MolyX Board 2.81 Forum db_base.php Page SQL Injection Vulnerability

Affected Versions:
MolyX Board 2.81

Vulnerability description:
MolyX Board is one of the Magic Series of Web application software products. MolyX Studios, after years of market technology research and research, based on the advantages of many Forum program technologies and practices, we have developed a forum system with powerful functions, fast speed, outstanding performance, and extremely high security for Chinese users.

Includes/db/db_base.php Injection
 

1. function insert ($ table, $ array, $ type = INSERT, $ func = query_unbuffered)
2.
3. if ($ SQL = $ this-> SQL _insert ($ table, $ array, $ type )))
4 .{
5. return $ this-> $ func ($ SQL );
6 .}
7. return false;

Next, let's look at the SQL _insert () function.
 

1. function SQL _insert ($ table, $ array, $ type = INSERT, $ prefix = INSERT)
2.
3. if (! Is_array ($ array) | emptyempty ($ array ))
4 .{
5. return false;
6 .}
7. return "$ prefix INTO $ table". $ this-> SQL _clause ($ type, $ array );

Let's look at the SQL _clause () function.
 

1. function SQL _clause ($ query, $ array)
2 .{
3. if (! Is_array ($ array ))
4 .{
5. return false;
6 .}
7.
8. $ query = strtoupper ($ query );
9. $ fields = $ values =;
10. if ($ query = INSERT | $ query = INSERT_SELECT)
11 .{
12. foreach ($ array as $ key => $ var)
13 .{
14. $ fields. =, '. $ key .';
15.
16. if (is_array ($ var) & is_string ($ var [0])
17 .{
18. // INSERT SELECT
19. $ values. =,. $ var [0];
20 .}
21. else
22 .{
23. $ values. =,. $ this-> validate ($ var );
24 .}
25 .}
26. $ fields = substr ($ fields, 2 );
27. $ values = substr ($ values, 2 );
28. $ query = ($ query = INSERT )? (. $ Fields.) VALUES (. $ values.): (. $ fields.) SELECT. $ values .;
29 .}
30 ........................................ omit irrelevant code

$ Values. =,. $ var [0]; The variable $ var [0] is not enclosed in single quotes. The problem arises !!
 
Note that the init_input () function in global. php performs array (& #032;, <! --, -->,>, <,",!, "", "", $, "") Is filtered into array (, & #60; & #33; --, -- & #62;, & gt;, & lt ;, & quot;, & #33;, & #39;, <br/>, & #036;,) <* Reference
Http://hi.baidu.com/mr_xhming
*>
Test method:

The Program (method) provided on this site may be offensive and only used for security research and teaching. You are at your own risk!
Find $ DB-> insert (), and check whether the second parameter of the database has any variables that we can use, and then construct and submit the data with the data flow.
For example: $ aa [] = 0, (select + password + from + mxb_user + where + id = 1), 0, 0) % 23SEBUG Security suggestions:
Vendor patch:
MolyX Board
--------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
Http://www.molyx.com/