YouYaX_V5.66 SQL Injection Vulnerability
/Lib/MessageAction.php line 94:

    public function delMesses() {
        $user = $_SESSION['youyax_user'];
        if ($user == "" || $user == null)
            $this->redirect("Index" . C('default_url') . "index" . C('static_url'));
        for ($k = 0; $k < count($_POST['cb']); $k++) {
            // $id comes straight from the request and is never filtered
            $id = $_POST['cb'][$k];
            $result = $this->find(C('db_prefix') . "message", 'string',
                "mto = '" . $_SESSION['youyax_user'] . "' and id = '" . $id . "'");
            if ($result) {
                $this->delete(C('db_prefix') . "message",
                    "mto = '" . $_SESSION['youyax_user'] . "' and id = '" . $id . "'");
            }
        }
        $this->assign('jumpurl', $this->youyax_url . "/Message" . C('default_url') . "show" . C('static_url'))
             ->assign('msgtitle', 'Operation successful')
             ->assign('message', 'Message deleted!')
             ->success();
    }
$id = $_POST['cb'][$k] is passed directly into $this->find() without any filtering; see find() in /ORG/YouYa.php line 356:

    public function find($table, $ext = "string", $param) {
        // if $param contains an "=", it is used verbatim as the WHERE clause
        if (preg_match_all("/=/", $param, $tmp)) {
            $sql = "select * from " . $table . " where " . $param;
        } else {
            // only this branch casts the value to an integer
            $param = "id = " . intval($param);
            $sql = "select * from " . $table . " where " . $param;
        }
        $result = mysql_query($sql);
        // ... rest of the function is not shown on the page
    }
As long as $param contains an "=", it is never passed through intval(). The query result is not echoed anywhere, so this spot can only be exploited as a time-based (blind) injection, the same way as in "YouYaX_V5.47 SQL Injection Vulnerability (official website)" (http://www.bkjia.com/Article/201407/320189.html).

As a minor extra, there is also a local file inclusion in /ORG/YouYa.php line 107:

    private function deal($tp) {
        if (isset($_COOKIE['youyax_lang'])) {
            // the cookie value is used as a path component without any check
            $this->lang = require("lang/" . $_COOKIE['youyax_lang'] . "/lang.php"); // not safe
            $this->array_array['lang'] = $this->lang;
        }
    }
When the current MySQL user has the FILE privilege but cannot write to the web directory, the injection can be used to write a lang.php to /tmp, after which setting the cookie youyax_lang to ../../../tmp makes the include above load that shell.

Proof of concept request:

    POST http://bbs.youyax.com/Message-delMesses.aspx HTTP/1.1
    Host: bbs.youyax.com

    dropdown=del&cb[]=1'

The MySQL error message is visible in the response. The specific injection method is the same as in "YouYaX_V5.47 SQL Injection Vulnerability (the official website is affected as well)", http://www.bkjia.com/Article/201407/320189.html; sqlmap is not used for the demonstration.
Solution: don't overlook it.
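As an added example (not YouYaX code), the same delete flow written so the message id can never reach the SQL text: each cb[] value is checked to be a plain decimal integer and then bound as a parameter. It assumes a mysqli connection and a table named yy_message; both are placeholders for the real connection and C('db_prefix') . "message".

```php
<?php
// Added example, not part of YouYaX. Assumes a mysqli connection $db and a
// message table named yy_message (hypothetical name; the real one is
// C('db_prefix') . "message").

// Shape of the vulnerable WHERE clause from delMesses(), for comparison only:
// a single quote in $id closes the string literal and corrupts the query,
// which is exactly what produces the visible MySQL error in the PoC.
function build_vulnerable_where(string $user, string $id): string {
    return "mto = '" . $user . "' and id = '" . $id . "'";
}

// Hardened version: reject anything that is not a positive integer, then use
// a prepared statement so user and id travel as bound values, not SQL text.
function delete_user_messages(mysqli $db, string $user, array $ids): int {
    $stmt = $db->prepare("DELETE FROM yy_message WHERE mto = ? AND id = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $deleted = 0;
    foreach ($ids as $raw) {
        // "1'" or "1 or 1=1" fail this check and are skipped
        if (!is_int($raw) && !is_string($raw)) {
            continue;
        }
        if (!preg_match('/^[1-9][0-9]*$/', (string)$raw)) {
            continue;
        }
        $id = (int)$raw;
        $stmt->bind_param("si", $user, $id);
        $stmt->execute();
        $deleted += $stmt->affected_rows;
    }
    $stmt->close();
    return $deleted;
}

// Shows how the original clause breaks with the PoC payload "1'".
echo build_vulnerable_where("alice", "1'") . "\n";
```

The same integer check should also be applied inside find() itself, since its "=" branch currently trusts whatever string it is given.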