I find this vulnerability a little interesting; it kept me busy for half a day. PS: if gpc (magic_quotes_gpc) is not enabled, none of this matters. At line 59 of /system/init.php:
if (function_exists('get_magic_quotes_gpc')) {
    if (@get_magic_quotes_gpc()) { // GPC: undo the magic_quotes escaping
        if (!function_exists('stripslashes_gpc')) {
            function stripslashes_gpc(&$value) {
                $value = stripslashes($value);
            }
        }
        // ... the helper is then applied to the GPC arrays (rest of the block not shown)
    }
}
So if the server has gpc enabled, stripslashes is applied and the data is back in its original, unescaped form. That is better for the future anyway (PHP 6 has removed this get_magic_quotes_gpc() function). Now line 978 of /system/aws_model.inc.php:
public function quote($string) {
    if (is_object($this->db())) {
        // The return below is the interesting part. Look at $this->db()->quote($string):
        // that quote() is a different function from this one, not a recursive call.
        return trim($this->db()->quote($string), "'");
    }
    if (function_exists('mysql_escape_string')) {
        $string = @mysql_escape_string($string);
    } else {
        $string = addslashes($string);
    }
    return $string;
}
The Zend Framework is used here. Line 859 of /system/Zend/Db/Adapter/Abstract.php:
public function quote($value, $type = null)
{
    $this->_connect();

    if ($value instanceof Zend_Db_Select) {
        return '(' . $value->assemble() . ')';
    }

    if ($value instanceof Zend_Db_Expr) {
        return $value->__toString();
    }

    if (is_array($value)) {
        foreach ($value as &$val) {
            $val = $this->quote($val, $type);
        }
        return implode(', ', $value);
    }

    if ($type !== null && array_key_exists($type = strtoupper($type), $this->_numericDataTypes)) {
        $quotedValue = '0';
        switch ($this->_numericDataTypes[$type]) {
            case Zend_Db::INT_TYPE: // 32-bit integer
                $quotedValue = (string) intval($value);
                break;
            case Zend_Db::BIGINT_TYPE: // 64-bit integer
                // ANSI SQL-style hex literals (e.g. x'[\dA-F]+')
                // are not supported here, because these are string
                // literals, not numeric literals.
                if (preg_match('/^(
                      [+-]?                  # optional sign
                      (?:
                        0[Xx][\da-fA-F]+     # ODBC-style hexadecimal
                        |\d+                 # decimal or octal, or MySQL ZEROFILL decimal
                        (?:[eE][+-]?\d+)?    # optional exponent on decimals or octals
                      )
                    )/x',
                    (string) $value, $matches)) {
                    $quotedValue = $matches[1];
                }
                break;
            case Zend_Db::FLOAT_TYPE: // float or decimal
                $quotedValue = sprintf('%F', $value);
        }
        return $quotedValue;
    }

    return $this->_quote($value);
}
For a plain string this ends up returning $this->_quote($value). Note the name: it is a different function despite looking alike. Line 839 of the same file:
protected function _quote($value)
{
    if (is_int($value)) {
        return $value;
    } elseif (is_float($value)) {
        return sprintf('%F', $value);
    }
    return "'" . addcslashes($value, "\000\n\r\\'\"\032") . "'";
}
This does addcslashes processing (in effect addslashes), so the value is escaped once and wrapped in single quotes. Now go back to the outer quote() and look at return trim($this->db()->quote($string), "'"); the key point is that trim strips every ' from both ends, not just the pair _quote() added. If our input ends with a ', the escaped value becomes \' followed by the closing ', trim removes both quote characters, and a bare trailing \ is left behind. You will have guessed the rest: when the SQL statement is executed, that \ escapes the closing quote of the string literal. I will not post the query functions; they use MySQL prepared statements (prepare and execute), which really do behave differently from ordinary statements. I still don't understand this part well, and I have never worked with the Zend Framework.. This bug is a real pitfall..
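The quoting chain described above, as an added example: a Python model of the PHP behaviour, not the project's or Zend's own code. The names zend_quote, model_quote_buggy, model_quote_fixed and literal_is_terminated are assumptions; the input is constructed.

```python
# Added example: Python model of the quoting chain in the writeup above.
# Not the project's or Zend's code; function names are assumptions.
# Characters that Zend_Db_Adapter_Abstract::_quote() hands to addcslashes().
ZEND_ESCAPED = "\x00\n\r\\'\"\x1a"
# addcslashes() writes these control characters as C-style escapes.
C_ESCAPES = {"\x00": "\\000", "\n": "\\n", "\r": "\\r", "\x1a": "\\032"}


def zend_quote(value: str) -> str:
    """Model of Zend's _quote(): escape ZEND_ESCAPED and wrap in single quotes."""
    out = []
    for ch in value:
        if ch in C_ESCAPES:
            out.append(C_ESCAPES[ch])
        elif ch in ZEND_ESCAPED:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "'" + "".join(out) + "'"


def model_quote_buggy(string: str) -> str:
    """Model of the application's quote(): trim(..., "'") strips *every*
    leading and trailing quote, not only the pair _quote() added."""
    return zend_quote(string).strip("'")


def model_quote_fixed(string: str) -> str:
    """Hardened variant: drop exactly the one quote _quote() added at each end."""
    return zend_quote(string)[1:-1]


def literal_is_terminated(escaped: str) -> bool:
    """True if wrapping `escaped` in single quotes gives a closed SQL string
    literal, i.e. it does not end in an odd run of backslashes."""
    trailing = len(escaped) - len(escaped.rstrip("\\"))
    return trailing % 2 == 0


def build_sql(escaped: str) -> str:
    """Constructed query showing how the escaped value gets embedded."""
    return "SELECT id FROM users WHERE name = '" + escaped + "'"


if __name__ == "__main__":
    sample = "alice'"  # constructed input ending in a quote, the case from the writeup
    for name, fn in (("buggy", model_quote_buggy), ("fixed", model_quote_fixed)):
        escaped = fn(sample)
        print(name, build_sql(escaped), "terminated:", literal_is_terminated(escaped))
```

The buggy path turns `alice'` into `alice\`, so the closing quote of the literal is escaped; the fixed path keeps `alice\'` and the literal stays closed.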