您的位置 » 首页 » 代码审计 » 代码审计:anwsion一个类设置缺陷导致安全过滤失效,附带一个利用案例

代码审计:anwsion一个类设置缺陷导致安全过滤失效,附带一个利用案例

发表于4年前 | 作者: seay | 分类: 代码审计 | 孵化于:2013年01月14日 | 文章热度:6,956 次 全屏阅读

显示不全请点击全屏阅读

anwsion一个类设置缺陷。哎。。。。

 
models/system.php
 
public function analysis_keyword($string)
{
$string = str_replace(array(
“~”, 
“!”, 
“@”, 
“#”, 
“$”, 
“%”, 
“^”, 
“&”, 
“*”, 
“,”, 
“.”, 
“?”, 
“;”, 
“:”, 
“‘”, 
‘”‘, 
“[“, 
“]”, 
“{“, 
“}”, 
“!”, 
” ¥”, 
“……”, 
“…”, 
“、”, 
“,”, 
“。”, 
“?”, 
“;”, 
“:”, 
“‘”, 
““”, 
“””, 
“’”, 
” 【”, 
“】”, 
“~”, 
“!”, 
“@”, 
“#”, 
“$”, 
“%”, 
“^”, 
“&”, 
“*”, 
“,”, 
“.”, 
” <”, 
“>”, 
“;”, 
“:”, 
“'”, 
“"”, 
“[”, 
“]”, 
“{”, 
“}”, 
“/”, 
“\”
), ”, $string);
 
$analysis = new Services_Phpanalysis_Phpanalysis();
 
$analysis->SetSource(strtolower($string));
$analysis->StartAnalysis();
 
$final_result = $analysis->GetFinallyResult(‘,’);
 
$final_result = explode(‘,’, $final_result);
 
if (is_array($final_result))
{
$final_result = array_unique($final_result);
 
foreach ($final_result as $key => $keyword)
{
if (!$this->check_stop_keyword($keyword))
{
unset($final_result[$key]);
}
else
{
$final_result[$key] = trim($keyword);
}
}
}
 
return $final_result;
}
}
 
 
缺陷1:)圆角的。。。。
 
缺陷2:)正则根本没有来匹配。。。
 
你们过滤是这个:
check_stop_keyword类:
public function check_stop_keyword($keyword)
{
if (trim($keyword) == ”)
{
return false;
}
 
if (cjk_strlen($keyword) == 1)
{
return false;
}
 
if (strstr($keyword, ‘了’) OR strstr($keyword, ‘的’) OR strstr($keyword, ‘有’))
{
return false;
}
 
static $stop_words_list;
 
if (!$stop_words_list)
{
$stop_words_list = array(
‘?’, ‘、’, ‘。’, ‘“’, ‘”’, ‘《’, ‘》’, ‘!’, ‘,’, ‘:’, ‘;’, ‘?’, ‘末’, ‘啊’, ‘阿’, ‘哎’, ‘哎呀’, ‘哎哟’, ‘唉’, ‘俺’, ‘俺们’, ‘按’, ‘按照’, ‘吧’, ‘吧哒’, ‘把’, ‘被’, ‘本’, ‘本着’, ‘比’, ‘比方’, ‘比如’, ‘鄙人’, ‘彼’, ‘彼此’, ‘边’, ‘别’, ‘别说’, ‘并’, ‘并且’, ‘不比’, ‘不成’, ‘不单’, ‘不但’, ‘不独’, ‘不管’, ‘不光’, ‘不过’, ‘不仅’, ‘不拘’, ‘不论’, ‘不怕’, ‘不然’, ‘不如’, ‘不特’, ‘不惟’, ‘不问’, ‘不只’, ‘朝’, ‘朝着’, ‘趁’, ‘趁着’, ‘乘’, ‘冲’, ‘除’, ‘除此之外’, ‘除非’, ‘此’, ‘此间’, ‘此外’, ‘从’, ‘从而’, ‘打’, ‘待’, ‘但’, ‘但是’, ‘当’, ‘当着’, ‘到’, ‘得’, ‘等’, ‘等等’, ‘地’, ‘第’, ‘叮咚’, ‘对’, ‘对于’, ‘多’, ‘多少’, ‘而’, ‘而况’, ‘而且’, ‘而是’, ‘而外’, ‘而言’, ‘而已’, ‘尔后’, ‘反过来’, ‘反过来说’, ‘反之’, ‘非但’, ‘非徒’, ‘否则’, ‘嘎’, ‘嘎登’, ‘该’, ‘赶’, ‘个’, ‘各’, ‘各个’, ‘各位’, ‘各种’, ‘各自’, ‘给’, ‘根据’, ‘跟’, ‘故’, ‘故此’, ‘固然’, ‘关于’, ‘管’, ‘归’, ‘果然’, ‘果真’, ‘过’, ‘哈’, ‘哈哈’, ‘呵’, ‘和’, ‘何’, ‘何处’, ‘何况’, ‘何时’, ‘嘿’, ‘哼’, ‘哼唷’, ‘呼哧’, ‘乎’, ‘哗’, ‘还是’, ‘换句话说’, ‘换言之’, ‘或’, ‘或是’, ‘或者’, ‘及’, ‘及其’, ‘及至’, ‘即’, ‘即便’, ‘即或’, ‘即令’, ‘即若’, ‘即使’, ‘几’, ‘几时’, ‘己’, ‘既’, ‘既然’, ‘既是’, ‘继而’, ‘加之’, ‘假如’, ‘假若’, ‘假使’, ‘鉴于’, ‘将’, ‘较’, ‘较之’, ‘叫’, ‘接着’, ‘结果’, ‘借’, ‘紧接着’, ‘进而’, ‘尽’, ‘尽管’, ‘经’, ‘经过’, ‘就’, ‘就是’, ‘就是说’, ‘据’, ‘具体地说’, ‘具体说来’, ‘开始’, ‘开外’, ‘靠’, ‘咳’, ‘可’, ‘可见’, ‘可是’, ‘可以’, ‘况且’, ‘啦’, ‘来’, ‘来着’, ‘离’, ‘例如’, ‘哩’, ‘连’, ‘连同’, ‘两者’, ‘临’, ‘另’, ‘另外’, ‘另一方面’, ‘论’, ‘嘛’, ‘吗’, ‘慢说’, ‘漫说’, ‘冒’, ‘么’, ‘每’, ‘每当’, ‘们’, ‘莫若’, ‘某’, ‘某个’, ‘某些’, ‘拿’, ‘哪’, ‘哪边’, ‘哪儿’, ‘哪个’, ‘哪里’, ‘哪年’, ‘哪怕’, ‘哪天’, ‘哪些’, ‘哪样’, ‘那’, ‘那边’, ‘那儿’, ‘那个’, ‘那会儿’, ‘那里’, ‘那么’, ‘那么些’, ‘那么样’, ‘那时’, ‘那些’, ‘那样’, ‘乃’, ‘乃至’, ‘呢’, ‘能’, ‘你’, ‘你们’, ‘您’, ‘宁’, ‘宁可’, ‘宁肯’, ‘宁愿’, ‘哦’, ‘呕’, ‘啪达’, ‘旁人’, ‘呸’, ‘凭’, ‘凭借’, ‘其’, ‘其次’, ‘其二’, ‘其他’, ‘其它’, ‘其一’, ‘其余’, ‘其中’, ‘起’, ‘起见’, ‘起见’, ‘岂但’, ‘恰恰相反’, ‘前后’, ‘前者’, ‘且’, ‘然而’, ‘然后’, ‘然则’, ‘让’, ‘人家’, ‘任’, ‘任何’, ‘任凭’, ‘如’, ‘如此’, ‘如果’, ‘如何’, ‘如其’, ‘如若’, ‘如上所述’, ‘若’, ‘若非’, ‘若是’, ‘啥’, ‘上下’, ‘尚且’, ‘设若’, ‘设使’, ‘甚而’, ‘甚么’, ‘甚至’, ‘省得’, ‘时候’, ‘什么’, ‘什么样’, ‘使得’, ‘是’, ‘首先’, ‘谁’, ‘谁知’, ‘顺’, ‘顺着’,  ‘虽’, ‘虽然’, ‘虽说’, ‘虽则’, ‘随’, ‘随着’, ‘所’, ‘所以’, ‘他’, ‘他们’, ‘他人’, ‘它’, ‘它们’, ‘她’, ‘她们’, ‘倘’, ‘倘或’, ‘倘然’, ‘倘若’, ‘倘使’, ‘腾’, ‘替’, ‘通过’, ‘同’, ‘同时’, ‘哇’, ‘万一’, ‘往’, ‘望’, ‘为’, ‘为何’, ‘为什么’, ‘为着’, ‘喂’, ‘嗡嗡’, ‘我’, ‘我们’, ‘呜’, ‘呜呼’, ‘乌乎’, ‘无论’, ‘无宁’, ‘毋宁’, ‘嘻’, ‘吓’, ‘相对而言’, ‘像’, ‘向’, ‘向着’, ‘嘘’, ‘呀’, ‘焉’, ‘沿’, ‘沿着’, ‘要’, ‘要不’, ‘要不然’, ‘要不是’, ‘要么’, ‘要是’, ‘也’, ‘也罢’, ‘也好’, ‘一’, ‘一般’, ‘一旦’, ‘一方面’, ‘一来’, ‘一切’, ‘一样’, ‘一则’, ‘依’, ‘依照’, ‘矣’, ‘以’, ‘以便’, ‘以及’, ‘以免’, ‘以至’, ‘以至于’, ‘以致’, ‘抑或’, ‘因’, ‘因此’, ‘因而’, ‘因为’, ‘哟’, ‘用’, ‘由’, ‘由此可见’, ‘由于’, ‘又’, ‘于’, ‘于是’, ‘于是乎’, ‘与’, ‘与此同时’, ‘与否’, ‘与其’, ‘越是’, ‘云云’, ‘哉’, ‘再说’, ‘再者’, ‘在’, ‘在下’, ‘咱’, ‘咱们’, ‘则’, ‘怎’, ‘怎么’, ‘怎么办’, ‘怎么样’, ‘怎样’, ‘咋’, ‘照’, ‘照着’, ‘者’, ‘这’, ‘这边’, ‘这儿’, ‘这个’, ‘这会儿’, ‘这就是说’, ‘这里’, ‘这么’, ‘这么点儿’, ‘这么些’, ‘这么样’, ‘这时’, ‘这些’, ‘这样’, ‘正如’, ‘吱’, ‘之’, ‘之类’, ‘之所以’, ‘之一’, ‘只是’, ‘只限’, ‘只要’, ‘至’, ‘至于’, ‘诸位’, ‘着’, ‘着呢’, ‘自’, ‘自从’, ‘自个儿’, ‘自各儿’, ‘自己’, ‘自家’, ‘自身’, ‘综上所述’, ‘总而言之’, ‘总之’, ‘纵’, ‘纵令’, ‘纵然’, ‘纵使’, ‘遵照’, ‘作为’, ‘兮’, ‘呃’, ‘呗’, ‘咚’, ‘咦’, ‘喏’, ‘啐’, ‘喔唷’, ‘嗬’, ‘嗯’, ‘嗳’,
‘a\’s’, ‘able’, ‘about’, ‘above’, ‘according’, ‘accordingly’, ‘across’, ‘actually’,
‘after’, ‘afterwards’, ‘again’, ‘against’, ‘ain\’t’, ‘all’, ‘allow’, ‘allows’,
‘almost’, ‘alone’, ‘along’, ‘already’, ‘also’, ‘although’, ‘always’, ‘am’,
‘among’, ‘amongst’, ‘an’, ‘and’, ‘another’, ‘any’, ‘anybody’, ‘anyhow’,
‘anyone’, ‘anything’, ‘anyway’, ‘anyways’, ‘anywhere’, ‘apart’, ‘appear’, ‘appreciate’,
‘appropriate’, ‘are’, ‘aren\’t’, ‘around’, ‘as’, ‘aside’, ‘ask’, ‘asking’,
‘associated’, ‘at’, ‘available’, ‘away’, ‘awfully’, ‘be’, ‘became’, ‘because’,
‘become’, ‘becomes’, ‘becoming’, ‘been’, ‘before’, ‘beforehand’, ‘behind’, ‘being’,
‘believe’, ‘below’, ‘beside’, ‘besides’, ‘best’, ‘better’, ‘between’, ‘beyond’,
‘both’, ‘brief’, ‘but’, ‘by’, ‘c\’mon’, ‘c\’s’, ‘came’, ‘can’,
‘can\’t’, ‘cannot’, ‘cant’, ’cause’, ’causes’, ‘certain’, ‘certainly’, ‘changes’,
‘clearly’, ‘co’, ‘com’, ‘come’, ‘comes’, ‘concerning’, ‘consequently’, ‘consider’,
‘considering’, ‘contain’, ‘containing’, ‘contains’, ‘corresponding’, ‘could’, ‘couldn\’t’, ‘course’,
‘currently’, ‘definitely’, ‘described’, ‘despite’, ‘did’, ‘didn\’t’, ‘different’, ‘do’,
‘does’, ‘doesn\’t’, ‘doing’, ‘don\’t’, ‘done’, ‘down’, ‘downwards’, ‘during’,
‘each’, ‘edu’, ‘eg’, ‘eight’, ‘either’, ‘else’, ‘elsewhere’, ‘enough’,
‘entirely’, ‘especially’, ‘et’, ‘etc’, ‘even’, ‘ever’, ‘every’, ‘everybody’,
‘everyone’, ‘everything’, ‘everywhere’, ‘ex’, ‘exactly’, ‘example’, ‘except’, ‘far’,
‘few’, ‘fifth’, ‘first’, ‘five’, ‘followed’, ‘following’, ‘follows’, ‘for’,
‘former’, ‘formerly’, ‘forth’, ‘four’, ‘from’, ‘further’, ‘furthermore’, ‘get’,
‘gets’, ‘getting’, ‘given’, ‘gives’, ‘go’, ‘goes’, ‘going’, ‘gone’,
‘got’, ‘gotten’, ‘greetings’, ‘had’, ‘hadn\’t’, ‘happens’, ‘hardly’, ‘has’,
‘hasn\’t’, ‘have’, ‘haven\’t’, ‘having’, ‘he’, ‘he\’s’, ‘hello’, ‘help’,
‘hence’, ‘her’, ‘here’, ‘here\’s’, ‘hereafter’, ‘hereby’, ‘herein’, ‘hereupon’,
‘hers’, ‘herself’, ‘hi’, ‘him’, ‘himself’, ‘his’, ‘hither’, ‘hopefully’,
‘how’, ‘howbeit’, ‘however’, ‘i\’d’, ‘i\’ll’, ‘i\’m’, ‘i\’ve’, ‘ie’,
‘if’, ‘ignored’, ‘immediate’, ‘in’, ‘inasmuch’, ‘inc’, ‘indeed’, ‘indicate’,
‘indicated’, ‘indicates’, ‘inner’, ‘insofar’, ‘instead’, ‘into’, ‘inward’, ‘is’,
‘isn\’t’, ‘it’, ‘it\’d’, ‘it\’ll’, ‘it\’s’, ‘its’, ‘itself’, ‘just’,
‘keep’, ‘keeps’, ‘kept’, ‘know’, ‘known’, ‘knows’, ‘last’, ‘lately’,
‘later’, ‘latter’, ‘latterly’, ‘least’, ‘less’, ‘lest’, ‘let’, ‘let\’s’,
‘like’, ‘liked’, ‘likely’, ‘little’, ‘look’, ‘looking’, ‘looks’, ‘ltd’,
‘mainly’, ‘many’, ‘may’, ‘maybe’, ‘me’, ‘mean’, ‘meanwhile’, ‘merely’,
‘might’, ‘more’, ‘moreover’, ‘most’, ‘mostly’, ‘much’, ‘must’, ‘my’,
‘myself’, ‘name’, ‘namely’, ‘nd’, ‘near’, ‘nearly’, ‘necessary’, ‘need’,
‘needs’, ‘neither’, ‘never’, ‘nevertheless’, ‘new’, ‘next’, ‘nine’, ‘no’,
‘nobody’, ‘non’, ‘none’, ‘noone’, ‘nor’, ‘normally’, ‘not’, ‘nothing’,
‘novel’, ‘now’, ‘nowhere’, ‘obviously’, ‘of’, ‘off’, ‘often’, ‘oh’,
‘ok’, ‘okay’, ‘old’, ‘on’, ‘once’, ‘one’, ‘ones’, ‘only’,
‘onto’, ‘or’, ‘other’, ‘others’, ‘otherwise’, ‘ought’, ‘our’, ‘ours’,
‘ourselves’, ‘out’, ‘outside’, ‘over’, ‘overall’, ‘own’, ‘particular’, ‘particularly’,
‘per’, ‘perhaps’, ‘placed’, ‘please’, ‘plus’, ‘possible’, ‘presumably’, ‘probably’,
‘provides’, ‘que’, ‘quite’, ‘qv’, ‘rather’, ‘rd’, ‘re’, ‘really’,
‘reasonably’, ‘regarding’, ‘regardless’, ‘regards’, ‘relatively’, ‘respectively’, ‘right’, ‘said’,
‘same’, ‘saw’, ‘say’, ‘saying’, ‘says’, ‘second’, ‘secondly’, ‘see’,
‘seeing’, ‘seem’, ‘seemed’, ‘seeming’, ‘seems’, ‘seen’, ‘self’, ‘selves’,
‘sensible’, ‘sent’, ‘serious’, ‘seriously’, ‘seven’, ‘several’, ‘shall’, ‘she’,
‘should’, ‘shouldn\’t’, ‘since’, ‘six’, ‘so’, ‘some’, ‘somebody’, ‘somehow’,
‘someone’, ‘something’, ‘sometime’, ‘sometimes’, ‘somewhat’, ‘somewhere’, ‘soon’, ‘sorry’,
‘specified’, ‘specify’, ‘specifying’, ‘still’, ‘sub’, ‘such’, ‘sup’, ‘sure’,
‘t\’s’, ‘take’, ‘taken’, ‘tell’, ‘tends’, ‘th’, ‘than’, ‘thank’,
‘thanks’, ‘thanx’, ‘that’, ‘that\’s’, ‘thats’, ‘the’, ‘their’, ‘theirs’,
‘them’, ‘themselves’, ‘then’, ‘thence’, ‘there’, ‘there\’s’, ‘thereafter’, ‘thereby’,
‘therefore’, ‘therein’, ‘theres’, ‘thereupon’, ‘these’, ‘they’, ‘they\’d’, ‘they\’ll’,
‘they\’re’, ‘they\’ve’, ‘think’, ‘third’, ‘this’, ‘thorough’, ‘thoroughly’, ‘those’,
‘though’, ‘three’, ‘through’, ‘throughout’, ‘thru’, ‘thus’, ‘to’, ‘together’,
‘too’, ‘took’, ‘toward’, ‘towards’, ‘tried’, ‘tries’, ‘truly’, ‘try’,
‘trying’, ‘twice’, ‘two’, ‘un’, ‘under’, ‘unfortunately’, ‘unless’, ‘unlikely’,
‘until’, ‘unto’, ‘up’, ‘upon’, ‘us’, ‘use’, ‘used’, ‘useful’,
‘uses’, ‘using’, ‘usually’, ‘value’, ‘various’, ‘very’, ‘via’, ‘viz’,
‘vs’, ‘want’, ‘wants’, ‘was’, ‘wasn\’t’, ‘way’, ‘we’, ‘we\’d’,
‘we\’ll’, ‘we\’re’, ‘we\’ve’, ‘welcome’, ‘well’, ‘went’, ‘were’, ‘weren\’t’,
‘what’, ‘what\’s’, ‘whatever’, ‘when’, ‘whence’, ‘whenever’, ‘where’, ‘where\’s’,
‘whereafter’, ‘whereas’, ‘whereby’, ‘wherein’, ‘whereupon’, ‘wherever’, ‘whether’, ‘which’,
‘while’, ‘whither’, ‘who’, ‘who\’s’, ‘whoever’, ‘whole’, ‘whom’, ‘whose’,
‘why’, ‘will’, ‘willing’, ‘wish’, ‘with’, ‘within’, ‘without’, ‘won\’t’,
‘wonder’, ‘would’, ‘wouldn\’t’, ‘yes’, ‘yet’, ‘you’, ‘you\’d’, ‘you\’ll’,
‘you\’re’, ‘you\’ve’, ‘your’, ‘yours’, ‘yourself’, ‘yourselves’, ‘zero’
);
}
if (in_array(trim($keyword), $stop_words_list)) //单个匹配???
{
return false;
}
 
return true;
}
 
 
匹配还是失效。。。。
 
models/question.php
 
if ($keyword)
{
$where[] = “(MATCH(question_content_fulltext) AGAINST(‘” . $this->model(‘search_index’)->encode_search_code($this->model(‘system’)->analysis_keyword($keyword)) . “‘ IN BOOLEAN MODE))”;
}
 
 
analysis_keyword这个类恩。。 一个测试而已,很多过滤用这个类。。。
 
http://wenda.anwsion.com/search/ajax/search_result/search_type-all__q-1%27%29%28;%5C//*where%20if%20and
 
 
Database error —— SQL: SELECT *, MATCH(question_content_fulltext) AGAINST(‘1′)(;\//*where if and’ IN BOOLEAN MODE) AS score FROM aws_question WHERE MATCH(question_content_fulltext) AGAINST(‘1′)(;\//*where if and’ IN BOOLEAN MODE) ORDER BY score DESC LIMIT 0, 20 Error Message: Mysqli prepare error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘(;\//*where if and’ IN BOOLEAN MODE) AS score FROM aws_question WHERE MATCH(ques’ at line 1
 
 
修复方案:
程序得认真下;1)写代码换输入法啊! 2)匹配都不匹配儿戏啊! 3)单个匹配???
 
作者:_Evil

Tags:

Anwsion漏洞,

如果您喜欢我的博客,欢迎点击图片定订阅到邮箱填写您的邮件地址,订阅我们的精彩内容: 也可以点击链接【订阅到鲜果】

如果我的想法或工具帮助到了你,也可微信扫下方二维码打赏本人一杯咖啡


来自 Seay互联网安全博客
本文地址:http://www.cnseay.com/2024/
文章版权说明请看置顶文章,尊重作者,转载请以链接形式标明原文地址

马上分享给你的朋友吧~

发表评论

你的大名(必填)

你的邮箱(必填)

评论内容(必填)