This vulnerability exists in the parseOrder method of the Builder class. Because the program does not filter the data properly, it splices it directly into the SQL statement, which leads to a SQL injection vulnerability. Affected versions: 5.0.x<=ThinkPHP5<=5.1.22
Taking 5.0.15 as an example; in fact, any version whose parseOrder() method does not filter the passed parameters is affected:
Add the following code to index.php:
Then the payload looks like this:
?name[name^updatexml(1,concat(0x7,user(),0x7e),1)%23]=1
^ can also be replaced with -, %, /, &, ...
Let's analyze how the vulnerability arises:
In the order method of the Query class, we can see that the data is stored directly in $this->options['order'].
Next, the find method of the Connection class calls the select method of the Builder class to generate the SQL statement.
The program concatenates the string directly via the parseKey method and returns it, without any filtering or checking; this is the cause of the SQL injection vulnerability.
Finally, error-based injection is triggered:
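To make the root cause concrete from the fix side, here is an added example (not ThinkPHP's own code, and the function names `isSafeIdentifier`, `quoteIdentifier` and `buildOrderBy` are hypothetical) of how an ORDER BY builder can validate the user-controlled field array before anything is concatenated into SQL. The field name must match a strict identifier pattern and sit on a caller-supplied allowlist, and the direction must be ASC or DESC; the key shape used in the report above is rejected at the identifier check. The inputs at the bottom are constructed for the demonstration.

```php
<?php
// Added example (not ThinkPHP's own code): a hardened ORDER BY builder.
// Function names are hypothetical; ThinkPHP's real parseOrder/parseKey differ.

declare(strict_types=1);

/**
 * Accept only a plain column identifier with an optional "table." prefix.
 * Operators, parentheses, quotes and comment markers never match.
 */
function isSafeIdentifier(string $key): bool
{
    return (bool) preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/', $key);
}

/**
 * Backtick-quote an already-validated identifier (the job a parseKey-style
 * helper is supposed to do, but only after validation).
 */
function quoteIdentifier(string $key): string
{
    return '`' . str_replace('.', '`.`', $key) . '`';
}

/**
 * Build the ORDER BY clause from a user-controlled array such as the
 * $_GET['name'] array in the report. Keys must be identifiers on the
 * allowlist and values must be ASC or DESC; anything else throws.
 *
 * @param array<string,mixed> $order   user-supplied field => direction
 * @param string[]            $allowed columns the caller permits sorting on
 */
function buildOrderBy(array $order, array $allowed): string
{
    $parts = [];
    foreach ($order as $field => $direction) {
        $field = (string) $field;
        if (!isSafeIdentifier($field) || !in_array($field, $allowed, true)) {
            throw new InvalidArgumentException("Refusing to sort on field: {$field}");
        }
        $direction = strtoupper(trim((string) $direction));
        if ($direction !== 'ASC' && $direction !== 'DESC') {
            throw new InvalidArgumentException("Bad sort direction for {$field}");
        }
        $parts[] = quoteIdentifier($field) . ' ' . $direction;
    }
    return $parts === [] ? '' : ' ORDER BY ' . implode(',', $parts);
}

// Constructed inputs for the demonstration.
$allowed = ['id', 'name', 'created_at'];

// A legitimate request, e.g. ?name[name]=desc
echo buildOrderBy(['name' => 'desc'], $allowed), PHP_EOL;

// The key shape from the report (an expression appended to the column name):
// rejected by isSafeIdentifier before any SQL string is assembled.
try {
    buildOrderBy(['name^updatexml(1,concat(0x7,user(),0x7e),1)#' => 1], $allowed);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

The allowlist is the important part: a regex alone stops the concatenation shown in the report, but it still lets a client sort on any column it can name, so the caller should pass only the columns it actually intends to expose.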