Shulou(Shulou.com)06/01 Report--

This article mainly introduces "SQL injection vulnerability analysis of ThinkPHP5.1.x". In daily operation, I believe that many people have doubts about ThinkPHP5.1.x SQL injection vulnerability analysis. The editor consulted all kinds of data and sorted out simple and easy-to-use operation methods. I hope it will be helpful to answer the doubts of "ThinkPHP5.1.x SQL injection vulnerability analysis". Next, please follow the editor to study!

Background introduction 1.1 vulnerability description

There is a SQL injection vulnerability in previous versions of ThinkPHP5.1.23 due to improper filtering of the key value of the processing array when the program processes parameters after order by. If the parameter is controllable by the user, and when the passed data is an array, it will lead to a vulnerability.

1.2 affected system version

ThinkPHP

< 5.1.23 1.3 漏洞编号 CVE-2018-16385 二、环境搭建 1.下载安装thinkphp5.1.x 对于thinkphp5.1.x完整版，目前官方没有直接下载的链接。Github上只是放出核心版。该版本需要以Composer或Git方式进行安装。 这里以Composer安装方式说明。 在 Linux 和 Mac OS X 中可以运行如下命令： curl -sS https://getcomposer.org/installer | phpmv composer.phar/usr/local/bin/composer 在 Windows 中，你需要下载并运行 Composer-Setup.exe 。 安装好之后，切换路径到WEB目录下运行： composercreate-project topthink/think=5.1.1 tp5.1 --prefer-dist 然后会生成一个名为tp5.1的文件夹。到此think5.1.1下载成功。 2.然后在浏览器中访问

If this page appears, it proves that the installation was successful.

3.Demo example

Write the Demo file, name it Test.php, and put it in the / tp5.1/application/index/controller/ directory.

4. Database

To match the Demo file, you need to create a user table and then set a field (id).

Third, details of the loophole

In the function of / thinkphp/library/think/db/Builder.php parseOrder ():

Pass in the contents of the order parameter through Demo, and when the $order passed in is an array, the foreach function divides the $order array into key and value forms.

According to the vulnerability repair patch, you know that the vulnerability occurs in the parseOrderField () function.

When $val is an array, it enters the parseOrderField () function.

Trace the parseOrderField () function

The getOptions () function acquires the parameters to be queried, the getFieldsBind () function obtains the data table binding information, and the foreach loop handles the value of $val. in fact, it is not the point here, just mention it. It doesn't matter what the value of $vale is, because the injection point is on $key, and $val is spliced after $key, and you can comment out $val in the construction of $key plus #.

The focus is on the parseKey () function, which tracks the parseKey () function.

Here, multiple judgments and processing are performed on the incoming $key.

1. Is_numeric judges that if it is a number, it returns, and if not, it continues to execute downwards.

two。 Determine whether $key belongs to the Expression class.

3. Strpos ($key,'- >') & & false = strpos ($key,'(').

4. ('*'! = $key & & ($strict | |! preg_match ('/ [,\'\ "\ *\ (\) `.\ s] /', $key).

Because $key is our sql injection statement, 1.2.3 is definitely not satisfied, while 4 is satisfied.

So at this time, $key will add an `sign on the left and right sides.

$table does not exist and will not be modified to $key, so $key is returned after adding the `sign, and then concatenated with the $val and field strings, and then return is assigned to the array variable. Then, array and order by strings are concatenated to form an order by query statement. Finally, the system calls the query () function to query the database, triggering the vulnerability.

To highlight, because of the field function, there are two key points for vulnerability exploitation:

First of all, explain the field () function: the field () function in MySQL is used to sort the query result sets in SQL in a specified order. Commonly used with order by.

Key 1:

The field () function must specify two fields greater than or equal to to work properly, otherwise an error will be reported.

When there is only one field in the table, we can specify a parameter of a number or string at will.

Key 2:

When the parameter in field is not a string or number, the specified parameter must be the correct table field, otherwise the program will report an error. Here, because the program will add ``restrictions in the first field, you must specify the correct field name. The second field has no restrictions, and you can specify a string or number.

So, to exploit this vulnerability, first we need to know at least one field name in the table, and second, we pass two fields into the field () function. The second field does not need to know the field name, just bypass it with a number or string.

Payload construction

According to the above analysis, the construction of payload needs to meet the following conditions:

1. The $order passed in needs to be an array.

2.$val must also be an array.

3. Know at least one field name in the database table and pass in two parameters.

4. Close.

The final Payload is constructed as follows:

Http://127.0.0.1/tp5.1/public/index/test/index?order[id`,111)|updatexml(1,concat(0x3a,user()),1)%23][]=1

Or

Http://127.0.0.1/tp5.1/public/index/test/index?order[id`,'aaa')| updatexml (1) concat (0x3a) user (), 1)% 23] [] = 1

Fourth, dynamic debugging analysis

Sometimes it is difficult to know what certain functions have done just by static analysis, and it is difficult to understand thoroughly the running process of the program. Using dynamic analysis, step-by-step debug, it is easy to understand.

Here we use the payload constructed above for debug.

First of all, the breakpoint:

$val is an array that goes into the parseOrderField () function. F7 next step (what I'm using here is phpstorm,F7, which means step debugging).

After the foreach loop, you can see that only $val is processed and $key is not involved (our focus is on $key). The value of $val is based on $key with a prefix of: data__ followed by a 0.

Continue to F7 and enter the parseKey () function.

Here, you see that $key satisfies the if condition, and then adds a `sign on both sides.

The last returned $key. In fact, it is a sign added on both sides.

Finally, the value returned to the array variable is the concatenation of the file string and $key and $val.

Continue with F7 and see how the program goes next.

Carried out limit analysis, union analysis and other analysis processing, and finally came to the removeoption () function.

You can see the $sql here, which can already trigger the injection vulnerability.

Then go through the middle of several processes, compared with the above figure, did not change the content of the sql statement. Finally, the sql statement goes into the query () function and executes the SQL statement, which successfully triggers the injection vulnerability.

Fixes suggested official patches

At present, the official patch has been updated, please upgrade to the ThinkPHP5.1.24 version as soon as possible.

Manual repair

Modify the code according to the official plan.

Https://github.com/top-think/framework/commit/f0f9fc71b8b3716bd2abdf9518bcdf1897bb776

At this point, the study on "SQL injection vulnerability Analysis of ThinkPHP5.1.x" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.