Ucenter Home SQL Injection Vulnerability Analysis (GPC = OFF required)

SQL Injection 1:
Vulnerability in file \ source \ cp_profile.php
 
$ Value ){
If ($ value ['formtype '] = 'select') $ value ['maxsize'] = 255;
$ Setarr ['field _ '. $ field] = getstr ($ _ POST ['field _'. $ field], $ value ['maxsize'], 1, 1 );
If ($ value ['requestred'] & empty ($ setarr ['field _ '. $ field]) {
Showmessage ('field _ required', '', 1, array ($ value ['title']);
}
}

Updatetable ('space', $ setarr, array ('uid' => $ _ SGLOBAL ['supe _ uid']);

// Privacy
$ Inserts = array ();
Foreach ($ _ POST ['friend'] as $ key => $ value ){
$ Value = intval ($ value );
$ Inserts [] = "('base', '$ key',' $ space [uid] ',' $ value')"; // What is this? The key has not been filtered out for 11 years and has not been fixed yet.
}
If ($ inserts ){
$ _ SGLOBAL ['db']-> query ("delete from ". tname ('spaceinfo '). "WHERE uid = '$ space [uid]' AND type = 'base '");
$ _ SGLOBAL ['db']-> query ("insert into". tname ('spaceinfo'). "(type, subtype, uid, friend)
VALUES ". implode (',', $ inserts); // The value is not interpreted...
}
SQL Injection 2:
 
Read it all,In addition to the cold meal above, there is anotherKEYNot processed either.,Cause Injection:
Vulnerability file \ source \ cp_privacy.php
 
$ Value ){
$ Space ['privacy '] ['filter _ icon'] [$ key] = 1;
}
// User group settings
$ Space ['privacy '] ['filter _ gid'] = array ();
Foreach ($ _ POST ['privacy '] ['filter _ gid'] as $ key => $ value ){
$ Space ['privacy '] ['filter _ gid'] [$ key] = intval ($ value );
}

// Filter notifications
$ Space ['privacy '] ['filter _ note'] = array ();
Foreach ($ _ POST ['privacy '] ['filter _ note'] as $ key => $ value) {// The key is converted to $ space ['privacy '] ['filter _ note'] [$ key].
$ Space ['privacy '] ['filter _ note'] [$ key] = 1;
}

Privacy_update ();
 
// Update the friend Cache
Friend_cache ($ _ SGLOBAL ['supe _ uid']);
 
Showmessage ('Do _ success ', 'cp. php? Ac = privacy & op = view ');
}
 
If ($ _ GET ['op'] = 'view '){
// Friend group

$ Groups = getfriendgroup ();
// Shield
$ Filter_icons = empty ($ space ['privacy '] ['filter _ icon'])? Array (): $ space ['privacy '] ['filter _ icon']; // assign a value to $ filter_icons
$ Filter_note = empty ($ space ['privacy '] ['filter _ note'])? Array (): $ space ['privacy '] ['filter _ note'];
$ Iconnames = $ appids = $ icons = $ uids = $ users = array ();
 
... Omitted .......

 
Foreach ($ filter_icons as $ key => $ value ){
 
List ($ icon, $ uid) = explode ('|', $ key); // use | the key is assigned to $ uid without any filtering.
 
$ Icons [$ key] = $ icon;
 
$ Uids [$ key] = $ uid; // $ uids is not filtered either.
 
If (is_numeric ($ icon )){
 
$ Appids [$ key] = $ icon;
 
}
}
 
If ($ uids ){
$ Query = $ _ SGLOBAL ['db']-> query ("SELECT uid, username FROM ". tname ('space '). "WHERE uid IN (". simplode ($ uids ). ")"); // yes. no.
$ _ SGLOBAL ['db']-> fetch_array ($ query );
While ($ value = $ _ SGLOBAL ['db']-> fetch_array ($ query )){
$ Users [$ value ['uid'] = $ value ['username'];
}
}
// Obtain the application name
If ($ appids ){
$ Query = $ _ SGLOBAL ['db']-> query ("SELECT appid, appname FROM ". tname ('myapp '). "WHERE appid IN (". simplode ($ appids ). ")");
While ($ value = $ _ SGLOBAL ['db']-> fetch_array ($ query )){
$ Iconnames [$ value ['appid '] = $ value ['appname'];
}
}

$ Cat_actives = array ('view' => 'class = "active "');
 
}
 
Let's look at the simplode function ~
Function simplode ($ ids ){
Return "'". implode ("','", $ ids ). "'"; // although there are single quotes, the program does not filter the previous KEY value of post, so it can be shot when GPC is OFF.
}

Test diagram:
 

 
Note that you must log on and findFormhash,After login, you can find the source code