UWA 2.X v2.1.5 Multiple SQL injections
Look at this function in /Core/lib/core/Db.class.php:

    protected function parse_value($value) {
        if(is_string($value)) {
            $value = '\'' . $this->escape_string($value) . '\'';
        }elseif(isset($value[0]) && is_string($value[0]) && strtolower($value[0]) == 'exp') {
            $value = $this->escape_string($value[1]);
        }elseif(is_array($value)) {
            $value = array_map(array($this, 'parse_value'), $value);
        }elseif(is_null($value)) {
            $value = 'null';
        }
        return $value;
    }

This function escapes and quotes field values before they are spliced into SQL. A plain string is escaped and wrapped in single quotes. But when the value is an array whose first element is the string 'exp', the second element is only passed through escape_string() and is returned without the surrounding quotes, so it lands in the query as a raw SQL expression. The escaping does nothing for an attacker here: a payload that contains no quote characters (a subquery, a function call) passes through untouched. (The construct is much like ThinkPHP's EXP syntax.)
Where is it called? For example, parse_set():

    protected function parse_set($data) {
        foreach($data as $key => $val) {
            $value = $this->parse_value($val);
            if(is_scalar($value)) { // filter non-scalar
                $set[] = $this->parse_key($key) . '=' . $value;
            }
        }
        return ' SET ' . implode(',', $set);
    }

Note that the is_scalar() check does not help: for an array('exp', ...) value, parse_value() has already returned a plain string, so the unquoted expression is kept.
Following on, update():

    public function update($data, $options) {
        $sql = 'UPDATE '
            . $this->parse_table($options['table'])
            . $this->parse_set($data)
            . $this->parse_where(isset($options['where']) ? $options['where'] : '')
            . $this->parse_order(isset($options['order']) ? $options['order'] : '')
            . $this->parse_limit(isset($options['limit']) ? $options['limit'] : '')
            . $this->parse_lock(isset($options['lock']) ? $options['lock'] : false);
        return $this->execute($sql);
    }

So wherever user-controlled data reaches ->update($data) as an array whose first element is 'exp', the second element is concatenated into the UPDATE statement unquoted, and the single-quote escaping that normally blocks injection is bypassed.
There are many other callers of this function, such as insert. I will not give an example here.
Two injection points are used below to verify that the flaw is exploitable.
#1
/Lib/ctrlr/Member/ArchiveCtrlr.class.php, the add_archive_do() function:

    public function add_archive_do() {
        .........
        $data = array();
        $data['archive_channel_id'] = intval(ARequest::get('archive_channel_id'));
        ............
        $data['a_title'] = AFilter::text(AFilter::plain_text(ARequest::get('a_title'), 85));
        $data['a_keywords'] = AFilter::text(AFilter::plain_text(ARequest::get('a_keywords'), 85));
        $data['a_description'] = AFilter::text(ARequest::get('a_description'), 200);
        $data['a_cost_points'] = intval(ARequest::get('a_cost_points'));
        $data['member_id'] = ASession::get('member_id');
        $data['m_username'] = ASession::get('m_username');
        $data['a_add_time'] = time();
        $data['a_edit_time'] = $data['a_add_time'];
        $data['a_add_ip'] = AServer::get_ip();
        $data['a_edit_ip'] = $data['a_add_ip'];
        $data['a_rank'] = 50;
        $_o = M('Option')->get_option(array('core', 'interaction'));
        $_aci = M('ArchiveChannel')->where(array('archive_channel_id' => array('EQ', $data['archive_channel_id'])))->find();
        ......
        /* insert to main table */
        $result = M('Archive')->add_archive($data);
        if(!empty($result['error'])) {
            $this->error(L('PUBLISH_FAILED'), Url::U('archive/list_archive?archive_model_id=' . $data['archive_model_id']));
        }
        /* insert to addon table */
        $data['archive_id'] = $result['data'];
        $data = array_merge(ARequest::get(), $data); // every raw request parameter is merged into $data
        /* delete external links */
        if(isset($data['delete_external_links']) and !empty($data['delete_external_links'])) {
            foreach($data['delete_external_links'] as $field) {
                if(MAGIC_QUOTES_GPC) {
                    $data[$field] = stripslashes($data[$field]);
                }
                $data[$field] = str_replace(__HOST__, '#basehost#', $data[$field]);
                $data[$field] = preg_replace("/(<a[ \t\r\n]{1,}href=[\"']{0,}http:\/\/[^\/]([^>]*)>)|(<\/a>)/isU", '', $data[$field]);
                $data[$field] = str_replace('#basehost#', __HOST__, $data[$field]);
                if(MAGIC_QUOTES_GPC) {
                    $data[$field] = addslashes($data[$field]);
                }
            }
        }
        $result = M('Archive')->add_archive_addon($data); // sink: $data reaches the Db layer
        ...........
    }

The fields the controller sets itself are filtered, but the line $data = array_merge(ARequest::get(), $data); merges every request parameter into $data before it is handed to add_archive_addon(). Because the controller's own keys overwrite the request's, only the addon-table fields that the controller does not set are attacker-controlled, but those are taken straight from the request, and PHP parses a query string of the form field[0]=exp&field[1]=... into exactly the array('exp', ...) shape that parse_value() trusts. Publish an article from the member area, capture the request, rewrite one of the addon fields in that form, and the injected expression is executed: the data comes out.
#2
The edit_archive_do() function in the same controller.
The code is similar to that of add_archive_do(), so the same technique applies: edit an article, capture the request, and modify the data in the same way.
Solution:
Filter the input. Do not merge the raw request (ARequest::get()) into $data; copy only the expected addon fields, and reject or flatten any value that arrives as an array, so that the 'exp' form accepted by parse_value() can only be produced by trusted application code, never by a request parameter.
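The following is an added example, not UWA's own code, that reproduces the whole chain offline: a stand-in for the Db methods quoted above (escape_string() is replaced with addslashes() and parse_key() with a simple backtick quoter, both assumptions), a constructed request in which one field arrives as array('exp', ...), and a hypothetical whitelist helper pick_addon_fields() standing in for the controller's array_merge(ARequest::get(), $data). The field names a_body and a_author are assumed addon fields, not taken from the page.

```php
<?php
// Added example, not UWA's code. DemoDb mirrors the parse_value()/parse_set()/update()
// logic shown above but returns the SQL instead of executing it, so no database is needed.
class DemoDb
{
    // Stand-in for the real escape_string() (assumption: behaves like mysqli escaping).
    protected function escape_string($s)
    {
        return addslashes($s);
    }

    // Stand-in for the real parse_key() (assumption: backtick-quotes the column name).
    protected function parse_key($key)
    {
        return '`' . $key . '`';
    }

    // Same branching as UWA's parse_value(): strings are quoted, array('exp', X) is not.
    protected function parse_value($value)
    {
        if (is_string($value)) {
            $value = '\'' . $this->escape_string($value) . '\'';
        } elseif (isset($value[0]) && is_string($value[0]) && strtolower($value[0]) == 'exp') {
            $value = $this->escape_string($value[1]); // no quotes: raw SQL expression
        } elseif (is_array($value)) {
            $value = array_map(array($this, 'parse_value'), $value);
        } elseif (is_null($value)) {
            $value = 'null';
        }
        return $value;
    }

    // Same as UWA's parse_set(); the is_scalar() check passes the exp string through.
    protected function parse_set($data)
    {
        $set = array();
        foreach ($data as $key => $val) {
            $value = $this->parse_value($val);
            if (is_scalar($value)) {
                $set[] = $this->parse_key($key) . '=' . $value;
            }
        }
        return ' SET ' . implode(',', $set);
    }

    // Reduced update(): builds and returns the statement for inspection.
    public function update_sql($data, $table)
    {
        return 'UPDATE ' . $table . $this->parse_set($data);
    }
}

// Hypothetical fix for the controller: instead of array_merge(ARequest::get(), $data),
// copy only whitelisted addon fields, and only when they are plain strings, so a
// request parameter can never arrive at the Db layer as array('exp', ...).
function pick_addon_fields(array $request, array $allowed)
{
    $out = array();
    foreach ($allowed as $field) {
        if (isset($request[$field]) && is_string($request[$field])) {
            $out[$field] = $request[$field];
        }
    }
    return $out;
}

// Constructed request, as PHP would parse the query string
//   a_body=it's+fine&a_author[0]=exp&a_author[1]=version()
$request = array(
    'a_body'   => "it's fine",
    'a_author' => array('exp', 'version()'),
);

$db = new DemoDb();

// Vulnerable path: the raw request reaches parse_set() unchanged.
echo "vulnerable: ", $db->update_sql($request, 'archive_addon'), "\n";

// Fixed path: the array-valued parameter is dropped before it reaches the Db layer.
$clean = pick_addon_fields($request, array('a_body', 'a_author'));
echo "fixed:      ", $db->update_sql($clean, 'archive_addon'), "\n";
```

Running it shows the difference directly: in the vulnerable statement a_body is escaped and quoted as expected, while a_author is emitted as the bare expression version() with no quotes around it, so addslashes() had nothing to neutralise. In the fixed statement the a_author assignment is simply absent, because the whitelist refuses any non-string value; the same helper also stops unexpected parameters (such as columns the form never offers) from being written at all.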