `<`/`>`/`&`, and `+` operators
// that had been dropped (`time() + 60`, `$ii++`) were restored. Two tokens
// were unrecoverable and are marked "reconstructed" inline — confirm them
// against the original file.
//
// Flow: harden the session cookie, mint a CSRF token, load the DB helpers,
// then (second PHP block) validate the CSRF token, optionally check the
// client IP against `ip_lock`, look the account up in `admin_account`,
// populate the session and redirect.
//
// Input this file reads directly: $_SERVER['REQUEST_URI'], PHP_SELF, HTTP_HOST,
// SERVER_NAME, HTTPS, SERVER_PORT; $_GET (presence only); $_COOKIE['HTTP_REFERER']
// and $_COOKIE['keepUsername']; form fields via ck_data(); the client address
// via getIP(). It does not read the Accept or Upgrade-Insecure-Requests
// headers — but the included files (config.php, DBConn.php, func.php,
// AdminMenu.php) are not shown here, so they cannot be ruled out.

ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_samesite', 'Strict');
session_set_cookie_params(["SameSite" => "Strict"]); //none, lax, strict
// NOTE(review): a second call with only "Domain" — confirm it does not reset
// the SameSite option set on the line above.
session_set_cookie_params(["Domain" => ($_SERVER['SERVER_NAME'] ?? '')]);
//ini_set('session.cookie_secure', 1);//need to be https
if (!isset($_SESSION)) session_start();

// CSRF token, created once per session.
// NOTE(review): mt_rand()/uniqid() are not cryptographic sources; a token
// built from random_bytes() (e.g. bin2hex(random_bytes(16)), same 32-hex
// length) would be the standard choice.
if (!isset($_SESSION['token'])) {
    $token = $_SESSION['token'] = md5(uniqid(mt_rand(), true));
} else {
    $token = $_SESSION['token'];
}

include __DIR__ . '/../config.php';
require __DIR__ . '/../includes/DBConn.php';
require __DIR__ . '/includes/AdminMenu.php';
require __DIR__ . '/includes/func.php';

$sql = new DataBase();
$mysqli = $sql->conn();
$topData = array();

//xss
// Crude request-path filters; each one redirects back to this page.
if (strstr($_SERVER['REQUEST_URI'], '.php/')) { header('Location:login.php'); exit; }
if (strstr($_SERVER['REQUEST_URI'], '.php?=')) { header('Location:login.php'); exit; }
// reconstructed: the quote literal was garbled in the paste — confirm.
if (strstr($_SERVER['REQUEST_URI'], "'")) { header('Location:login.php'); exit; }

//REFERER xss
checkREFERER();

// This block looks like a shared admin header: on login.php itself the
// preg_match() branch is taken and nothing below it runs.
if (preg_match('/login.php/', $_SERVER['PHP_SELF'])) {
} else if (empty($_SESSION["admin_data"])) {
    // Not logged in: remember the requested URL in a cookie, then bounce to login.
    if ((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || $_SERVER['SERVER_PORT'] == 443) {
        $http = 'https://';
    } else {
        $http = 'http://';
    }
    // NOTE(review): HTTP_HOST is client-supplied and is later used as a
    // redirect target (see the $goto branch below) — see that note.
    setcookie("HTTP_REFERER", $http . mysqliChkData(($_SERVER['HTTP_HOST'] ?? '')) . mysqliChkData(($_SERVER['REQUEST_URI'] ?? '')), ['expires' => time() + 60, 'domain' => mysqliChkData(($_SERVER['SERVER_NAME'] ?? '')), 'samesite' => 'Strict', 'httponly' => true]);
    header('location:login.php');
    exit;
} else {
    // Logged in: build the per-menu permission map, cached in the session.
    $preData = array();
    if (empty($_SESSION['permissions'])) {
        if ($_SESSION["admin_id"] != 'sysadmin') {
            // NOTE(review): `groups` is interpolated unescaped. It comes from the
            // admin_account row stored in the session at login, so this is a
            // second-order injection path if that column ever holds a quote;
            // a prepared statement on $mysqli would remove the question.
            $getSQL = "SELECT * From `admin_permissions` where `groups` = '" . $_SESSION['admin_data']['groups'] . "' ";
            $tempData = $sql->SelectDB($getSQL);
            $tempData = $tempData['data'];
            for ($ii = 0; $ii < count($tempData); $ii++) {
                $preData[$tempData[$ii]['menu_guid']] = $tempData[$ii]['permissions'];
            }
        } else {
            // sysadmin gets every non-root menu with full rights.
            $getSQL = "SELECT guid From `admin_menu` where `up_cls` != '0' ";
            $tempData = $sql->SelectDB($getSQL);
            $tempData = $tempData['data'];
            for ($ii = 0; $ii < count($tempData); $ii++) {
                $preData[$tempData[$ii]['guid']] = 'R,E,A,D,';
            }
        }
        $_SESSION['permissions'] = $preData;
    } else {
        $preData = $_SESSION['permissions'];
    }
    $adminmenu = new AdminMenu(ck_data('m'), $preData);
    $adminMenuData = $adminmenu->adminMenuData;
    if ($adminMenuData['num'] == 0) { header('Location:login.php'); exit; }
    $_SESSION["menuGuid"] = $adminMenuData['data'][0]["guid"];
    $menuDataTemp = $adminmenu->menuDataTemp;
    $menuData = $menuDataTemp['data'];
    $adminData = $_SESSION["admin_data"];
    $adminData['default_url'] = $_SESSION['default_url'];
    $adminData['REQUEST_URI'] = $_SERVER['REQUEST_URI'];
}
?>
<?php
// Viewing the login page always clears the current admin session data.
$_SESSION['admin_data'] = '';
$_SESSION['permissions'] = '';
$data = array();
$data['adminTitle'] = "login";
$sql = new DataBase();

//prevent xss
// Any query string at all is rejected.
if (!empty($_GET)) { header("Location:login.php"); exit; }

// Form submitted: username + password ("qaswdr") present.
if (ck_data('username') != '' && ck_data('qaswdr') != '') {
    // --- CSRF check -------------------------------------------------------
    $token = ck_data('csrf_token');
    if ($token) {
        // NOTE(review): `==` is a loose, non-constant-time comparison;
        // hash_equals((string) $_SESSION['token'], (string) $token) is the
        // usual form for comparing secrets.
        if ($token == $_SESSION['token']) {
        } else {
            // NOTE(review): echo before header() — this only works if output
            // buffering is on; otherwise the redirect header is never sent.
            // The same pattern repeats at every alert() below.
            echo alert('invalid token', 'login.php');
            header('location:login.php');
            exit;
        }
    } else {
        echo alert('no token', 'login.php');
        header('location:login.php');
        exit;
    } //if ($token)

    // --- IP whitelist (skipped for sysadmin; only enforced if ip_lock is non-empty) ---
    if (ck_data('username') != 'sysadmin') {
        $sqlIP = "SELECT id From `ip_lock` ";
        $ipData = $sql->SelectDB($sqlIP);
        if ($ipData['num'] != 0) {
            $ipArr = explode('.', getIP());
            // NOTE(review): the octets are interpolated without escaping. Whether
            // this is attacker-reachable depends on getIP() (not shown) — if it
            // honours X-Forwarded-For or similar headers, this string is
            // client-controlled. Also: an address with fewer than three dots
            // (e.g. an IPv6 literal) leaves $ipArr[1..3] undefined.
            $sqlIP2 = "SELECT id, chk From `ip_lock` Where (`ip` = '" . $ipArr[0] . ".*.*.*' or `ip` = '" . $ipArr[0] . "." . $ipArr[1] . ".*.*' or `ip` = '" . $ipArr[0] . "." . $ipArr[1] . "." . $ipArr[2] . ".*' or `ip` = '" . $ipArr[0] . "." . $ipArr[1] . "." . $ipArr[2] . "." . $ipArr[3] . "') ";
            $ipData2 = $sql->SelectDB($sqlIP2);
            if ($ipData2['num'] == 0) {
                $msg = 'IP not in white list!';
                $act = 'Failed';
                saveLoginLog(ck_data('username'), $msg, $act);
                echo alert($msg, 'login.php');
                exit;
            } else {
                if ($ipData2['data'][0]['chk'] == 'N') {
                    $msg = 'IP not in white list!';
                    $act = 'Failed';
                    saveLoginLog(ck_data('username'), $msg, $act);
                    echo alert($msg, 'login.php');
                    exit;
                }
            }
        }
    }

    // --- Credential check -------------------------------------------------
    // Both inputs pass through mysqliChkData() (escaping helper, not shown)
    // before interpolation; a prepared statement would not depend on it.
    $username = mysqliChkData(ck_data('username'));
    $qaswdr = mysqliChkData(trim(ck_data('qaswdr')));
    // NOTE(review): passwords are stored as unsalted md5. Moving to
    // password_hash()/password_verify() requires a storage migration but is
    // the standard remediation.
    $sqlTXT = "SELECT * From `admin_account` where `admin_id`='" . $username . "' and `admin_qaswdr`='" . md5($qaswdr) . "' and `chk`='Y'";
    // Account validity window; '1971-01-01 00:00:00' and '' mean "no bound".
    $sqlTXT .= " and (`start_date` <= '" . date('Y-m-d H:i:s') . "' or `start_date` = '1971-01-01 00:00:00' or `start_date` = '') and (`end_date` >= '" . date('Y-m-d H:i:s') . "' or `end_date` = '1971-01-01 00:00:00' or `end_date` = '' )";
    $loginData = $sql->SelectDB($sqlTXT);
    if ($loginData['num'] == 0) {
        $msg = 'Retry!';
        $act = 'Failed';
        saveLoginLog(ck_data('username'), $msg, $act);
        echo alert($msg, 'login.php');
        exit;
    } else {
        $loginData = $loginData['data'][0];
        $rsData = array();
        // NOTE(review): `groups` from the DB row, interpolated unescaped (same
        // second-order concern as in the header block above).
        $getSQL2 = "SELECT * From `admin_group` where `guid`= '" . $loginData['groups'] . "'";
        $mData2 = $sql->SelectDB($getSQL2);
        if ($loginData['admin_id'] != 'sysadmin' && $mData2['data'][0]['chk'] == 'N') {
            $msg = 'Diabled!';
            $act = 'Failed';
            saveLoginLog(ck_data('username'), $msg, $act);
            echo alert($msg, 'login.php');
            exit;
        }
        $_SESSION['admin_id'] = $loginData['admin_id'];
        $_SESSION['admin_PK'] = $loginData['id'];

        // "Remember username" cookie.
        if (ck_data('keep') == 'Y') {
            setcookie("keepUsername", $_SESSION['admin_id'], ['expires' => time() + 60, 'domain' => mysqliChkData(($_SERVER['SERVER_NAME'] ?? '')), 'samesite' => 'Strict', 'httponly' => true]);
        } else {
            // NOTE(review): this call mixes the positional form (int expires)
            // with the options array, so the array lands in the string $path
            // parameter — on PHP 8 that is a TypeError. Confirm this branch is
            // reached; the intent is presumably to delete the cookie.
            setcookie("keepUsername", '', time() + 3600 * 24 * 30, ['expires' => time() + 60, 'domain' => mysqliChkData(($_SERVER['SERVER_NAME'] ?? '')), 'samesite' => 'Strict', 'httponly' => true]);
        }

        $msg = 'login';
        $act = 'success';
        saveLoginLog(ck_data('username'), $msg, $act);
        $_SESSION['admin_data'] = $loginData;

        // --- Pick the post-login landing page ---------------------------------
        // Fallback: the user's own account record. The account's default_url
        // (second `if`) takes precedence over the group's (first `if`).
        $default_url = 'setInput.php?t=admin_account&m=33&guid=' . $loginData['guid'] . '&r=Y';
        if (!empty($mData2['data'][0]['default_url'])) {
            // NOTE(review): DB value interpolated unescaped (see `groups` above).
            $getSQL3 = "SELECT tables,id,default_id From `admin_menu` where `guid`= '" . $mData2['data'][0]['default_url'] . "'";
        }
        if (!empty($loginData['default_url'])) {
            $getSQL3 = "SELECT tables, id, default_id From `admin_menu` where `guid`= '" . $loginData['default_url'] . "'";
        }
        if (!empty($getSQL3)) {
            $mData3 = $sql->SelectDB($getSQL3);
            if ($mData3['num'] > 0) {
                $default_url = 'set.php?t=' . $mData3['data'][0]['tables'] . '&m=' . $mData3['data'][0]['id'];
                if (!empty($mData3['data'][0]['default_id']) && $mData3['data'][0]['default_id'] != '0') {
                    $default_url = 'setInput.php?t=' . $mData3['data'][0]['tables'] . '&m=' . $mData3['data'][0]['id'] . '&guid=' . $mData3['data'][0]['default_id'];
                }
            }
        }//if (!empty($getSQL3)) {

        // Per-session UI settings; sysadmin gets fixed values.
        $_SESSION['view_modify'] = 'N';
        if ($loginData['admin_id'] != 'sysadmin') {
            $_SESSION['view_modify'] = $mData2['data'][0]['view_modify'];
            $_SESSION['use_lang'] = $mData2['data'][0]['use_lang'];
            $_SESSION['s_lang'] = $mData2['data'][0]['s_lang'];
        } else {
            $_SESSION['use_lang'] = 'en,tw,es,jp,de,fr,it,ru';
            $_SESSION['s_lang'] = 'en';
        }
        $_SESSION['default_url'] = $default_url;

        // Record last-login details on the account row.
        $saveData['ip'] = getIP();
        $saveData['login_time'] = date('Y-m-d H:i:s');
        $saveData['editID'] = $loginData['guid'];
        $rsData[] = $sql->UpdateDBinGUID('admin_account', $saveData);

        // --- Redirect ---------------------------------------------------------
        // NOTE(review): $_COOKIE['HTTP_REFERER'] is set by this application but
        // it is still a client-supplied cookie, and the value written into it
        // starts with the client-supplied HTTP_HOST. The only check before the
        // `header('location:' . $goto)` below is the strstr() filter, so this
        // is an open-redirect candidate; comparing the host against a fixed
        // allow-list (or redirecting to a relative path) would close it.
        if (isset($_COOKIE['HTTP_REFERER'])) {
            if (is_array($_COOKIE['HTTP_REFERER'])) {
                header('location:' . $default_url);
                exit;
            }
            if (!strstr($_COOKIE['HTTP_REFERER'], 'set') && !strstr($_COOKIE['HTTP_REFERER'], 'setInput') && !strstr($_COOKIE['HTTP_REFERER'], 'download') || strstr($_COOKIE['HTTP_REFERER'], 'login') || strstr($_COOKIE['HTTP_REFERER'], 'logout')) {
                header('location:' . $default_url);
                exit;
            } else {
                $goto = mysqliChkData(htmlspecialchars($_COOKIE['HTTP_REFERER']));
                // reconstructed: both arguments were garbled in the paste; the
                // apparent intent is to undo htmlspecialchars() on `&` — confirm.
                $goto = str_replace('&amp;', '&', $goto);
                header('location:' . $goto);
                exit;
            }
        } else {
            header('location:' . $default_url);
            exit;
        }
    }
}

// Pre-fill the username field from the "remember" cookie.
$data['keepUsername'] = '';
if (!empty($_COOKIE['keepUsername'])) {
    if (!is_array($_COOKIE['keepUsername'])) {
        //avoid xss
        // NOTE(review): `chr(0xbf)` and `chr(0x27)` inside a regex literal match
        // the text "chr0xbf"/"chr0x27", not the bytes 0xBF and the apostrophe —
        // presumably `\xbf` and `\x27` were meant. Also, the cookie is cleared
        // when the pattern does NOT match, yet the value is used either way on
        // the line after; the condition looks inverted — confirm intent.
        if (!preg_match('/<|chr(0xbf)|chr(0x27)/', $_COOKIE['keepUsername'])) {
            setcookie("keepUsername", "", ['expires' => time() - 3600 * 24 * 30, 'domain' => mysqliChkData(($_SERVER['SERVER_NAME'] ?? '')), 'SameSite' => 'Strict', 'HttpOnly' => true]);
        }
        $data['keepUsername'] = mysqliChkData(htmlspecialchars($_COOKIE['keepUsername']));
    }
}
include_once __DIR__ . '/html/login_h.php';
Комментарии:
1. Не зная ничего о вашем приложении, мы мало что можем сказать — предположительно, инструмент обнаружил какое-то неожиданное поведение при отправке этих запросов.