PHP-Audit-Labs Day2 示例的简单分析

  • 漏洞位于themes/default/404.php
1
2
3
4
5
6
7
8
9
<?php theme_include('header'); ?>

	<section class="content wrap">
		<h1>Page not found</h1>

		<p>Unfortunately, the page <code>/<?php echo current_url(); ?></code> could not be found. Your best bet is either to try the <a href="<?php echo base_url(); ?>">homepage</a>, try <a href="#search">searching</a>, or go and cry in a corner (although I don’t recommend the latter).</p>
	</section>

<?php theme_include('footer'); ?> was not found
  • Anchor 使用了路由,如果访问的url不存在则会执行404.php
    比如访问/admin/xxx,会返回

404
The page admin/xxx was not found.
Try the homepage

  • 其中xxx用户可控,处理不好就可能造成xss
  • 可以看到404.php中调用了base_url()获取用户访问的url
1
2
3
function current_url() {
	return Uri::current();
}
  • 跟进Uri类的current静态方法
1
2
3
4
5
public static function current() {
	if(is_null(static::$current)) static::$current = static::detect();

	return static::$current;
}
  • 跟进detect静态方法
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
/**
	 * Try and detect the current uri
	 *
	 * @return string
	 */
	public static function detect() {
		// create a server object from global
		$server = new Server($_SERVER);

		$try = array('REQUEST_URI', 'PATH_INFO', 'ORIG_PATH_INFO');

		foreach($try as $method) {

			// make sure the server var exists and is not empty
			if($server->has($method) and $uri = $server->get($method)) {

				// apply a string filter and make sure we still have somthing left
				if($uri = filter_var($uri, FILTER_SANITIZE_URL)) {

					// make sure the uri is not malformed and return the pathname
					if($uri = parse_url($uri, PHP_URL_PATH)) {
						return static::format($uri, $server);
					}

					// woah jackie, we found a bad'n
					throw new ErrorException('Malformed URI');
				}
			}
		}

		throw new OverflowException('Uri was not detected. Make sure the REQUEST_URI is set.');
	}
  • 先通过$server->get($method) 依次获得 $_SERVER的’REQUEST_URI’ ,'PATH_INFO’和’ORIG_PATH_INFO’键值,存储在$uri中
  • 如果filter_var($uri, FILTER_SANITIZE_URL) 和 parse_url($uri, PHP_URL_PATH) 都为真的话就将其返回,否则抛出一个错误
  • 其中FILTER_SANITIZE_URL过滤器的作用如下
1
2
FILTER_SANITIZE_URL 过滤器删除字符串中所有非法的 URL 字符。
该过滤器允许所有的字符、数字以及 $-_.+!*'(),{}|\\^~[]`"><#%;/?:@&=。

该过滤器不会过滤<>/,直接可以插入

1
<scirpt></scirpt>

标签

  • 只有严重不合格的url,parse_url才会返回false
1
2
3
4
5
php > print_r(parse_url('/admin/<script>alert(1)</script>'));
Array
(
    [path] => /admin/<script>alert(1)</script>
)
  • 因此最后的payload
1
/admin/<script>alert(1)</script>