A brief analysis of the latest SQL injection vulnerability in PHP framework Laravel

Laravel, the well-known PHP development framework, previously reported a high-risk SQL injection vulnerability on the official blog. Here is a brief analysis.

First of all, this vulnerability belongs to the irregular coding of the website. The official gave a hint:

But the official still did it It has been patched and can be fixed by upgrading to the latest version V5.8.7.

Let’s first locate here:

Illuminate\Validation\Rule

The officially recommended writing method is:

Rule::unique('users')->ignore($id),

If the website coding does not process the value of $id in advance, the user can pass it directly Giving malicious data to the ignore function will cause SQL injection.

Let’s follow the function:

\Illuminate\Validation\Rules\Unique.php class Unique {
... public function ignore($id, $idColumn = null) { if ($id instanceof Model) { return $this->ignoreModel($id, $idColumn);
        } $this->ignore = $id; $this->idColumn = $idColumn ?? 'id'; return $this;
    }

Here we do not consider writing $id as an instance. If $id is user-controllable, $idColumn can be written directly as empty, and finally assigned The situation is as follows:

$this->ignore = $id; $this->idColumn = 'id';

If the website code is structured like this, the value entered by the hacker is controllable:

$id = $request->input('id');

Finally we will get here:

Illuminate\Validation\Rules\Unique.php public function __toString() {
        ...
        ...
    }

We Take a look at the key code changes:

Illuminate\Validation\Rules\Unique.php
V5.8.7【最新版】 public function __toString() { $this->ignore ? '"'.addslashes($this->ignore).'"' : 'NULL',
    } 
Illuminate\Validation\Rules\Unique.php
V5.8.4 public function __toString() { $this->ignore ? '"'.$this->ignore.'"' : 'NULL',
    }

The latest code here is v5.8.7, which directly gives $this->ignore to addslashes. There was no protection here before.

What’s interesting is that the author compared the diffs, during which the official also tried to filter other quoted places. Finally, unified filtering was performed at __toString.

Finally, the following code will enter DatabaseRule for subsequent SQL rule matching.

Illuminate\Validation\Rules\DatabaseRule.php

There was no further processing after this, and then SQL injection was formed.

For more Laravel related technical articles, please visit the Laravel Framework Getting Started Tutorial column to learn!

The above is the detailed content of A brief analysis of the latest SQL injection vulnerability in PHP framework Laravel. For more information, please follow other related articles on the PHP Chinese website!