SQL injection vulnerability. Version: 5.0.x<=ThinkPHP5<=5.1.22 #2613

Closed
cyber-word opened this issue Nov 29, 2021 · 0 comments
This vulnerability exists in the parseOrder method of the Builder class. Because the program did not filter the data well, it directly spliced the data into SQL statements, which eventually led to a SQL injection vulnerability. Version: 5.0.x<=ThinkPHP5<=5.1.22
Taking 5.0.15 as an example; in fact, any version whose parseOrder() method does not filter the passed parameters is affected:
Add the following code to index.php
(screenshot: code added to index.php)
And then our payload looks like this:
?name[name^updatexml(1,concat(0x7,user(),0x7e),1)%23]=1
^ can also be replaced with -,%,/,&...
Let's analyze the formation of vulnerabilities:
In the order method of the Query class, we can see that the data is stored directly in $this->options['order'].

(screenshot: Query::order storing the value in $this->options['order'])
Next, the find method of the Connection class calls the select method of the Builder class to generate the SQL statement.
(screenshot: Connection::find calling Builder::select)
(screenshot: Builder::select calling parseOrder)
The program directly concatenates the string returned by the parseKey method, without any filtering or checking, which is the cause of this SQL injection vulnerability.
(screenshot: Builder::parseOrder / parseKey concatenation)
Finally, error injection is triggered:
(screenshot: database error message containing the injected output)
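To make the mechanism described in the report concrete from the defender's side, here is an added example (not ThinkPHP's own code; the function names `buildOrderUnsafe` and `buildOrderSafe` are hypothetical). The unsafe variant reproduces the pattern the report describes: every key of the order array is concatenated into the ORDER BY clause as-is, so any operator or comment characters in a user-supplied key reach the SQL text. The hardened variant checks each column against a strict identifier pattern and an optional allow-list, restricts the direction to ASC or DESC, and quotes the identifier; anything else is rejected before any SQL is built. The inputs are constructed for the example.

```php
<?php
// Added example, not ThinkPHP's code. Mirrors the unsafe parseOrder pattern
// from the report and shows a hardened version beside it.

// Unsafe: order keys/values are spliced straight into the SQL text.
function buildOrderUnsafe(array $order): string
{
    $parts = [];
    foreach ($order as $key => $val) {
        if (is_numeric($key)) {
            $parts[] = $val;              // bare "column DESC" string
        } else {
            $parts[] = $key . ' ' . $val; // key is user-controlled text
        }
    }
    return 'ORDER BY ' . implode(',', $parts);
}

// Hardened: validate identifier, direction and (optionally) an allow-list.
function buildOrderSafe(array $order, ?array $allowedColumns = null): string
{
    $parts = [];
    foreach ($order as $key => $val) {
        if (is_numeric($key)) {
            // Plain string form: "column" or "column DESC"
            $tokens = preg_split('/\s+/', trim((string) $val));
            if (count($tokens) > 2) {
                throw new InvalidArgumentException("Invalid order spec: $val");
            }
            $column = $tokens[0];
            $dir = $tokens[1] ?? 'ASC';
        } else {
            $column = (string) $key;
            $dir = (string) $val;
        }

        // Identifier: optional table prefix, letters/digits/underscore only.
        $ident = '/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/';
        if (!preg_match($ident, $column)) {
            throw new InvalidArgumentException("Invalid order column: $column");
        }
        if ($allowedColumns !== null && !in_array($column, $allowedColumns, true)) {
            throw new InvalidArgumentException("Order column not permitted: $column");
        }

        $dir = strtoupper($dir);
        if ($dir !== 'ASC' && $dir !== 'DESC') {
            throw new InvalidArgumentException("Invalid order direction: $dir");
        }

        // Backtick-quote each identifier part so it can only be an identifier.
        $parts[] = '`' . str_replace('.', '`.`', $column) . '` ' . $dir;
    }
    return 'ORDER BY ' . implode(', ', $parts);
}

// Constructed inputs: a benign request, and a key that carries SQL operator
// and comment characters in the same shape as the request in the report.
$benign  = ['name' => 'desc'];
$hostile = ['name^(1)#' => '1'];

echo buildOrderUnsafe($benign), "\n";              // ORDER BY name desc
echo buildOrderUnsafe($hostile), "\n";             // operator text reaches SQL
echo buildOrderSafe($benign, ['name', 'id']), "\n"; // ORDER BY `name` DESC
try {
    buildOrderSafe($hostile, ['name', 'id']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";     // rejected before any SQL
}
```

The allow-list is the stronger of the two checks: the identifier regex stops operators and comments from reaching the query, but only the allow-list prevents a caller from ordering by a column the endpoint never meant to expose. For detection, a request whose query-string keys (not just values) contain characters outside `[A-Za-z0-9_.\[\]]` is a useful signal that a parameter name is being used to smuggle SQL, which is exactly the shape of the payload in this report.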
