A PHPDisk code design defect causes SQL injection
Affected versions: PHPDisk F-Core series
Tested version: PHPDisk F-Core v1.1 20140703
The SQL injection is triggered when a resource is published. The parameter post_tag is the injection point; the relevant code is shown below.
/Modules/post.inc.php, around line 124:
    $db->query_unbuffered("insert into {$tpf}posts set " . $db->sql_array($ins) . "");
    $pid = $db->insert_id();
    make_tags($tags, $tag_arr, $pid); // injection point
    $db->query_unbuffered("update {$tpf}categories set cate_num=cate_num+1 where cate_id='$cate_id'");
    $sysmsg[] = $settings['pd_post_name'] . 'published successfully';
Following the make_tags function:
    function make_tags($tags, $tag_arr, $file_id) {
        global $db, $tpf, $timestamp, $pd_uid;
        if ($tags) {
            $tags = filter_tag($tags);
            $tags_str = '';
            for ($i = 0; $i < count($tag_arr); $i++) {
                if ($tag_arr[$i]) {
                    $tags_str .= "'" . filter_tag($tag_arr[$i]) . "',"; // filter_tag processes the tag value
                    $rs = $db->fetch_one_array("select count(*) as total from {$tpf}post2tag where tag_name='{$tag_arr[$i]}' and pid='{$file_id}'");
                    if (!$rs['total']) {
                        $ins = array(
                            'tag_name' => $tag_arr[$i],
                            'pid'      => $file_id,
                        );
                        $db->query_unbuffered("insert into {$tpf}post2tag set " . $db->sql_array($ins) . ";");
                    }
                    unset($rs);
                }
            }
            $tags_str = (substr($tags_str, -1) == ',') ? substr($tags_str, 0, -1) : $tags_str;
            $db->query_unbuffered("update {$tpf}tags set tag_count=tag_count-1 where tag_name in (select tag_name from {$tpf}post2tag where pid='$file_id')");
            // echo "delete from {$tpf}post2tag where pid='$file_id' and tag_name not in ($tags_str)";
            $db->query_unbuffered("delete from {$tpf}post2tag where pid='$file_id' and tag_name not in ($tags_str)"); // a stray backslash is left here: injection
            // remainder of the function is not shown in the original
        }
    }
The filter_tag function is the key part. Following it:
    function filter_tag($str) {
        return str_replace(array('"', "'", '/', '(', ')', '*'), '', $str);
    }
This function strips special characters such as single quotes. On its own the filter looks harmless. However, the POST data has already been passed through addslashes, so a quote arrives as \' ; removing only the quote leaves the backslash behind. In the query built by make_tags that stray backslash escapes the closing quote of the literal, so the string no longer ends where the code expects, which results in injection.
Test process:
A local environment was built for testing.
The official demo site was also tested: http://demo.phpdisk.com/f/
No MySQL error message is returned, so the injection is blind (boolean-based or time-delay).
Solution:
Do not run filter_tag on data that has already been escaped by addslashes; when addslashes is in effect, filter_tag is not needed. Stripping characters after escaping is exactly what leaves the dangling backslash.
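The following is an added example, not PHPDisk's own code. It reproduces the escaping-order defect described above (addslashes followed by filter_tag) offline, checks the resulting SQL for an unterminated string literal, and shows the fix from the Solution section in the form a developer would actually ship: validate the tag instead of "repairing" it, and bind values as parameters. The helper names (build_delete_vulnerable, build_delete_fixed, has_unterminated_literal), the table prefix pd_ and the sample tags are assumptions made for this illustration.

```php
<?php
// Added example; not part of PHPDisk. Helper names and sample data are hypothetical.

$tpf = 'pd_'; // assumed table prefix, standing in for {$tpf}

// Same behaviour as the page's filter_tag(): strips quotes, slashes, parentheses, asterisk.
function filter_tag($str) {
    return str_replace(array('"', "'", '/', '(', ')', '*'), '', $str);
}

// Vulnerable ordering. The request layer has already applied addslashes() to POST data;
// filter_tag() then removes the quote but leaves its escaping backslash in place.
function build_delete_vulnerable($tpf, $file_id, array $post_tags) {
    $tags_str = '';
    foreach ($post_tags as $raw) {
        $escaped = addslashes($raw);                 // what the request layer did
        $tags_str .= "'" . filter_tag($escaped) . "',"; // what make_tags() does
    }
    $tags_str = rtrim($tags_str, ',');
    return "delete from {$tpf}post2tag where pid='$file_id' and tag_name not in ($tags_str)";
}

// Fixed design: do not strip characters from escaped data. Validate the tag against an
// allowed alphabet and pass values as bound parameters, so quoting is never done by hand.
// Returns array($sql_with_placeholders, $params) ready for a prepared statement.
// Assumes $post_tags hold the raw values; if the request layer already ran addslashes(),
// reverse it with stripslashes() first so each value is escaped exactly once, by the driver.
function build_delete_fixed($tpf, $file_id, array $post_tags) {
    $params  = array((int) $file_id);
    $holders = array();
    foreach ($post_tags as $raw) {
        // Letters, digits, underscore and hyphen only; anything else is rejected, not repaired.
        if (!preg_match('/^[\p{L}\p{N}_\-]{1,32}$/u', $raw)) {
            continue;
        }
        $holders[] = '?';
        $params[]  = $raw;
    }
    $sql = "delete from {$tpf}post2tag where pid=?";
    if ($holders) { // "not in ()" is a syntax error, so only add the clause when tags remain
        $sql .= " and tag_name not in (" . implode(',', $holders) . ")";
    }
    return array($sql, $params);
}

// Detection aid: walk the SQL text honouring backslash escapes (MySQL default mode) and
// report whether a single-quoted literal is left open at the end of the statement.
function has_unterminated_literal($sql) {
    $in_literal = false;
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if ($in_literal) {
            if ($c === '\\') { $i++; continue; } // escaped character, skip it
            if ($c === "'")  { $in_literal = false; }
        } elseif ($c === "'") {
            $in_literal = true;
        }
    }
    return $in_literal;
}

// Constructed sample input: the second tag ends in a single quote.
$sample_tags = array('music', "video'");

$vuln = build_delete_vulnerable($tpf, 42, $sample_tags);
echo $vuln, PHP_EOL;
// delete from pd_post2tag where pid='42' and tag_name not in ('music','video\')
// The \' escapes the closing quote, so the literal never terminates:
echo 'unterminated literal: ', has_unterminated_literal($vuln) ? 'yes' : 'no', PHP_EOL; // yes

list($sql, $params) = build_delete_fixed($tpf, 42, $sample_tags);
echo $sql, PHP_EOL;                 // delete from pd_post2tag where pid=? and tag_name not in (?)
echo json_encode($params), PHP_EOL; // [42,"music"]  ("video'" was rejected by validation)
echo 'unterminated literal: ', has_unterminated_literal($sql) ? 'yes' : 'no', PHP_EOL; // no
```

The has_unterminated_literal check is a cheap way to unit-test query builders like make_tags: feed each string-building function inputs that end in a quote or a backslash and assert that the generated statement still has balanced literals. With prepared statements the check passes trivially, because user data never enters the SQL text at all.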