PHPMyWind design defect: filter bypass leading to SQL injection (with restrictions)
Let me say up front that, despite the title, this is really a global variable overwrite; it requires register_globals = On.
/include/common.inc.php:

    foreach (array('_GET', '_POST') as $_request) {
        foreach ($$_request as $_k => $_v) {
            // Reject variable names that would overwrite the superglobals.
            if (strlen($_k) > 0 && preg_match('#^(GLOBALS|_GET|_POST|_SESSION|_COOKIE)#', $_k)) {
                exit('Request variable name not allowed!');
            }
            ${$_k} = _RunMagicQuotes($_v);
        }
    }
Anyone familiar with this pattern will recognise it: the regex matches GLOBALS so that a submitted GLOBALS variable cannot overwrite existing variables, but the loop only walks $_GET and $_POST. Values submitted through $_COOKIE are therefore never passed through _RunMagicQuotes.
There can be many injection points. For example, phpmywind/product.php:

    <?php
    if (!empty($keyword)) {
        $keyword = htmlspecialchars($keyword);
        $sql = "SELECT * FROM `dede_infoimg` WHERE (classid=$cid OR parentstr LIKE '%,$cid,%') AND title LIKE '%$keyword%' AND delstate='' AND checkinfo=true ORDER BY orderid DESC"; // the SQL is concatenated here
    } else {
        $sql = "SELECT * FROM `dede_infoimg` WHERE (classid=$cid OR parentstr LIKE '%,$cid,%') AND delstate='' AND checkinfo=true ORDER BY orderid DESC";
    }
    $dopage->GetPage($sql, 9);
    while ($row = $dosql->GetArray()) {
        if ($row['picurl'] != '') $picurl = $row['picurl'];
        else $picurl = 'templates/default/images/nofoundpic.gif';
        // $cfg_isreurl: variable name reconstructed from the garbled listing
        if ($row['linkurl'] == '' and $cfg_isreurl != 'Y') $gourl = 'productshow.php?cid=' . $row['classid'] . '&id=' . $row['id'];
        else if ($cfg_isreurl == 'Y') $gourl = ''; // rewritten-URL expression is elided in the original listing
        else $gourl = $row['linkurl'];
    ?>
    <!-- the loop body continues in the HTML template -->
Here we add a cookie named GLOBALS[keyword]:
Printing $keyword:
The filter is bypassed and the single quote (') arrives unescaped; htmlspecialchars() with its default flags does not touch single quotes, so it is spliced straight into the query.
Payload:
Solution:
Check $_COOKIE in the global filter function as well, i.e. include '_COOKIE' in the array that common.inc.php iterates so cookie variables are both name-checked and passed through _RunMagicQuotes.
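As an added example (not PHPMyWind's own code), this is the corrected filter with $_COOKIE included; it assumes the same _RunMagicQuotes() helper as common.inc.php and defines a minimal stand-in so the file runs by itself, and it returns the filtered variables as an array rather than relying on register_globals.

```php
<?php
// Added example: request-variable filter that covers $_COOKIE as well as
// $_GET and $_POST, so a cookie named GLOBALS[keyword] is rejected instead
// of silently becoming an unescaped $keyword.

if (!function_exists('_RunMagicQuotes')) {
    // Stand-in for common.inc.php's helper: escape quotes, recursing into arrays.
    function _RunMagicQuotes($value) {
        if (is_array($value)) {
            return array_map('_RunMagicQuotes', $value);
        }
        return addslashes($value);
    }
}

// Returns the sanitised variables instead of writing them into the global
// scope, so the result does not depend on register_globals.
function filterRequestVars(array $get, array $post, array $cookie) {
    $vars = array();
    // Every source register_globals would import is walked, cookies included.
    foreach (array($get, $post, $cookie) as $source) {
        foreach ($source as $k => $v) {
            if (strlen($k) > 0 && preg_match('#^(GLOBALS|_GET|_POST|_SESSION|_COOKIE)#i', $k)) {
                throw new RuntimeException('Request variable name not allowed: ' . $k);
            }
            $vars[$k] = _RunMagicQuotes($v);
        }
    }
    return $vars;
}

// Constructed inputs: a normal GET parameter plus the cookie from the write-up.
$get    = array('cid' => '3');
$post   = array();
$cookie = array('GLOBALS' => array('keyword' => "it's"));

try {
    $vars = filterRequestVars($get, $post, $cookie);
    echo 'accepted: ', implode(', ', array_keys($vars)), "\n";
} catch (RuntimeException $e) {
    // With the cookie above this branch runs: the GLOBALS key is refused.
    echo $e->getMessage(), "\n";
}

// A plain cookie named keyword is accepted but escaped before use.
$vars = filterRequestVars($get, $post, array('keyword' => "it's"));
echo $vars['keyword'], "\n"; // it\'s
```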