test

 1 <?php
 2 /**
 3  * 用户登录程序
 4  */
 5 define('DBHOST', 'localhost');
 6 define('DBUSER', 'root');
 7 define('DBPWD', '');
 8 define('DBNAME', 'bug');
 9 
10 $username = trim($_POST['username']);
11 $password = trim($_POST['password']);
12 $conn = mysql_connect(DBHOST, DBUSER, DBPWD) or die(mysql_error());
13 mysql_select_db(DBNAME, $conn) or die(mysq_error());
14 $sql = "select * from `users` where `username`='".$username."' and `password`='".$password."'";
15 $res = mysql_query($sql) or die(mysql_error());
16 if($user = mysql_fetch_array($res)){
17         echo "Query Sql: ".$sql."<br/>";
18         exit('Login Success, Current User: '.$user['username']);
19 }else{
20         echo "Query Sql: ".$sql."<br/>";
21         exit('login Error');
22 }
23 ?>

 

 1 <?php
 2 /**
 3  * Xss漏洞演示代码
 4  * 功能说明:简单的一个留言板提交程序
 5  */
 6 
 7 define('DBHOST', 'localhost');
 8 define('DBUSER', 'root');
 9 define('DBPWD', '');
10 define('DBNAME', 'bug');
11 
12 $conn = mysql_connect(DBHOST, DBUSER, DBPWD) or die(mysql_error());
13 mysql_select_db(DBNAME, $conn) or die(mysq_error());
14 //留言入库
15 $content = trim($_POST['content']);                                                
16 
17 mysql_query("insert into message (message, addtime) values ('".mysql_escape_string($content)."', '".date("Y-m-d H:i:s")."')") or die(mysql_error());
18 $mid = mysql_insert_id();
19 if($mid){   
20         exit('submit success!');
21 }else{
22         exit('submit error!');                                                     
23 }
24 ?>

 

 

 1 <?php
 2 /**
 3  * 文件包含漏洞演示
 4  */
 5 $mod = trim($_GET['mod']);
 6 $mod = str_replace('../', '', $mod);
 7 $file = './lib/'.$mod.'.php';
 8 if(file_exists($file)){
 9     @include($file);
10 }else{
11     exit('request error!');
12 }
13 ?>

 

 1 <?php
 2 /**
 3  * 变量覆盖漏洞演示代码
 4  */
 5  $template = './template/default.html';
 6  extract($_GET); 
 7  if(isset($mod) && in_array($mod, array('do', 'go', 'fo'))){
 8     //严格过滤mod,只允许mod=do,go,fo
 9     $template = './template/'.$mod.'.html';
10  }else{
11     //不做处理,使用默认模板
12  }
13  //包含模板
14  echo $template;
15 ?>

 

  1 <?php
  2 /**
  3  * 用户登录程序
  4  */
  5 define('DBHOST', 'localhost');
  6 define('DBUSER', 'root');
  7 define('DBPWD', '');
  8 define('DBNAME', 'bug');
  9 
 10 $username = trim($_POST['username']);
 11 $password = trim($_POST['password']);
 12 $conn = mysql_connect(DBHOST, DBUSER, DBPWD) or die(mysql_error());
 13 mysql_select_db(DBNAME, $conn) or die(mysq_error());
 14 $sql = "select * from `users` where `username`='".addslashes($username)."' and `password`='".addslashes($password)."'";
 15 if(do_query_safe($sql) < 0){
 16     exit("当前的sql存在注入风险");
 17 }
 18 $res = mysql_query($sql) or die(mysql_error());
 19 if($user = mysql_fetch_array($res)){
 20     echo "Query Sql: ".$sql."<br/>";
 21     exit('Login Success, Current User: '.$user['username']);
 22 }else{
 23     echo "Query Sql: ".$sql."<br/>";
 24     exit('login Error');
 25 }
 26 
 27 /**
 28  * 摘自discuzx的sql安全检测函数
 29  */
 30 function do_query_safe($sql) {
 31         $_config['dfunction']    = array('load_file','hex','substring','if','ord','char');
 32         $_config['daction']    = array('intooutfile','intodumpfile','unionselect','(select', 'unionall', 'uniondistinct');
 33         $_config['dnote']    = array('/*','*/','#','--','"');
 34         $_config['dlikehex']    = 1;
 35         $_config['afullnote']    = 0;
 36 
 37         $sql = str_replace(array('\\\\', '\\\'', '\\"', '\'\''), '', $sql);
 38         $mark = $clean = '';
 39         if (strpos($sql, '/') === false && strpos($sql, '#') === false && strpos($sql, '-- ') === false) {
 40             $clean = preg_replace("/'(.+?)'/s", '', $sql);
 41         } else {
 42             $len = strlen($sql);
 43             $mark = $clean = '';
 44             for ($i = 0; $i < $len; $i++) {
 45                 $str = $sql[$i];
 46                 switch ($str) {
 47                     case '\'':
 48                         if (!$mark) {
 49                             $mark = '\'';
 50                             $clean .= $str;
 51                         } elseif ($mark == '\'') {
 52                             $mark = '';
 53                         }
 54                         break;
 55                     case '/':
 56                         if (empty($mark) && $sql[$i + 1] == '*') {
 57                             $mark = '/*';
 58                             $clean .= $mark;
 59                             $i++;
 60                         } elseif ($mark == '/*' && $sql[$i - 1] == '*') {
 61                             $mark = '';
 62                             $clean .= '*';
 63                         }
 64                         break;
 65                     case '#':
 66                         if (empty($mark)) {
 67                             $mark = $str;
 68                             $clean .= $str;
 69                         }
 70                         break;
 71                     case "\n":
 72                         if ($mark == '#' || $mark == '--') {
 73                             $mark = '';
 74                         }
 75                         break;
 76                     case '-':
 77                         if (empty($mark) && substr($sql, $i, 3) == '-- ') {
 78                             $mark = '-- ';
 79                             $clean .= $mark;
 80                         }
 81                         break;
 82 
 83                     default:
 84 
 85                         break;
 86                 }
 87                 $clean .= $mark ? '' : $str;
 88             }
 89         }
 90 
 91         $clean = preg_replace("/[^a-z0-9_\-\(\)#\*\/\"]+/is", "", strtolower($clean));
 92 
 93         if ($_config['afullnote']) {
 94             $clean = str_replace('/**/', '', $clean);
 95         }
 96 
 97         if (is_array($_config['dfunction'])) {
 98             foreach ($_config['dfunction'] as $fun) {
 99                 if (strpos($clean, $fun . '(') !== false)
100                     return '-1';
101             }
102         }
103 
104         if (is_array($_config['daction'])) {
105             foreach ($_config['daction'] as $action) {
106                 if (strpos($clean, $action) !== false)
107                     return '-3';
108             }
109         }
110 
111         if ($_config['dlikehex'] && strpos($clean, 'like0x')) {
112             return '-2';
113         }
114 
115         if (is_array($_config['dnote'])) {
116             foreach ($_config['dnote'] as $note) {
117                 if (strpos($clean, $note) !== false)
118                     return '-4';
119             }
120         }
121 
122         return 1;
123     }
124 ?>

 

 1 <?php
 2 /**
 3  * Xss漏洞演示代码
 4  * 功能说明:简单的一个留言板提交程序
 5  */
 6 
 7 define('DBHOST', 'localhost');
 8 define('DBUSER', 'root');
 9 define('DBPWD', '');
10 define('DBNAME', 'bug');
11 
12 $conn = mysql_connect(DBHOST, DBUSER, DBPWD) or die(mysql_error());
13 mysql_select_db(DBNAME, $conn) or die(mysq_error());
14 //留言入库
15 $content = trim($_POST['content']);
16 
17 mysql_query("insert into message (message, addtime) values ('".mysql_escape_string(safe_replace($content))."', '".date("Y-m-d H:i:s")."')") or die(mysql_error());
18 $mid = mysql_insert_id();
19 if($mid){
20     exit('submit success!');
21 }else{
22     exit('submit error!');
23 }
24 
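/**
 * Safety filter for guestbook text.
 *
 * Removes the sequences and characters listed in $strip, then replaces the
 * remaining HTML-significant characters with entities.
 *
 * Fixed: the original replaced '"' with '&quot;' *before* stripping ';', so
 * every double quote came out as the broken entity '&quot' (and a second
 * '"' removal afterwards was a no-op). Characters are now stripped first
 * and entities introduced last, so '&quot;', '&lt;' and '&gt;' keep their
 * trailing ';'. This remains a blacklist; for output in an HTML context
 * htmlspecialchars() is the more complete choice.
 *
 * @param string $string raw text from the request
 * @return string the filtered text
 */
function safe_replace($string) {
    // Sequences and characters dropped outright, applied in this order.
    $strip = array('%20', '%27', '%2527', '*', "'", ';', '{', '}', '\\');
    $string = str_replace($strip, '', $string);
    // Entity replacement comes last so the ';' strip above cannot mangle it.
    return str_replace(array('"', '<', '>'), array('&quot;', '&lt;', '&gt;'), $string);
}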
47 ?>

 

 1 <?php
 2 /**
 3  * 文件包含漏洞演示
 4  */
 5 $mod = trim($_GET['mod']);
 6 if(!preg_match("/^[a-zA-Z0-9_]+$/", $mod)){
 7     exit("WARNIG");
 8 }
 9 $file = './lib/'.$mod.'.php';
10 if(file_exists($file)){
11     @include($file);
12 }else{
13     exit('request error!');
14 }
15 ?>

 

 1 <?php
 2 /**
 3  * 变量覆盖漏洞演示代码
 4  */
 5  $template = './template/default.html';
 6  /*
 7  extract($_GET); 
 8 */
 9 $mod = isset($_GET['mod']) ? trim($_GET['mode']) : 'do';
10  if(isset($mod) && in_array($mod, array('do', 'go', 'fo'))){
11     //严格过滤mod,只允许mod=do,go,fo
12     $template = './template/'.$mod.'.html';
13  }else{
14     //不做处理,使用默认模板
15  }
16  //包含模板
17  echo $template;
18 ?>

 

 1 <?php
 2 /**
 3  * 变量覆盖漏洞演示代码
 4  */
 5  $template = './template/default.html';
 6  /*
 7  extract($_GET); 
 8 */
 9 $mod = isset($_GET['mod']) ? trim($_GET['mod']) : 'do';
10  if(in_array($mod, array('do', 'go', 'fo'))){
11     //严格过滤mod,只允许mod=do,go,fo
12     $template = './template/'.$mod.'.html';
13  }else{
14     //不做处理,使用默认模板
15  }
16  //包含模板
17  echo $template;
18 ?>

 

 1 <?php
 2 /**
 3  * 发表博客程序,此程序存在CSRF漏洞
 4  */
 5 session_start();
 6 if(!isset($_SESSION['user'])){
 7     exit("你还未登录");
 8 }
 9 define('DBHOST', 'localhost');
10 define('DBUSER', 'root');
11 define('DBPWD', '');
12 define('DBNAME', 'bug');
13 
14 $conn = mysql_connect(DBHOST, DBUSER, DBPWD) or die(mysql_error());
15 mysql_select_db(DBNAME, $conn) or die(mysq_error());
16 //如果有登陆提交
17 if(isset($_POST['dosubmit'])){
18     $blog = trim($_POST['blog']);
19     mysql_query("insert into blog (username, blog, addtime) values ('".addslashes($_SESSION['user'])."', '".$blog."', ".time().")");
20     $id = mysql_insert_id();
21     if($id > 0){
22         exit("success");
23     }else{
24         exit("error");
25     }
26 }
27 
28 ?>
 1 <?php
 2 /**
 3  * 发表博客程序,此程序存在CSRF漏洞
 4  */
 5  
 6  //为防止csrf跨站攻击漏洞,要对请求来源进行严格限制
 7 $reffer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
 8 if(!empty($reffer)){
 9     $hostinfo = parse_url($reffer);
10     //请求host白名单
11     if(!in_array($hostinfo['host'], array('10.221.20.113'))){
12         exit('unvalid request');
13     }
14 }
15 session_start();
16 if(!isset($_SESSION['user'])){
17     exit("你还未登录");
18 }
19 define('DBHOST', 'localhost');
20 define('DBUSER', 'root');
21 define('DBPWD', '');
22 define('DBNAME', 'bug');
23 
24 $conn = mysql_connect(DBHOST, DBUSER, DBPWD) or die(mysql_error());
25 mysql_select_db(DBNAME, $conn) or die(mysq_error());
26 //如果有登陆提交
27 if(isset($_POST['dosubmit'])){
28     $blog = trim($_POST['blog']);
29     mysql_query("insert into blog (username, blog, addtime) values ('".addslashes($_SESSION['user'])."', '".$blog."', ".time().")");
30     $id = mysql_insert_id();
31     if($id > 0){
32         exit("success");
33     }else{
34         exit("error");
35     }
36 }
37 ?>

 
