A ThinkSNS SQL injection (WAF bypass)
Found while developing on the platform.
Apps/page/Lib/Action/DiyAction.class.php, line 192:
```php
public function doCopyTemplate() {
    $id = intval($_POST['id']);
    $page = $_POST['page'];
    $channel = $_POST['channel'];
    $databaseData = D('Page')->getPageInfo($page, $channel);
    $result = $this->checkRole($databaseData['manager'], $databaseData);
    if ($result['admin']) {
        echo D('pageTemplate')->saveCopyAction($id, $this->mid, $page, $channel);
    } else {
        echo -1;
    }
}
```
`$_POST['channel']` is read and passed straight into getPageInfo(). Let's look at that function:
```php
/**
 * Return page details
 * @param unknown_type $id
 * @param unknown_type $field
 * @return unknown
 */
public function getPageInfo($map, $field = 'id, page_name, domain, canvas, manager, status, guest, seo_title, seo_keywords, seo_description') {
    $data = $this->where($map)->field($field)->find();
    return $data;
}
```
The default value shows that the second parameter is the field list of the query, so addslashes() never comes into play: the value is not placed inside a quoted string.
Let's try it. After logging in, send the following request:
Now let's see which statements MySQL actually executed:
As the figure shows, a large part of the query is controllable: everything after SELECT. Because the injected value never needs to contain the keyword select, the WAF does not trigger.
Many other methods in this file follow the same pattern; I will not list them one by one.
Constructing a blind injection. Look at the code:
```php
$databaseData = D('Page')->getPageInfo($page, $channel);
$result = $this->checkRole($databaseData['manager'], $databaseData);
```
`$databaseData['manager']` is passed into checkRole(). Let's look at it:
```php
private function checkRole($user, $pageInfo) {
    $admin = false;
    $openDiy = false;
    $userModel = model('usergroup');
    $user = explode(',', $user);
    if (in_array($this->mid, $user) || $userModel->isAdmin($this->mid)) {
        $admin = true;
    } else {
        $this->error('You have no management permission!');
    }
    if (isset($_GET['diy']) && $pageInfo['pagetype'] != 'LIST') {
        $openDiy = true;
    }
    $this->assign('opendiy', $openDiy);
    $this->assign('admin', $admin);
    $result['admin'] = $admin;
    $result['opendiy'] = $openDiy;
    return $result;
}
```
If `$this->mid` (your uid) is in `$user`, the check passes; otherwise "You have no management permission!" is displayed.
So whether "You have no management permission!" appears can serve as the oracle for a blind injection.
My `$this->mid` is 2.
> 113: "method not found" is displayed:
> 114: "You have no management permission" is displayed:
Similarly, to extract a user's password, just swap user() for the password field.
Fix:
Stricter filtering
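Since the value lands in the SELECT column list rather than inside a quoted string, escaping cannot fix it; the field list has to be checked against a whitelist of column names. The following is an added example, not ThinkSNS code; the column names come from the default `$field` value above, while the function names and the constructed inputs are assumptions.

```php
<?php
// Added example (not ThinkSNS code): whitelist the $field argument that
// doCopyTemplate() forwards from $_POST['channel'] into getPageInfo().

// Columns getPageInfo() may return, taken from the method's default $field.
const PAGE_INFO_FIELDS = ['id', 'page_name', 'domain', 'canvas', 'manager',
    'status', 'guest', 'seo_title', 'seo_keywords', 'seo_description'];

/**
 * Validate a caller-supplied comma-separated field list.
 * Returns the cleaned list, or null if any entry is not a whitelisted
 * column name. addslashes() would not help here: the value is spliced
 * into the column list, not into a quoted string literal.
 */
function safeFieldList(string $requested, array $allowed = PAGE_INFO_FIELDS): ?string {
    $clean = [];
    foreach (explode(',', $requested) as $name) {
        $name = trim($name);
        if ($name === '') {
            continue;   // tolerate "id,,page_name"
        }
        // Exact, case-sensitive match only. Aliases, function calls such as
        // user(), subqueries and extra clauses all fail this test and the
        // whole request is rejected rather than partially honoured.
        if (!in_array($name, $allowed, true)) {
            return null;
        }
        $clean[] = $name;
    }
    return $clean ? implode(',', $clean) : null;
}

/**
 * Hardened replacement for the call site in doCopyTemplate(): when the
 * client did not send a valid field list, fall back to the full default
 * instead of passing the raw POST value through to ->field().
 */
function pageInfoFields(array $post): string {
    $field = safeFieldList($post['channel'] ?? '');
    return $field ?? implode(',', PAGE_INFO_FIELDS);
}

// Constructed inputs: the first two are accepted, the rest are rejected.
var_dump(safeFieldList('id,page_name'));
var_dump(safeFieldList('id, manager'));
var_dump(safeFieldList('manager,user()'));
var_dump(safeFieldList('id AS x'));
var_dump(pageInfoFields(['channel' => 'id AS x']));
```

The same whitelist should be applied in the other methods of DiyAction.class.php that pass request parameters into getPageInfo().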