Replacement of php Strings

Source: phpevals BLOG
Author: phpeval

Filtering and replacement are of course good. Recently, I helped my sister buy a Korean dish. Searching for half a day. I found a station that is said to be capable of selling Korean things. I am going to buy it. But it was too early (in the morning) and they didn't seem to have gotten up yet. QQ did not respond. So I want to test the security of their website. I checked the website. Ecshop2.1.5 is used. Now it seems that all of them have reached 2.6. GOOGLE 2.1.5 does not seem to have published any vulnerabilities. The next one is coming back.
It is interesting to see a place:
About 130 lines of comment. php have a UDF.

Function add_comment ($ cmt) {/* comment whether review is required */$ status = 1-$ GLOBALS [_ CFG] [comment_check]; /* Save the comment */$ SQL = "INSERT ". $ GLOBALS [ecs]-> table (comment ). "". "(comment_type, id_value, email, user_name, content, comment_rank, add_time, ip_address, status, parent_id ". ") VALUES (". "". $ cmt-> type. ",". $ cmt-> id. ",". $ cmt-> email. ",". $ cmt-> username. ",". "". str_replace (\\,\, $ cmt-> content ). ",". $ cmt-> rank. ",". time (). ",". real_ip (). ", $ status, 0)"; clear_cache_files (comments_list.lbi); return $ GLOBALS [db]-> query ($ SQL );}

This is the main thing.

Str_replace (\\,\, $ cmt-> content) // (by: phpeval)

As a result, \ is replaced with \ to construct an appropriate statement. You can inject it.

Submit \ enter the program and then change \\
What function does it pass through. It will become \
Then they are replaced. It becomes \

Test method: Send a post to capture a package. Then comment on the location. Add one.
You will see an error.

However, the target website database is mysql 4.0.24. No way to subquery. You can only win him by another means. The version 2.6.1 of ecshop is released. It seems that this is not the case.