Thinkphp 5.1.24: design flaw in the delete function, suggest changing it #858

Closed
ghost opened this issue Sep 26, 2018 · 12 comments

Comments

ghost commented Sep 26, 2018

The analysis is of version 5.1.24. For example, take a delete scenario; the simplified code is as follows.
[image: the simplified delete code]

When deleting, if a parameter value inside where is controllable, this may lead to SQL injection. See the document below for the detailed analysis.
Thinkphp 5.1.24 可能导致注入分析.docx

Aoiujz (Collaborator) commented Sep 26, 2018

You are clearly using it wrong. Who told you that where concatenates query conditions like that?

Aoiujz (Collaborator) commented Sep 26, 2018

Write it as ->where('nickname', $nickname) and let me see you inject that?

liu21st (Member) commented Sep 27, 2018

The manual clearly states: if you use a string query condition, please use manual parameter binding.

liu21st closed this as completed Sep 27, 2018
potats0 commented Sep 27, 2018

lol, this guy used this hole to scam a CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17566

wachman commented Sep 28, 2018

I feel the above is mainly based on $field not being controllable. From the code comments, $field is the query field. In some scenarios, where values are matched through several fields, it may be possible for $field to become controllable, and then there could be a problem. For example, see below. It still depends on the scenario.
    public function hello()
    {
        // Payload used for the test (commented out; the field name carries the injection):
        // $key = " age = 20) or (select sleep(if('' = :aa,10,5))) ;# ";
        // $value = 'aa';
        $key   = input('key');    // column name taken from the request
        $value = input('value');  // value taken from the request
        $ids   = ['id', 'password', 'birthday', 'place'];  // columns that must not be used
        if (in_array($key, $ids)) {
            echo 'failed';
        } else {
            $retult = Db::table("user")->where($key, $value)->delete();
        }
    }
What the above executes is DELETE FROM user WHERE ( age = 20) or (select sleep(if('' = '',10,5)));#), so it depends on the situation; it is just not that universal. If $field is used as a column name, a check could perhaps be added in where, the way some operations check whether a table name exists.
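As an added illustration of the two points raised in this thread, liu21st's reminder that string conditions need manual parameter binding and wachman's concern about a request-controlled column name, the following is example code written for this page, not code from the thread or from ThinkPHP itself. It assumes a ThinkPHP 5.1 application with `think\Db` available and the `where()`, `bind()` and `delete()` signatures as I recall them from the 5.1 Query API (verify against your installed version); the `user` table and column names are placeholders.

```php
<?php
// Added example: defensive use of the ThinkPHP 5.1 query builder for a delete.
// Assumes a ThinkPHP 5.1 app; `user` and the column names are placeholders.
use think\Db;

// The pattern the maintainers call misuse: the value is spliced into the
// condition string, so the builder cannot tell the data from the SQL around it.
function deleteByNicknameUnsafe(string $nickname): int
{
    return Db::table('user')->where("nickname = '" . $nickname . "'")->delete();
}

// Field/value form (Aoiujz's suggestion): the builder binds the value itself.
function deleteByNickname(string $nickname): int
{
    return Db::table('user')->where('nickname', $nickname)->delete();
}

// String condition with manual binding (the manual's rule that liu21st cites).
// bind() with an array merges named parameters into the query, as I recall
// from the 5.1 Query API; this is an assumption to check against your version.
function deleteByNicknameBound(string $nickname): int
{
    return Db::table('user')
        ->where('nickname = :nickname')
        ->bind(['nickname' => $nickname])
        ->delete();
}

// wachman's scenario: the column name itself comes from the request. A column
// name cannot be bound as a parameter, so it is checked against a fixed
// allowlist (not a denylist) before it reaches where(); the value is still
// passed separately so the builder binds it.
const DELETABLE_COLUMNS = ['nickname', 'email'];

function deleteByColumn(string $column, string $value): int
{
    if (!in_array($column, DELETABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('column not allowed: ' . $column);
    }
    return Db::table('user')->where($column, $value)->delete();
}
```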

liu21st (Member) commented Sep 28, 2018

@wachman this cannot succeed: a non-standard field cannot be used as the query field. Besides, if a developer can write code like this, then even without a framework vulnerability the business logic probably already has a pile of them.

5up3rc commented Sep 29, 2018

Live long enough and you see everything. Even this gets a CVE.

Balis0ng commented

Scamming a CVE with a fake hole is the cheekiest move of all. Bro, are you really that desperate? (tongue in cheek)

Lucifaer commented

This is the hardest a CVE has ever been trolled; I am honestly at a loss for words.

yindex commented Sep 29, 2018

Judging by registration time, comment time, typing habits (retult) and so on, @wachman you are the one who opened the issue and applied for the CVE, right?
Why did you deactivate your old GitHub account?

perhaps542 commented

lol, this actually got a CVE.

top-think locked this as off-topic and limited conversation to collaborators Sep 29, 2018
kinosang (Member) commented Sep 29, 2018

This issue is locked because the discussion has gone off topic. To continue discussing the "delete function design flaw" question, please open a new issue.
