Ihipop's school forum, running Discuz X1.5, was hacked, and there was a quarrel about it for an afternoon. Google "discuz! x1-1.5 notify_credit.php Blind SQL injection Exploit" and you'll understand.
Discuz is a popular forum system in China, so a lot of sites must have been hacked. But I'm not interested in breaking into other people's websites, and I despise the so-called "hackers" who don't write code and only use tools that other people release.
A cursory look at the code shows that this SQL injection vulnerability is caused by the urldecode function. In the PHP manual there is a warning below urldecode():
The superglobals $_GET and $_REQUEST are already decoded. Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results.
Yet the Discuz developers (presumably novices) gilded the lily and added a urldecode anyway:
The code is as follows:
    foreach ($_POST as $k => $v) {
        $value = urldecode($v);   // $_POST is already decoded; this second decode is the bug
        $this->setParameter($k, $value);
    }
A single quote urlencoded twice becomes %2527. When that is POSTed, PHP percent-decodes the body once while building the $_POST superglobal, yielding the literal string %27. PHP then checks the magic_quotes_gpc setting, but whether or not magic quotes is on, %27 is never passed through addslashes in any useful way, because at that point there is no single quote to escape. If the PHP code then calls urldecode on the value, %27 turns into a real single quote that no escaping ever touched, and it goes straight into the SQL query. Then... you know.
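To make that sequence concrete, here is an added example (not Discuz code and not from the original post) that models PHP's handling in Python: one percent-decode while building $_POST, an addslashes() pass standing in for magic_quotes_gpc, and then the application's second urldecode() spliced into SQL. The credits table, the uid column and the use of SQLite as the database are assumptions made for the demonstration; the request bodies are constructed.

```python
"""Model of the decode-twice bug: PHP decodes the request body once when it builds
$_POST (and, with magic_quotes_gpc on, runs addslashes() over the result); a second
urldecode() in application code turns %27 back into a raw quote nothing escaped."""
import sqlite3
from urllib.parse import parse_qs, quote, unquote


def addslashes(s: str) -> str:
    """Python model of PHP's addslashes(), which magic_quotes_gpc applied to $_POST."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def php_post(body: str, magic_quotes: bool = True) -> dict:
    """Model how PHP builds $_POST from a form body: exactly one %XX decode
    (parse_qs does the same), then addslashes() if magic_quotes_gpc is on."""
    parsed = parse_qs(body, keep_blank_values=True)
    post = {k: v[0] for k, v in parsed.items()}
    if magic_quotes:
        post = {k: addslashes(v) for k, v in post.items()}
    return post


def build_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the forum's credit records (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE credits (uid TEXT, credits INTEGER)")
    conn.executemany("INSERT INTO credits VALUES (?, ?)",
                     [("alice", 10), ("bob", 20), ("carol", 30)])
    return conn


def vulnerable_query(post: dict) -> str:
    """Discuz-style path: urldecode() the already-decoded value, then splice it into SQL."""
    uid = unquote(post["uid"])  # second decode: %27 -> '
    return f"SELECT uid, credits FROM credits WHERE uid = '{uid}'"


def vulnerable_lookup(conn: sqlite3.Connection, post: dict) -> list:
    return conn.execute(vulnerable_query(post)).fetchall()


def safe_lookup(conn: sqlite3.Connection, post: dict) -> list:
    """Hardened path: no second decode, and the value travels as a bound parameter."""
    return conn.execute("SELECT uid, credits FROM credits WHERE uid = ?",
                        (post["uid"],)).fetchall()


def double_encode(s: str) -> str:
    """What the attacker sends: the payload percent-encoded twice (' -> %27 -> %2527)."""
    return quote(quote(s, safe=""), safe="")


PAYLOAD = "' OR '1'='1"
ATTACK_BODY = "uid=" + double_encode(PAYLOAD)  # constructed request body
NORMAL_BODY = "uid=alice"                        # constructed request body


def demo(magic_quotes: bool = True) -> dict:
    """Run both lookups against the attack body and a normal body; return every stage."""
    conn = build_db()
    attack = php_post(ATTACK_BODY, magic_quotes)
    normal = php_post(NORMAL_BODY, magic_quotes)
    return {
        "post_value": attack["uid"],                       # %27... survives addslashes untouched
        "sql": vulnerable_query(attack),                   # quote is now live in the statement
        "vulnerable_rows": vulnerable_lookup(conn, attack),  # every row: injection succeeded
        "safe_rows": safe_lookup(conn, attack),            # nothing matches the literal string
        "normal_vulnerable": vulnerable_lookup(conn, normal),
        "normal_safe": safe_lookup(conn, normal),
    }


if __name__ == "__main__":
    for stage, value in demo().items():
        print(f"{stage}: {value}")
```

Note that with magic_quotes_gpc on, a single-encoded quote would have been escaped by addslashes and the same payload would fail; the double encoding exists precisely to carry the quote past that step as %27. Removing the second urldecode closes this hole, but the bound parameter in safe_lookup is what actually keeps the value out of the SQL grammar.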
When I was first learning PHP, I read a bad book from the school library that never mentioned that PHP automatically urldecodes form data while processing it, so I used the urldecode function to decode it myself (I vaguely remember the book being written that way; really harmful).
To sum up: 1. choosing a good book is very important; 2. use the urldecode function with caution; 3. pay attention to the warnings in the PHP manual.
Original from http://demon.tw/programming/php-urldecode-sql-injection.html