ROCBOSS micro-Community V1.1 SQL Injection Vulnerability
The official version of ROCBOSS V1.1 has an SQL injection vulnerability:
Vulnerable file:
\Module\user.module.class.php
Line 11 of the code:
$userInfo = Common::getMemberInfo($this->db, is_numeric($userId) ? 'uid' : 'nickname', $userId);
This line of code queries the database. The key lies in the variable $userId.
Go back to line 10 of the code:
$userId = (isset($_GET['id']) && trim($_GET['id']) != '') ? $_GET['id'] : $this->loginInfo['uid'];
When $_GET['id'] is set, this parameter is user-controlled and is not filtered.
Follow the call into the database layer to see how the query is executed:
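public static function getMemberInfo($DB, $key, $value)
{
    // Default (empty) member fields
    $memberArray = array("uid" => 0, "nickname" => "", "email" => "", "password" => "", "regtime" => "", "qqid" => "", "groupid" => 0);
    // $key and $value are concatenated into the SQL string without escaping
    $DBArray = $DB->selectOneArray("SELECT * FROM `" . PRE . "user` WHERE `" . $key . "`='" . $value . "'");
    // ... (the rest of the function is not shown)
}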
If magic_quotes_gpc (GPC) is not enabled, the third parameter, $value, can carry tainted data into the query, which allows injection.
Verification
First, register a user.
After logging in, access:
http://192.168.45.131/rocboss/?m=user&w=index&id=1
The injected parameter is id.
Both UNION-based and blind injection can be performed.
Use sqlmap for verification:
The analysis ran with no problems.
Google: powered by rocboss v1.1
All done, no problem.
I have won a lot of sites and only want to verify them.
Solution:
Use intval().
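
The fix in practice, as an added example that is not ROCBOSS code: the concatenated query shape from getMemberInfo() beside a bound-parameter version, with intval() of each input printed for comparison, since the page's code also looks members up by nickname and intval() turns those values into 0. Assumptions: PHP with the pdo_sqlite extension; the table roc_user, the sample rows and both function names are constructed for illustration.

```php
<?php
// Added example, not ROCBOSS code. Table, rows and function names are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE roc_user (uid INTEGER PRIMARY KEY, nickname TEXT)");
$db->exec("INSERT INTO roc_user (uid, nickname) VALUES (1, 'admin'), (2, 'O''Neil')");

// Same shape as the query on the page: the value is concatenated into the SQL text,
// so a quote in the value changes the statement itself.
function getMemberInfoConcat(PDO $db, string $key, string $value)
{
    $sql = "SELECT * FROM roc_user WHERE " . $key . "='" . $value . "'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened: the column comes from a fixed pair of names, the value is bound as data.
// ctype_digit() is used instead of is_numeric() so only plain digit strings count as a uid.
function getMemberInfoBound(PDO $db, string $value)
{
    $column = ctype_digit($value) ? 'uid' : 'nickname';
    $stmt = $db->prepare("SELECT * FROM roc_user WHERE $column = :value");
    $stmt->execute([':value' => $value]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed inputs: a numeric id, the quoted id used on the page, a nickname with a quote.
foreach (['1', "1'", "O'Neil"] as $id) {
    $key = is_numeric($id) ? 'uid' : 'nickname';   // selection logic from line 11 on the page
    try {
        $row = getMemberInfoConcat($db, $key, $id);
        $old = $row ? "uid {$row['uid']}" : 'no row';
    } catch (PDOException $e) {
        $old = 'SQL error (input altered the statement)';
    }
    $row = getMemberInfoBound($db, $id);
    $new = $row ? "uid {$row['uid']}" : 'no row';
    printf("%-8s concat: %-42s bound: %-8s intval: %d\n", $id, $old, $new, intval($id));
}
```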