Discuz 7.2 faq.php SQL Injection Vulnerability Analysis

Source: Internet
Author: User
Injection request example:
http://www.php.net/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=) and (select 1 from (select Count (*), Concat ((Select (select Concat (Username,0x20,password) from cdb_members limit 0,1) from ' Information_ Schema '. Tables limit 0,1), floor (rand (0) *)) x from Information_schema.tables Group by X) a)%23

Vulnerability Analysis: by Phithon

The relevant code in faq.php is as follows:

if ($action == 'grouppermission') {

    ...
    // $gids comes straight from $_GET['gids'] (already passed through addslashes globally)
    ksort($gids);
    $groupids = array();
    foreach ($gids as $row) {
        // takes the first element of an array value, or the first CHARACTER of a string value
        $groupids[] = $row[0];
    }

    $query = $db->query("SELECT * FROM {$tablepre}usergroups u LEFT JOIN {$tablepre}admingroups a ON u.groupid=a.admingid WHERE u.groupid IN (" . implodeids($groupids) . ")");
    ...
}

// wraps each id in single quotes and joins them with commas, without any escaping of its own
function implodeids($array) {
    if (!empty($array)) {
        return "'" . implode("','", is_array($array) ? $array : array($array)) . "'";
    } else {
        return '';
    }
}

First an array $groupids is defined, then $gids (which is also an array, namely $_GET['gids']) is traversed, and the first element ($row[0]) of every value in it is appended to $groupids.

Why is this operation causing an injection?

Discuz applies addslashes to the GET array globally, that is, every ' becomes \'. So if our argument is gids[1]=' it is escaped to $gids[1]=\', and the assignment $groupids[] = $row[0] takes only the first character of that string, which is the escape character \ on its own, with the quote it was protecting left behind.

Looking back, the data is passed through implodeids before it is placed in the SQL statement. Looking at the implodeids function:

It is a very simple function: it joins the elements of the $groupids array with ',' and wraps each of them in single quotes, returning a string such as '1','2','3','4'.

But our array has just taken in a lone escape character, which now escapes a quote that was meant to be a normal delimiter, like this:
'1','\','3','4'
Notice the difference: the 4th single quote has been escaped, which means the 3rd single quote is now closed by the 5th one, and everything after that point is no longer inside a string literal.
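The following PHP is an added example, not Discuz's own code: it models the global addslashes escaping and the $row[0] truncation described above, and puts the vulnerable IN-clause builder beside a hardened one that casts every id to an integer (the integer cast is an assumption about the fix; the Discuz function implodeids is copied unchanged from the analysis). The vulnerable builder produces a clause with a stray backslash, the hardened one produces only integers.

```php
<?php
// implodeids as shown in the analysis above (Discuz's function, unchanged).
function implodeids($array) {
    if (!empty($array)) {
        return "'" . implode("','", is_array($array) ? $array : array($array)) . "'";
    }
    return '';
}

// Models Discuz's global escaping of $_GET: addslashes applied recursively.
function escape_request($value) {
    return is_array($value) ? array_map('escape_request', $value) : addslashes($value);
}

// Vulnerable builder: $row[0] on a string value is its first character,
// so the escaped "\'" collapses to a bare backslash.
function build_in_clause_vulnerable(array $gids) {
    ksort($gids);
    $groupids = array();
    foreach ($gids as $row) {
        $groupids[] = $row[0];
    }
    return implodeids($groupids);
}

// Hardened builder (assumption: group ids are always integers): cast each
// value to int, so neither a quote nor a backslash can reach the query.
function build_in_clause_hardened(array $gids) {
    ksort($gids);
    $groupids = array();
    foreach ($gids as $row) {
        $groupids[] = intval(is_array($row) ? $row[0] : $row);
    }
    return implodeids($groupids);
}

// Constructed request with the same shape as the one in the analysis:
// a plain id, a lone single quote, and a nested-array id.
$gids = escape_request(array(1 => '1', 2 => "'", 3 => array('3')));

echo "vulnerable: ", build_in_clause_vulnerable($gids), PHP_EOL;
echo "hardened:   ", build_in_clause_hardened($gids), PHP_EOL;
```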
