phpyun SQL injection-vulnerability warning-the black bar safety net

2014-02-08T00:00:00
ID MYHACK58:62201442256
Type myhack58
Reporter 佚名
Modified 2014-02-08T00:00:00

Description

In/model/qqconnect. class. php file:

function cert_action(){

$id=$_GET['id'];

$arr=@explode("|",base64_decode($id));

if($id && is_array($arr) && $arr[0] && $arr[2]==$this->config['coding']){

$row=$this->obj->DB_select_once("company_cert","uid='".$ arr[0]."' and check2='".$ arr[1]."'");

if(is_array($row)){

if($row[status]!= 1){

$value.="cert=concat(cert,',1'),";

}

$id=$this->obj->DB_update_all("company_cert","status='1'","uid='".$ arr[0]."' and check2='".$ arr[1]."'");

if($_GET['type']=="3"){

$value.="email='".$ row['check']."'";

$id?$ this->obj->DB_update_all("lt_info",$value,"uid='".$ arr[0]."' "):"";

}else{

$value.="linkmail='".$ row['check']."'";

$id?$ this->obj->DB_update_all (the"company",$value,"uid='".$ arr[0]."' "):"";

}

$id?$ this->obj->ACT_msg($this->config['sy_weburl']."/ member","authentication success"):$this->obj->ACT_msg($this->config['sy_weburl'],"authentication failed, contact administrator authentication");

}else{

$this->obj->ACT_msg($this->config['sy_weburl'],"authentication failed, please check the antecedents","2");

}

}else{

$this->obj->ACT_msg($this->config['sy_weburl'],"illegal operation!"," 2");

}

}

The code from$_GET to obtain the id parameters, and then base64 decoded according to|separator, wherein the first 0 element and the 1 element into the SQL query, but before a judgment:

if($id && is_array($arr) && $arr[0] && $arr[2]==$this->config['coding']){

Here$this->config['coding']the default is null, when we only submitted two elements of an array,$arr[2]is also null, so$arr[2]==$this->config['coding'], the condition is satisfied to enter judgment so that the injection occurs:

if($id && is_array($arr) && $arr[0] && $arr[2]==$this->config['coding']){

$row=$this->obj->DB_select_once("company_cert","uid='".$ arr[0]."' and check2='".$ arr[1]."'");

DB_select_once:

function DB_select_once($tablename, $where = 1, $select = "*") {

$cachename=$tablename.$ where;

if(!$ return=$this->Memcache_set($cachename)){

$SQL = "SELECT ".$ select." FROM " . $this->def . $tablename . "WHERE ".$ where." limit 1";

$query = $this->db->query($SQL);

$return=$this->db->fetch_array($query);

$this->Memcache_set($cachename,$return);

}

return $return;

}

[1] [2] next