Popular Science 1 in mysql brute-force and error Injection

Two examples of the old SQL Injection Vulnerabilities of uchome were extracted. The vulnerabilities were published a long time ago. Both of them are in the personal data update process:

 

The content of the code KEY that registers the variable directly enters the $ inserts array.

Foreach ($ _ POST ['friend'] as $ key => $ value ){

$ Value = intval ($ value );

$ Inserts [] = "('base', '$ key',' $ space [uid] ',' $ value ')";

}

Directly go to the VALUES of the INSERT statement.

If ($ inserts ){

$ _ SGLOBAL ['db']-> query ("delete from ". tname ('spaceinfo '). "WHERE uid = '$ space [uid]' AND type = 'base '");

$ _ SGLOBAL ['db']-> query ("insert into". tname ('spaceinfo'). "(type, subtype, uid, friend)

VALUES ". implode (',', $ inserts ));

 

.................

 

The content of the code KEY that registers the variable directly enters the $ inserts array.

Foreach ($ _ POST ['info'] as $ key => $ value ){

$ Value = getstr ($ value, 500, 1, 1 );

$ Friend = intval ($ _ POST ['info _ friend'] [$ key]);

$ Inserts [] = "('$ space [uid]', 'info', '$ key',' $ value', '$ friend ')";

}

Directly go to the VALUES of the INSERT statement.

If ($ inserts ){

$ _ SGLOBAL ['db']-> query ("delete from ". tname ('spaceinfo '). "WHERE uid = '$ space [uid]' $ _ SGLOBAL ['db']-> query (" insert ". tname ('spaceinfo ')."

(Uid, type, subtype, title, friend)

VALUES ". implode (',', $ inserts ));

 

 

After analyzing the code, we can find that there are two INSERT-type SQL Injection statements, and the $ key-registered variables can construct SQL statement injection, but this will be affected by GPC, however, keys of super global variables such as $ _ POST in earlier versions of PHP are not affected by GPC.

 

Here I use the HTTP Editor and HTTP Sniffer of Acunetix Web Vulnerability plugin.

 

 

As uchome continues some of discuz's security measures, the submitted requests verify formhash. We need formhash to construct the request, use HTTP Sniffer to capture the request package on the personal settings page, and right-click to edit the package.

According to the context analysis of the code, we need to construct

Request URL: cp. php? Ac = profile & op = info

Request Parameter profilesubmit formhash info

After these variables and conditions are met, you can enter the SQL injection vulnerability code segment of the program.

 

From: black box of RAyh4c

Popular Science 2 http://www.bkjia.com/Article/201108/100723.html of mysql brute-force Injection
Popular Science 3 http://www.bkjia.com/Article/201108/100724.html of mysql brute-force Injection