The filtering of added tags is lax. Today I fetched the latest version of ThinkSAAS and went over the security issues after xfkxfk's disclosure; many of them are still not filtered. xfkxfk disclosed app/tag/action/add.php. I looked at the sibling file app/tag/action/add_ajax.php:
```php
case "do":
    $objname = t($_POST['objname']);
    $idname  = t($_POST['idname']);
    $objid   = t($_POST['objid']);
    $tags    = t($_POST['tags']);
    $new['tag']->addTag($objname, $idname, $objid, $tags);
    echo "<script language=JavaScript>parent.window.location.reload();</script>";
    break;
```

Every parameter passes through the filter function t():

```php
function t($text) {
    $text = preg_replace('/\[.*?\]/is', '', $text);
    $text = cleanJs($text);
    // thoroughly filter spaces by qiniao
    $text = preg_replace('/\s(?=\s)/', '', $text);
    $text = preg_replace('/[\n\r\t]/', '', $text);
    $text = str_replace('', '', $text); // search string lost in extraction
    //$text = str_replace('', '', $text);
    $text = str_replace('&nbsp;', '', $text);
    $text = str_replace('&', '', $text);
    $text = str_replace('=', '', $text);
    $text = str_replace('-', '', $text);
    $text = str_replace('#', '', $text);
    $text = str_replace('%', '', $text);
    $text = str_replace('!', '', $text);
    $text = str_replace('@', '', $text);
    $text = str_replace('^', '', $text);
    $text = str_replace('*', '', $text);
    $text = str_replace('amp;', '', $text);
    $text = str_replace('position', '', $text);
    $text = strip_tags($text);
    $text = htmlspecialchars($text);
    $text = str_replace("'", "", $text);
    return $text;
}
```

It strips single quotes and the SQL comment characters (`#`, `-`). The filtered values then go into addTag():

```php
function addTag($objname, $idname, $objid, $tags) {
    if ($objname != '' && $idname != '' && $objid != '' && $tags != '') {
        // normalise the separator (search string reconstructed as the full-width comma)
        $tags = str_replace('，', ',', $tags);
        $arrTag = explode(',', $tags);
        foreach ($arrTag as $item) {
            $tagname = t($item);
            if (strlen($tagname) < '32' && $tagname != '') {
                $uptime = time();
                $tagcount = $this->findCount('tag', array('tagname' => $tagname));
                if ($tagcount == '0') {
                    // new tag: create it, then link it to the object
                    $tagid = $this->create('tag', array('tagname' => $tagname, 'uptime' => $uptime));
                    $tagIndexCount = $this->findCount('tag_' . $objname . '_index', array($idname => $objid, 'tagid' => $tagid));
                    if ($tagIndexCount == '0') {
                        $this->create("tag_" . $objname . "_index", array($idname => $objid, 'tagid' => $tagid));
                    }
                    $tagIdCount = $this->findCount("tag_" . $objname . "_index", array('tagid' => $tagid));
                    $count_obj = "count_" . $objname;
                    $this->update('tag', array('tagid' => $tagid), array($count_obj => $tagIdCount));
                } else {
                    // existing tag: reuse its id
                    $tagData = $this->find('tag', array('tagname' => $tagname));
                    $tagIndexCount = $this->findCount("tag_" . $objname . "_index", array($idname => $objid, 'tagid' => $tagData['tagid']));
                    if ($tagIndexCount == '0') {
                        $this->create("tag_" . $objname . "_index", array($idname => $objid, 'tagid' => $tagData['tagid']));
                    }
                    $tagIdCount = $this->findCount("tag_" . $objname . "_index", array('tagid' => $tagData['tagid']));
                    $count_obj = "count_" . $objname;
                    $this->update('tag', array('tagid' => $tagData['tagid']), array($count_obj => $tagIdCount, 'uptime' => $uptime));
                }
            }
        }
    }
}
```

The line that matters is this one:

```php
$tagIndexCount = $this->findCount('tag_' . $objname . '_index', array($idname => $objid, 'tagid' => $tagid));
```
You can see that $idname is used as the key of the conditions array passed to findCount():
```php
public function findCount($table, $conditions = null) {
    $where = "";
    if (is_array($conditions)) {
        $join = array();
        foreach ($conditions as $key => $condition) {
            $condition = $this->escape($condition);   // only the value is escaped
            $join[] = "{$key} = {$condition}";        // the key goes in verbatim
        }
        $where = "WHERE " . join(" AND ", $join);
    } else {
        if (null != $conditions)
            $where = "WHERE " . $conditions;
    }
    $sql = "SELECT COUNT(*) AS ts_counter FROM " . dbprefix . "{$table} {$where}";
    $result = $this->db->once_fetch_assoc($sql);
    return $result['ts_counter'];
}
```
The key, however, is not filtered at all: the value is escaped, but the key is concatenated straight into the SQL. It does not matter that t() strips single quotes, because the injection goes into the key, where no quote is needed. The comment characters are stripped too, so the payload simply ends without one: objid=123&objname=article&idname=123 union select email from ts_user limit;a&tags=idname. The result is a blind, time-based injection.
That is enough to execute it.
Solution: After xfkxfk's disclosure the new version added filtering to the reported file, but it is not thorough, and add_ajax.php bypasses it entirely. Fix this file so that it does not repeat the vulnerability of the file xfkxfk reported, and strengthen the filtering.
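Strengthening t() does not close this hole, because the key and the table name are identifiers, not values: they have to be validated against an identifier pattern, while values go through bound parameters. The following is an added example, not ThinkSAAS code; it assumes PDO with an in-memory SQLite database holding constructed sample rows, and the dbprefix constant from the original.

```php
<?php
// Added example, not ThinkSAAS code. The page's findCount() escapes each
// condition VALUE but splices the KEY ($idname, straight from $_POST) and the
// table name ('tag_' . $objname . '_index') into the SQL text unchecked.

// Reject anything that is not a plain SQL identifier, then backtick-quote it.
function safe_identifier($name) {
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("bad identifier: $name");
    }
    return '`' . $name . '`';
}

// Same shape as the original findCount(): keys become validated identifiers,
// values become bound parameters, so neither can change the query structure.
function findCount(PDO $db, $table, array $conditions = array()) {
    $join   = array();
    $params = array();
    foreach ($conditions as $key => $value) {
        $join[]   = safe_identifier($key) . ' = ?';
        $params[] = $value;
    }
    $where = $join ? 'WHERE ' . join(' AND ', $join) : '';
    $sql = 'SELECT COUNT(*) AS ts_counter FROM '
         . safe_identifier(dbprefix . $table) . " $where";
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return (int) $stmt->fetchColumn();
}

// Demonstration against an in-memory SQLite table (constructed sample data).
define('dbprefix', 'ts_');
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ts_tag_article_index (articleid INTEGER, tagid INTEGER)');
$db->exec('INSERT INTO ts_tag_article_index VALUES (123, 5)');

// Legitimate call from addTag(): idname is a real column name, so it counts 1.
var_dump(findCount($db, 'tag_article_index', array('articleid' => 123, 'tagid' => 5)));

// The key from the payload on this page is rejected before any SQL is built.
try {
    findCount($db, 'tag_article_index',
              array('123 union select email from ts_user limit;a' => 123));
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The same identifier check applied to $objname in addTag() also stops a crafted object name from steering the query to a different table.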