KPPW latest SQL injection vulnerability 2
File: /control/user/account_auth.php
$arrAllowAuth = array('realname', 'enterprise', 'bank', 'mobile', 'email');
if ($code && in_array($code, $arrAllowAuth)) {
    $code or $code = $keys['0'];
    $code or kekezu::show_msg($_lang['param_error'], "index.php?do=auth", 3, '', 'warning');
    $auth_class = "keke_auth_" . $code . "_class";
    $objAuth = new $auth_class($code);
    $auth_item = $arrAllAuthItems[$code];
    $auth_dir = $auth_item['auth_dir'];
    // $intBankAid comes straight from the request and is handed to the auth class unchecked
    $arrAuthInfo = $objAuth->get_user_auth_info($gUid, 0, $intBankAid);
    require S_ROOT . "/auth/$code/control/index.php";
    require keke_tpl_class::template('auth/' . $code . '/tpl/' . $_K['template'] . '/' . $step);
    die;
} else {
    $real_pass = keke_auth_fac_class::auth_check('enterprise', $gUid) or $real_pass = keke_auth_fac_class::auth_check("realname", $gUid);
    $arrHasAuthItem = keke_auth_fac_class::get_auth($gUserInfo);
    $arrUserAuthInfo = $arrHasAuthItem['info'];
}
Take a closer look at the following:
$arrAuthInfo = $objAuth->get_user_auth_info($gUid, 0, $intBankAid);
The variable $intBankAid is passed into the function get_user_auth_info().
Following the function get_user_auth_info:
File: /lib/sys/keke_auth_base_class.php
public function get_user_auth_info($uid, $is_username = 0, $show_id = '') {
    $sql = "select * from " . TABLEPRE . $this->_auth_table_name;
    if ($uid) {
        $is_username == '0' and $sql .= " where uid = '$uid' " or $sql .= " where username = '$uid' ";
        // $show_id (the request's $intBankAid) is concatenated into the query with no filtering or escaping
        $show_id and $sql .= " and " . $this->_primary_key . "=" . $show_id;
        $sql .= " order by $this->_primary_key desc";
        $data = db_factory::query($sql);
        if (sizeof($data) == 1) {
            return $data[0];
        } else {
            return $data;
        }
    } else {
        return array();
    }
}
The received variable $intBankAid is bound to $show_id, and $show_id is then concatenated into $sql.
Throughout this flow $intBankAid is never filtered, and the resulting $sql is executed against the database, producing a SQL injection vulnerability.
http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=account&op=auth&code=bank&step=step2&intBankAid=147 and 1=1
http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=account&op=auth&code=bank&step=step2&intBankAid=147 and 1=2
Database execution records:
Solution:
In get_user_auth_info, change the line that appends $show_id to: $show_id and $sql .= " and " . $this->_primary_key . "='" . $show_id . "'";
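The fix above wraps $show_id in quotes, which only protects the query if the quoted value is also escaped by the database layer; the rewrite below (added here, not KPPW's code) instead validates $show_id as a positive integer, which is what the bank record id is, and routes the username branch through an escaping callback. TABLEPRE is the project's constant as used on the page; the prefix value, the table and key names, and the addslashes stand-in are constructed for the demo, and query execution is left to the caller so it runs without a database.

```php
<?php
// Added hardened query builder for get_user_auth_info; not KPPW's own code.
define('TABLEPRE', 'keke_witkey_');  // constructed prefix for the demo

// Returns the SQL string, or null when the input is rejected (caller returns array()).
function build_user_auth_sql($uid, $is_username, $show_id, $auth_table_name, $primary_key, callable $escape)
{
    if (!$uid) {
        return null;  // mirrors the original's early "return array()" branch
    }
    $sql = "select * from " . TABLEPRE . $auth_table_name;

    if ($is_username == '0') {
        // uid is numeric: an integer cast leaves nothing for an attacker to append
        $sql .= " where uid = '" . intval($uid) . "'";
    } else {
        // username is a free-form string: it must go through the DB layer's escaping
        $sql .= " where username = '" . $escape($uid) . "'";
    }

    if ($show_id !== '' && $show_id !== null) {
        // $show_id (the request's intBankAid) is a record id: accept digits only,
        // so a value such as "147 and 1=1" is rejected before any SQL is built
        if (!ctype_digit((string) $show_id) || (int) $show_id <= 0) {
            return null;
        }
        $sql .= " and " . $primary_key . " = " . (int) $show_id;
    }

    return $sql . " order by " . $primary_key . " desc";
}

// Demo with constructed table/key names: a normal id and the PoC's boolean-test payload.
$escape = function ($s) { return addslashes($s); };  // stand-in; use the driver's real escaper
var_dump(build_user_auth_sql(5, 0, '147', 'bank_auth', 'bank_aid', $escape));
var_dump(build_user_auth_sql(5, 0, '147 and 1=1', 'bank_auth', 'bank_aid', $escape));
```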