SQL injection vulnerability in the latest ThinkPHP version
You can say that the previous SQL injection vulnerability has a weakness. Indeed, tp I functions will be processed.
But this hole, I function can't help, so you can't say anything.
It has nothing to do with the previous holes and is caused by non-patching. It also affects 3.1 ~ Version 3.2. Continue to use onethink for demonstration.
The following controller triggers SQL injection:
public function test() { $uname = I('get.uname'); $u = M('user')->where(array( 'uname' => $uname ))->find(); dump($u); }
Why?
Let's look at the code. The latest source code I downloaded from github: https://github.com/liu21st/thinkphp
/ThinkPHP/Library/Think/Db/Driver. class. php line 531:
// Where subunit analysis protected function parseWhereItem ($ key, $ val) {$ whereStr = ''; if (is_array ($ val )) {if (is_string ($ val [0]) {if (preg_match ('/^ (EQ | NEQ | GT | EGT | LT | ELT) $/I ', $ val [0]) {// comparison operation $ whereStr. = $ key. ''. $ this-> comparison [strtolower ($ val [0])]. ''. $ this-> parseValue ($ val [1]);} elseif (preg_match ('/^ (NOTLIKE | LIKE) $/I', $ val [0]) {// fuzzy search if (is_array ($ val [1]) {$ likeLogic = isset ($ val [2])? Strtoupper ($ val [2]): 'OR'; if (in_array ($ likeLogic, array ('and', 'or', 'xor '))) {$ likeStr = $ this-> comparison [strtolower ($ val [0])]; $ like = array (); foreach ($ val [1] as $ item) {$ like [] = $ key. ''. $ likeStr. ''. $ this-> parseValue ($ item);} $ whereStr. = '('. implode (''. $ likeLogic. '', $ like ). ')' ;}} else {$ whereStr. = $ key. ''. $ this-> comparison [strtolower ($ val [0])]. ''. $ this-> parseValue ($ val [1]) ;}} elseif (' Bind' = strtolower ($ val [0]) {// use the expression $ whereStr. = $ key. '= :'. $ val [1];} elseif ('exp' = strtolower ($ val [0]) {// use the expression $ whereStr. = $ key. ''. $ val [1];} elseif (preg_match ('/IN/I', $ val [0]) {// IN operation if (isset ($ val [2]) & 'exp '= $ val [2]) {$ whereStr. = $ key. ''. strtoupper ($ val [0]). ''. $ val [1];} else {if (is_string ($ val [1]) {$ val [1] = explode (',', $ val [1]) ;}$ zone = implode (',', $ this-> parseValue ($ val [1 ]); $ WhereStr. = $ key. ''. strtoupper ($ val [0]). '('. $ zone. ')';} elseif (preg_match ('/BETWEEN/I', $ val [0]) {// BETWEEN Operation $ data = is_string ($ val [1])? Explode (',', $ val [1]): $ val [1]; $ whereStr. = $ key. ''. strtoupper ($ val [0]). ''. $ this-> parseValue ($ data [0]). AND '. $ this-> parseValue ($ data [1]);} else {E (L ('_ EXPRESS_ERROR _'). ':'. $ val [0]) ;}} else {$ count = count ($ val); $ rule = isset ($ val [$ count-1])? (Is_array ($ val [$ count-1])? Strtoupper ($ val [$ count-1] [0]): strtoupper ($ val [$ count-1]): ''; if (in_array ($ rule, array ('and', 'or', 'xor') {$ count = $ count-1;} else {$ rule = 'and ';} for ($ I = 0; $ I <$ count; $ I ++) {$ data = is_array ($ val [$ I])? $ Val [$ I] [1]: $ val [$ I]; if ('exp' = strtolower ($ val [$ I] [0]) {$ whereStr. = $ key. ''. $ data. ''. $ rule. '';} else {$ whereStr. = $ this-> parseWhereItem ($ key, $ val [$ I]). ''. $ rule. ''; }}$ whereStr = '('. substr ($ whereStr, 0,-4 ). ')' ;}} else {// use fuzzy match for string fields $ likeFields = $ this-> config ['db _ like_fields ']; if ($ likeFields & preg_match ('/^ ('. $ likeFields. ') $/I', $ key) {$ whereStr. = $ key. 'like '. $ this-> parseValue ('% '. $ val. '%');} else {$ whereStr. = $ key. '= '. $ this-> parseValue ($ val) ;}return $ whereStr ;}
This is the function for processing the where condition. We can see the following snippet:
} Elseif (preg_match ('/BETWEEN/I', $ val [0]) {// BETWEEN Operation $ data = is_string ($ val [1])? Explode (',', $ val [1]): $ val [1]; $ whereStr. = $ key. ''. strtoupper ($ val [0]). ''. $ this-> parseValue ($ data [0]). AND '. $ this-> parseValue ($ data [1]);}
When matching/BETWEEN/I and $ val [0], strtoupper ($ val [0]) is directly inserted into the SQL statement.
This match: preg_match ('/BETWEEN/I', $ val [0]), which is obviously problematic. Because this match does not include ^ $, that is, the limit at the beginning and end, as long as our $ val [0] contains between, this match can be established and an SQL injection is generated.
To prevent the filter effect of I function on our input, let's look at I function:
Function I ($ name, $ default = '', $ filter = null, $ datas = null) {if (strpos ($ name ,'/')) {// specify the modifier list ($ name, $ type) = explode ('/', $ name, 2);} if (strpos ($ name ,'. ') {// specify the parameter source list ($ method, $ name) = explode ('. ', $ name, 2);} else {// The default value is $ method = 'param';} switch (strtolower ($ method) {case 'get ': $ input = & $ _ GET; break; case 'post': $ input = & $ _ post; break; case 'put': parse_str (file_get_contents ('php: // Indium Ut '), $ input); break; case 'param': switch ($ _ SERVER ['request _ method']) {case 'post ': $ input = $ _ POST; break; case 'put': parse_str (file_get_contents ('php: // input'), $ input); break; default: $ input = $ _ GET;} break; case 'path': $ input = array (); if (! Empty ($ _ SERVER ['path _ info']) {$ depr = C ('url _ PATHINFO_DEPR '); $ input = explode ($ depr, trim ($ _ SERVER ['path _ info'], $ depr);} break; case 'request': $ input = & $ _ request; break; case 'session ': $ input = & $ _ session; break; case 'cookies': $ input = & $ _ cookie; break; case 'server ': $ input = & $ _ SERVER; break; case 'globals': $ input = & $ globals; break; case 'data': $ input = & $ datas; break; default: re Turn NULL;} if (''= $ name) {// get all variables $ data = $ input; $ filters = isset ($ filter )? $ Filter: C ('default _ filter'); if ($ filters) {if (is_string ($ filters) {$ filters = explode (',', $ filters);} foreach ($ filters as $ filter) {$ data = array_map_recursive ($ filter, $ data ); // parameter filtering }}elseif (isset ($ input [$ name]) {// value operation $ data = $ input [$ name]; $ filters = isset ($ filter )? $ Filter: C ('default _ filter'); if ($ filters) {if (is_string ($ filters) {$ filters = explode (',', $ filters);} elseif (is_int ($ filters) {$ filters = array ($ filters);} foreach ($ filters as $ filter) {if (function_exists ($ filter) {$ data = is_array ($ data )? Array_map_recursive ($ filter, $ data): $ filter ($ data); // parameter filtering} elseif (0 === strpos ($ filter ,'/')) {// supports regular expression verification if (1! = Preg_match ($ filter, (string) $ data) {return isset ($ default )? $ Default: NULL ;}} else {$ data = filter_var ($ data, is_int ($ filter )? $ Filter: filter_id ($ filter); if (false ===$ data) {return isset ($ default )? $ Default: NULL ;}}} if (! Empty ($ type) {switch (strtolower ($ type) {case's ': // string $ data = (string) $ data; break; case 'A ': // array $ data = (array) $ data; break; case 'D': // number $ data = (int) $ data; break; case 'F ': // floating point $ data = (float) $ data; break; case 'B': // boolean $ data = (boolean) $ data; break ;}}} else {// default variable value $ data = isset ($ default )? $ Default: NULL;} is_array ($ data) & array_pai_recursive ($ data, 'Think _ filter'); return $ data ;}
Some improvements compared with earlier versions:
1. Forced type conversion $ type is added, but $ type is empty by default, and forced type conversion does not exist.
2. Put is_array ($ data) & array_walk_recursive ($ data, 'Think _ filter'); in the last row. Let's look at the filter function think_filter:
Function think_filter (& $ value) {// TODO other security filtering // filter query special characters if (preg_match ('/^ (EXP | NEQ | GT | EGT | LT | ELT | OR | LIKE | NOTLIKE | | IN) $/I ', $ value) {$ value. = '';}}
In fact, this is a solution to my previous vulnerability. I will add spaces after some keywords. However, we can see that this regular expression has a "^ $" at the beginning and end of the qualifier. Therefore, space is added only when the input parameter is "equal to" BETWEEN ", and space is added here, which does not affect the vulnerability generation, because the regular expression of the vulnerability location does not contain the first and last delimiters of ^ $.
Another note: thinkphp has released an "Incorrect" patch, which has been removed by the official team. Therefore, you do not need to consider the interference caused by the patch.
Let's go back to the original code:
public function test() { $uname = I('get.uname'); $u = M('user')->where(array( 'uname' => $uname ))->find(); dump($u); }
Let's test this Code:
The vulnerability exists. Let's take a look at the specific executed SQL statement:
In. Besides BETWEEN, there is also IN, which I will explain.
Onethink Demo:
Solution:
Regular Expressions must be clearly written:
/^ BETWEEN $/I