PHP-Fusion is a PHP-based content management system. The submit.php file in PHP-Fusion does not properly filter input passed through the submit_info[] parameter before using it in an SQL query; a remote attacker could exploit this to perform SQL injection.

Relevant code:

    if ($stype == "l") {

        if (isset($_POST['submit_link'])) {

            if ($_POST['link_name'] != "" && $_POST['link_url'] != "" && $_POST['link_description'] != "") {
                $submit_info['link_category'] = stripinput($_POST['link_category']);
                $submit_info['link_name'] = stripinput($_POST['link_name']);
                $submit_info['link_url'] = stripinput($_POST['link_url']);
                $submit_info['link_description'] = stripinput($_POST['link_description']);
                $result = dbquery("INSERT INTO ".$db_prefix."submissions (submit_type, submit_user, submit_datestamp, submit_criteria) VALUES ('l', '".$userdata['user_id']."', '".time()."', '".serialize($submit_info)."')");
            }
        }
    }

The SQL query contains two variables: $userdata['user_id'] and the serialized array $submit_info. Only the four keys assigned explicitly above go through stripinput; if other values of the submit_info[] array have been set through GPC variables, they are carried into the serialized array without any stripinput check, and that string is concatenated directly into the query, which allows SQL injection.

A successful attack allows the attacker to retrieve the administrator's password hash, but it requires valid user credentials, knowledge of the database table prefix, and magic_quotes_gpc being disabled.
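The following is an added example of how the link-submission insert above can be hardened; it is not PHP-Fusion's own code or its official fix. It assumes a mysqli connection in $db and supplies a minimal stand-in for the project's stripinput() so the file runs on its own.

```php
<?php
// Added example, not PHP-Fusion's code. Two changes close the hole described above:
//  1. $submit_info starts as an empty array built only from an allow-list of
//     fields, so no request-supplied submit_info[] keys reach serialize() unchecked;
//  2. user id and the serialized array are bound as parameters rather than
//     concatenated into the SQL string, so quoting is no longer the only defence.
// Assumed: $db is an open mysqli connection; $db_prefix is a config value, not input.

if (!function_exists('stripinput')) {
    // Stand-in for the project's stripinput(): strip tags and escape HTML.
    function stripinput(string $text): string {
        return htmlspecialchars(strip_tags(trim($text)), ENT_QUOTES, 'UTF-8');
    }
}

// Build the submission record from an explicit allow-list of fields only.
function build_link_submission(array $post): array {
    $allowed = ['link_category', 'link_name', 'link_url', 'link_description'];
    $submit_info = [];                      // never seeded from request data
    foreach ($allowed as $key) {
        $value = $post[$key] ?? '';
        if (!is_string($value)) {           // nested arrays are not valid input here
            $value = '';
        }
        $submit_info[$key] = stripinput($value);
    }
    return $submit_info;
}

// Insert with a prepared statement: the serialized array is bound as data, not SQL.
function insert_link_submission(mysqli $db, string $db_prefix, int $user_id, array $submit_info): bool {
    $sql = "INSERT INTO {$db_prefix}submissions "
         . "(submit_type, submit_user, submit_datestamp, submit_criteria) "
         . "VALUES ('l', ?, ?, ?)";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        return false;
    }
    $datestamp = time();
    $criteria  = serialize($submit_info);
    $stmt->bind_param('iis', $user_id, $datestamp, $criteria);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

In the original control flow this replaces the block inside `if ($stype == "l")`: call build_link_submission($_POST), apply the same non-empty checks to link_name, link_url and link_description on the returned array, then call insert_link_submission($db, $db_prefix, (int)$userdata['user_id'], $info).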