Ihipop's school forum, running Discuz X1.5, was hacked, and the argument over it went on for a whole afternoon. Google "discuz! x1-1.5 notify_credit.php blind SQL injection exploit" and you will see.
Discuz is a very popular forum system in China, so there are probably a lot of hacked sites out there. But I have no interest in breaking into other people's websites, and I despise the so-called "hackers" who cannot write code and can only attack with tools that other people release.
A quick look at the code shows that this SQL injection vulnerability is caused by the urldecode function. In the PHP manual there is a warning under urldecode():
The superglobals $_GET and $_REQUEST are already decoded. Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results.
And yet Discuz's developers (novices, presumably) added a urldecode anyway. The code is as follows:
foreach ($_POST as $k => $v) {
    // $v has already been percent-decoded once by PHP; this decodes it a second time
    $value = urldecode($v);
    $this->setParameter($k, $value);
}
A single quote that has been urlencoded twice becomes %2527. When that is POSTed, PHP urldecodes it once while building the global $_POST array, giving %27. PHP then checks the magic quotes setting, but whether magic quotes is on or off, %27 is never passed through addslashes, because at this point there is no single quote in it at all. But if the PHP code then calls urldecode again, %27 becomes a single quote, and then... you know.
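To make that decoding chain concrete, here is an added Python model of it (not code from this post or from Discuz): what PHP does to one POST field (one percent-decode when building $_POST, then addslashes() if magic_quotes_gpc is on), followed by the application's extra urldecode(). The magic-quotes step is simplified to addslashes() on the value, and the function names are assumptions for the demonstration.

```python
from urllib.parse import quote, unquote


def php_addslashes(s: str) -> str:
    """Model of PHP addslashes(): backslash-escape ' " \\ and NUL."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def php_post_value(raw: str, magic_quotes: bool) -> str:
    """What PHP itself stores in $_POST for one raw form field:
    exactly one percent-decode, then addslashes() if magic quotes is on."""
    value = unquote(raw)
    return php_addslashes(value) if magic_quotes else value


def vulnerable_setparameter(raw: str, magic_quotes: bool) -> str:
    """The Discuz pattern: urldecode() applied again to the $_POST value."""
    return unquote(php_post_value(raw, magic_quotes))


def fixed_setparameter(raw: str, magic_quotes: bool) -> str:
    """Use the $_POST value as PHP already decoded it; no second decode."""
    return php_post_value(raw, magic_quotes)


def contains_unescaped_quote(s: str) -> bool:
    """Simplified check: a single quote not preceded by a backslash would
    terminate a string literal in a query built by concatenation."""
    return any(ch == "'" and (i == 0 or s[i - 1] != "\\")
               for i, ch in enumerate(s))


# Constructed inputs: a single quote encoded once (%27) and twice (%2527).
SINGLE_ENCODED = quote("'")
DOUBLE_ENCODED = quote(quote("'"))
```

With magic quotes on, the once-encoded quote is escaped to \' by PHP, but the twice-encoded one reaches the query as a bare quote only through the second urldecode(); the fixed variant leaves it as the harmless text %27.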
When I was a PHP beginner, I read a terrible book from the school library which never mentioned that PHP automatically urldecodes form data while processing it, so it used the urldecode function to decode the values itself (I vaguely remember the book being written that way; it really does harm people).
To sum up: 1. choosing a good book is very important; 2. use the urldecode function with care; 3. pay attention to the warnings in the PHP manual.
Original from http://demon.tw/programming/php-urldecode-sql-injection.html