test
1 <?php 2 /** 3 * 用户登录程序 4 */ 5 define('DBHOST', 'localhost'); 6 define('DBUSER', 'root'); 7 define('DBPWD', ''); 8 define('DBNAME', 'bug'); 9 10 $username = trim($_POST['username']); 11 $password = trim($_POST['password']); 12 $conn = mysql_connect(DBHOST, DBUSER, DBPWD) or die(mysql_error()); 13 mysql_select_db(DBNAME, $conn) or die(mysq_error()); 14 $sql = "select * from `users` where `username`='".$username."' and `password`='".$password."'"; 15 $res = mysql_query($sql) or die(mysql_error()); 16 if($user = mysql_fetch_array($res)){ 17 echo "Query Sql: ".$sql."<br/>"; 18 exit('Login Success, Current User: '.$user['username']); 19 }else{ 20 echo "Query Sql: ".$sql."<br/>"; 21 exit('login Error'); 22 } 23 ?>
1 <?php 2 /** 3 * Xss漏洞演示代码 4 * 功能说明:简单的一个留言板提交程序 5 */ 6 7 define('DBHOST', 'localhost'); 8 define('DBUSER', 'root'); 9 define('DBPWD', ''); 10 define('DBNAME', 'bug'); 11 12 $conn = mysql_connect(DBHOST, DBUSER, DBPWD) or die(mysql_error()); 13 mysql_select_db(DBNAME, $conn) or die(mysq_error()); 14 //留言入库 15 $content = trim($_POST['content']); 16 17 mysql_query("insert into message (message, addtime) values ('".mysql_escape_string($content)."', '".date("Y-m-d H:i:s")."')") or die(mysql_error()); 18 $mid = mysql_insert_id(); 19 if($mid){ 20 exit('submit success!'); 21 }else{ 22 exit('submit error!'); 23 } 24 ?>
1 <?php 2 /** 3 * 文件包含漏洞演示 4 */ 5 $mod = trim($_GET['mod']); 6 $mod = str_replace('../', '', $mod); 7 $file = './lib/'.$mod.'.php'; 8 if(file_exists($file)){ 9 @include($file); 10 }else{ 11 exit('request error!'); 12 } 13 ?>
1 <?php 2 /** 3 * 变量覆盖漏洞演示代码 4 */ 5 $template = './template/default.html'; 6 extract($_GET); 7 if(isset($mod) && in_array($mod, array('do', 'go', 'fo'))){ 8 //严格过滤mod,只允许mod=do,go,fo 9 $template = './template/'.$mod.'.html'; 10 }else{ 11 //不做处理,使用默认模板 12 } 13 //包含模板 14 echo $template; 15 ?>
1 <?php 2 /** 3 * 用户登录程序 4 */ 5 define('DBHOST', 'localhost'); 6 define('DBUSER', 'root'); 7 define('DBPWD', ''); 8 define('DBNAME', 'bug'); 9 10 $username = trim($_POST['username']); 11 $password = trim($_POST['password']); 12 $conn = mysql_connect(DBHOST, DBUSER, DBPWD) or die(mysql_error()); 13 mysql_select_db(DBNAME, $conn) or die(mysq_error()); 14 $sql = "select * from `users` where `username`='".addslashes($username)."' and `password`='".addslashes($password)."'"; 15 if(do_query_safe($sql) < 0){ 16 exit("当前的sql存在注入风险"); 17 } 18 $res = mysql_query($sql) or die(mysql_error()); 19 if($user = mysql_fetch_array($res)){ 20 echo "Query Sql: ".$sql."<br/>"; 21 exit('Login Success, Current User: '.$user['username']); 22 }else{ 23 echo "Query Sql: ".$sql."<br/>"; 24 exit('login Error'); 25 } 26 27 /** 28 * 摘自discuzx的sql安全检测函数 29 */ 30 function do_query_safe($sql) { 31 $_config['dfunction'] = array('load_file','hex','substring','if','ord','char'); 32 $_config['daction'] = array('intooutfile','intodumpfile','unionselect','(select', 'unionall', 'uniondistinct'); 33 $_config['dnote'] = array('/*','*/','#','--','"'); 34 $_config['dlikehex'] = 1; 35 $_config['afullnote'] = 0; 36 37 $sql = str_replace(array('\\\\', '\\\'', '\\"', '\'\''), '', $sql); 38 $mark = $clean = ''; 39 if (strpos($sql, '/') === false && strpos($sql, '#') === false && strpos($sql, '-- ') === false) { 40 $clean = preg_replace("/'(.+?)'/s", '', $sql); 41 } else { 42 $len = strlen($sql); 43 $mark = $clean = ''; 44 for ($i = 0; $i < $len; $i++) { 45 $str = $sql[$i]; 46 switch ($str) { 47 case '\'': 48 if (!$mark) { 49 $mark = '\''; 50 $clean .= $str; 51 } elseif ($mark == '\'') { 52 $mark = ''; 53 } 54 break; 55 case '/': 56 if (empty($mark) && $sql[$i + 1] == '*') { 57 $mark = '/*'; 58 $clean .= $mark; 59 $i++; 60 } elseif ($mark == '/*' && $sql[$i - 1] == '*') { 61 $mark = ''; 62 $clean .= '*'; 63 } 64 break; 65 case '#': 66 if (empty($mark)) { 67 $mark = $str; 68 $clean .= $str; 69 } 70 break; 71 case "\n": 72 if ($mark == '#' || $mark == '--') { 73 $mark = ''; 74 } 75 break; 76 case '-': 77 if (empty($mark) && substr($sql, $i, 3) == '-- ') { 78 $mark = '-- '; 79 $clean .= $mark; 80 } 81 break; 82 83 default: 84 85 break; 86 } 87 $clean .= $mark ? '' : $str; 88 } 89 } 90 91 $clean = preg_replace("/[^a-z0-9_\-\(\)#\*\/\"]+/is", "", strtolower($clean)); 92 93 if ($_config['afullnote']) { 94 $clean = str_replace('/**/', '', $clean); 95 } 96 97 if (is_array($_config['dfunction'])) { 98 foreach ($_config['dfunction'] as $fun) { 99 if (strpos($clean, $fun . '(') !== false) 100 return '-1'; 101 } 102 } 103 104 if (is_array($_config['daction'])) { 105 foreach ($_config['daction'] as $action) { 106 if (strpos($clean, $action) !== false) 107 return '-3'; 108 } 109 } 110 111 if ($_config['dlikehex'] && strpos($clean, 'like0x')) { 112 return '-2'; 113 } 114 115 if (is_array($_config['dnote'])) { 116 foreach ($_config['dnote'] as $note) { 117 if (strpos($clean, $note) !== false) 118 return '-4'; 119 } 120 } 121 122 return 1; 123 } 124 ?>
1 <?php 2 /** 3 * Xss漏洞演示代码 4 * 功能说明:简单的一个留言板提交程序 5 */ 6 7 define('DBHOST', 'localhost'); 8 define('DBUSER', 'root'); 9 define('DBPWD', ''); 10 define('DBNAME', 'bug'); 11 12 $conn = mysql_connect(DBHOST, DBUSER, DBPWD) or die(mysql_error()); 13 mysql_select_db(DBNAME, $conn) or die(mysq_error()); 14 //留言入库 15 $content = trim($_POST['content']); 16 17 mysql_query("insert into message (message, addtime) values ('".mysql_escape_string(safe_replace($content))."', '".date("Y-m-d H:i:s")."')") or die(mysql_error()); 18 $mid = mysql_insert_id(); 19 if($mid){ 20 exit('submit success!'); 21 }else{ 22 exit('submit error!'); 23 } 24 25 /** 26 * 安全过滤函数 27 * 28 * @param $string 29 * @return string 30 */ 31 function safe_replace($string) { 32 $string = str_replace('%20','',$string); 33 $string = str_replace('%27','',$string); 34 $string = str_replace('%2527','',$string); 35 $string = str_replace('*','',$string); 36 $string = str_replace('"','"',$string); 37 $string = str_replace("'",'',$string); 38 $string = str_replace('"','',$string); 39 $string = str_replace(';','',$string); 40 $string = str_replace('<','<',$string); 41 $string = str_replace('>','>',$string); 42 $string = str_replace("{",'',$string); 43 $string = str_replace('}','',$string); 44 $string = str_replace('\\','',$string); 45 return $string; 46 } 47 ?>
1 <?php 2 /** 3 * 文件包含漏洞演示 4 */ 5 $mod = trim($_GET['mod']); 6 if(!preg_match("/^[a-zA-Z0-9_]+$/", $mod)){ 7 exit("WARNIG"); 8 } 9 $file = './lib/'.$mod.'.php'; 10 if(file_exists($file)){ 11 @include($file); 12 }else{ 13 exit('request error!'); 14 } 15 ?>
1 <?php 2 /** 3 * 变量覆盖漏洞演示代码 4 */ 5 $template = './template/default.html'; 6 /* 7 extract($_GET); 8 */ 9 $mod = isset($_GET['mod']) ? trim($_GET['mode']) : 'do'; 10 if(isset($mod) && in_array($mod, array('do', 'go', 'fo'))){ 11 //严格过滤mod,只允许mod=do,go,fo 12 $template = './template/'.$mod.'.html'; 13 }else{ 14 //不做处理,使用默认模板 15 } 16 //包含模板 17 echo $template; 18 ?>
1 <?php 2 /** 3 * 变量覆盖漏洞演示代码 4 */ 5 $template = './template/default.html'; 6 /* 7 extract($_GET); 8 */ 9 $mod = isset($_GET['mod']) ? trim($_GET['mod']) : 'do'; 10 if(in_array($mod, array('do', 'go', 'fo'))){ 11 //严格过滤mod,只允许mod=do,go,fo 12 $template = './template/'.$mod.'.html'; 13 }else{ 14 //不做处理,使用默认模板 15 } 16 //包含模板 17 echo $template; 18 ?>
1 <?php 2 /** 3 * 发表博客程序,此程序存在CSRF漏洞 4 */ 5 session_start(); 6 if(!isset($_SESSION['user'])){ 7 exit("你还未登录"); 8 } 9 define('DBHOST', 'localhost'); 10 define('DBUSER', 'root'); 11 define('DBPWD', ''); 12 define('DBNAME', 'bug'); 13 14 $conn = mysql_connect(DBHOST, DBUSER, DBPWD) or die(mysql_error()); 15 mysql_select_db(DBNAME, $conn) or die(mysq_error()); 16 //如果有登陆提交 17 if(isset($_POST['dosubmit'])){ 18 $blog = trim($_POST['blog']); 19 mysql_query("insert into blog (username, blog, addtime) values ('".addslashes($_SESSION['user'])."', '".$blog."', ".time().")"); 20 $id = mysql_insert_id(); 21 if($id > 0){ 22 exit("success"); 23 }else{ 24 exit("error"); 25 } 26 } 27 28 ?>
1 <?php 2 /** 3 * 发表博客程序,此程序存在CSRF漏洞 4 */ 5 6 //为防止csrf跨站攻击漏洞,要对请求来源进行严格限制 7 $reffer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''; 8 if(!empty($reffer)){ 9 $hostinfo = parse_url($reffer); 10 //请求host白名单 11 if(!in_array($hostinfo['host'], array('10.221.20.113'))){ 12 exit('unvalid request'); 13 } 14 } 15 session_start(); 16 if(!isset($_SESSION['user'])){ 17 exit("你还未登录"); 18 } 19 define('DBHOST', 'localhost'); 20 define('DBUSER', 'root'); 21 define('DBPWD', ''); 22 define('DBNAME', 'bug'); 23 24 $conn = mysql_connect(DBHOST, DBUSER, DBPWD) or die(mysql_error()); 25 mysql_select_db(DBNAME, $conn) or die(mysq_error()); 26 //如果有登陆提交 27 if(isset($_POST['dosubmit'])){ 28 $blog = trim($_POST['blog']); 29 mysql_query("insert into blog (username, blog, addtime) values ('".addslashes($_SESSION['user'])."', '".$blog."', ".time().")"); 30 $id = mysql_insert_id(); 31 if($id > 0){ 32 exit("success"); 33 }else{ 34 exit("error"); 35 } 36 } 37 ?>