ThinkPHP 5.1.7 parseData deficiency leads to insert/update injection: analysis

Environment setup

$ composer create-project topthink/think thinkphp-5.1.7

In composer.json, change the topthink/framework version from 5.1.* to 5.1.7

$ composer update

Analysis

The injection point is at parseData, in the same place as in 5.0.15: the set data, which the user fully controls, is parsed and spliced directly into the SQL statement.

Let's look at the vulnerable code, first locating it from the fix commit on GitHub.

Here you can see that the fix deletes the default block of the switch outright and removes the parseArrayData method.

Using the 5.1.7 environment built above, let's see what effect the deleted statements had in the original version. First look at the controller:

Here the username array variable is taken from the request, $username is passed as the value of the 'name' field, and the row is inserted into the test table.

Let's request a test URL:

127.0.0.1/thinkphp/thinkphp_5.1.7/public/index.php/index/index/sqli?username[0]=aaa&username[1]=bbb

At this point the value of $username is ["aaa", "bbb"].

Next, set breakpoints on the code the commit deleted. Since that code is in parseData(), we start from parseData.

Here $data is resolved into key-value pairs. Because $val is a non-empty array, execution enters the default block of the switch, and the user-controllable $val is passed as the argument to parseArrayData for processing. Its return value is placed into the $result array, which is finally returned. Let's follow parseArrayData.

Here the first two elements of $data are assigned to $type and $value. Since the first element in our request is aaa, the first case is not entered. Analysing that first case shows that $value (i.e. $data[1]), $data[2] and $data[3] are concatenated directly into the return value $result, so we change the value of username[0] to point and add a username[2].

Test URL:

127.0.0.1/thinkphp/thinkphp_5.1.7/public/index.php/index/index/sqli?username[0]=point&username[1]=bbb&username[2]=ccc

Debugging:

Here the parameters are spliced in directly. Continue debugging to see the final SQL statement that is formed:

Returned page:

Try an error-based injection payload:

http://127.0.0.1/thinkphp/thinkphp_5.1.7/public/index.php/index/index/sqli?username[0]=point&username[1]=bbbb&username[2]=updatexml(1,concat(0x7e,user(),0x7e),1))--%20
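Added example, not ThinkPHP's own code: a simplified, hypothetical stand-in for the parseArrayData() splicing described above, beside a hardened form that lets only numeric literals into the SQL text, plus the controller-side scalar check that stops an array from reaching the set data at all. The SQL fragment shape used for 'point' is an assumption, not the framework's actual output.

```php
<?php
// Added illustration, not ThinkPHP's own code: a hypothetical stand-in for the
// parseArrayData() splicing described above, beside a hardened version. The
// exact SQL fragment ThinkPHP builds for 'point' is assumed, not reproduced.
// Vulnerable shape: for a 'point' marker, $data[1] and $data[2] are spliced
// into the SQL text verbatim, so any string the client sends lands in the query.
function parseArrayDataVulnerable(array $data): string
{
    if (strtolower((string) $data[0]) !== 'point') {
        return '';  // other array types omitted here
    }
    return 'POINT(' . $data[1] . ',' . ($data[2] ?? '') . ')';
}

// Hardened shape: only numeric literals may reach the SQL text.
function parseArrayDataHardened(array $data): string
{
    if (strtolower((string) $data[0]) !== 'point') {
        throw new InvalidArgumentException('unsupported array value type');
    }
    $coords = array_slice($data, 1);
    if (count($coords) !== 2 || count(array_filter($coords, 'is_numeric')) !== 2) {
        throw new InvalidArgumentException('point needs exactly two numeric coordinates');
    }
    return sprintf('POINT(%F,%F)', (float) $coords[0], (float) $coords[1]);
}

// Controller-side guard: a plain-string field must never accept an array,
// which is what lets request data reach the array branch at all.
function requireScalar(string $field, $value): string
{
    if (!is_scalar($value)) {
        throw new InvalidArgumentException("field $field must be a scalar");
    }
    return (string) $value;
}

// Constructed inputs shaped like the page's username[] parameter.
$malicious = ['point', 'bbb', "2)-- "];
echo parseArrayDataVulnerable($malicious), PHP_EOL;       // comment sequence survives
echo parseArrayDataHardened(['point', '1', '2']), PHP_EOL;
foreach ([fn() => parseArrayDataHardened($malicious),
          fn() => requireScalar('name', ['aaa', 'bbb'])] as $check) {
    try {
        $check();
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Running the script prints the spliced fragment from the vulnerable path, the numeric-only fragment from the hardened path, and a rejection for both the injection-shaped array and the array-typed name field.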

References

https://mochazz.github.io/2019/03/21/ThinkPHP5%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B9%8BSQL%E6%B3%A8%E5%85%A52/#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90


Origin www.cnblogs.com/litlife/p/11280133.html