One line of FineCMS code triggers multiple SQL injections
Location:
/Dayrui/core/D_Member_Home.php, line 81:
$order = isset($_GET['order']) && strpos($_GET['order'], "undefined") !== 0 ? $this->input->get('order', TRUE) : 'updatetime desc';
and then line 109:
$this->link->order_by($order);
The order value is taken straight from $_GET and placed directly into the ORDER BY clause, so it is an SQL injection point.
Because many classes inherit from this one, the injection affects many features, including the various member-center sub-functions of FineCMS.
Take the news module as an example.
First, modify /dayrui/core/D_Common.php at line 304:
if ($this->member['adminid'] || IS_ADMIN || 1) { $this->db->db_debug = $this->site[SITE_ID]->db_debug = TRUE; } else { $this->db->db_debug = $this->site[SITE_ID]->db_debug = FALSE; }
Adding || 1 after IS_ADMIN forces database debug output on. Now visit http://xxxx/member/index.php?s=news&c=home&kw=&order=aaaa'
The following error is reported:
However, error reporting is off by default, so apart from time-based blind injection through order, what other injection method is available?
In CodeIgniter's Active Record, once a database statement fails to execute, the subsequent result() or result_array() call throws a fatal error, "Call to a member function result_array() on a non-object", and PHP cannot continue execution. Therefore, even with error_reporting(0) set or PHP error display disabled, we can tell whether the SQL statement executed successfully by observing whether the page renders completely.
This gives us a boolean-based blind injection condition: the page shown on error differs from the page shown on success.
Enough explanation; let's use it directly:
Error: http://xxx/member/index.php?s=news&c=home&kw=&order=(select 1 from information_schema.tables where ord(mid(user() from 1 for 1))>113)
Correct: http://xxx/member/index.php?s=news&c=home&kw=&order=(select 1 from information_schema.tables where ord(mid(user() from 1 for 1))>114)
The method above constructs an SQL statement whose success or failure depends on the number of rows returned by a subquery. If the subquery returns more than one row, MySQL raises the error "Subquery returns more than 1 row". So when ord('r') > 113, the WHERE condition is true, the SELECT returns many rows, the SQL statement fails, and PHP hits a fatal error. When ord('r') > 114, the WHERE condition is false, the SELECT returns 0 rows, and no error occurs.
Solution:
Stricter filtering of the order parameter.
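One way to implement that stricter filtering, as an added example that is not FineCMS code: instead of passing whatever the visitor sent into order_by(), accept only a sort column and direction that appear on a whitelist, and fall back to the default otherwise. The column names in ALLOWED_ORDER_COLUMNS are assumptions for illustration; the real fix would list the sortable columns of the content table. Because D_Member_Home is the base class for many controllers, validating the value there covers every inheriting feature at once.

```php
<?php
// Added example (not FineCMS code): whitelist validation for a user-supplied
// ORDER BY value before it reaches $this->link->order_by($order).

// Columns a visitor may sort by and the directions accepted.
// These column names are assumed for illustration only.
const ALLOWED_ORDER_COLUMNS = ['updatetime', 'inputtime', 'hits', 'id'];
const ALLOWED_DIRECTIONS    = ['asc', 'desc'];
const DEFAULT_ORDER         = 'updatetime desc';

/**
 * Normalise a raw order string such as "hits desc" into a safe "column dir"
 * pair, or return the default when any part is not on the whitelist.
 * Nothing from the request is interpolated into SQL unless it matches a
 * whitelist entry exactly, so subqueries, quotes and comments never pass.
 */
function safe_order(?string $raw, string $default = DEFAULT_ORDER): string
{
    // Same "undefined" guard the original line 81 had, plus empty input.
    if ($raw === null || $raw === '' || strpos($raw, 'undefined') === 0) {
        return $default;
    }
    $parts = preg_split('/\s+/', trim($raw));
    // Exactly "column" or "column direction"; anything longer is rejected.
    if (count($parts) < 1 || count($parts) > 2) {
        return $default;
    }
    $column    = strtolower($parts[0]);
    $direction = strtolower($parts[1] ?? 'asc');
    if (!in_array($column, ALLOWED_ORDER_COLUMNS, true)
        || !in_array($direction, ALLOWED_DIRECTIONS, true)) {
        return $default;
    }
    return $column . ' ' . $direction;
}

// Constructed sample inputs: benign values followed by malformed or hostile ones.
$samples = [
    'updatetime desc',                                  // accepted as-is
    'hits',                                             // becomes "hits asc"
    'undefined',                                        // default
    "aaaa'",                                            // default
    '(select 1 from information_schema.tables where 1)', // default
    'updatetime desc, (select 1)',                      // default
];
foreach ($samples as $s) {
    printf("%-55s => %s\n", var_export($s, true), safe_order($s));
}
```

In the original controller, line 81 would then read $order = safe_order($this->input->get('order', TRUE)); and the value handed to order_by() on line 109 can only ever be one of the whitelisted "column direction" strings or the default.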