@LioTree
Created May 2, 2024 22:32
PicUploader HistoryController::getByConditions SQL injection

Vendor: https://github.com/xiebruce/PicUploader

version: before https://github.com/xiebruce/PicUploader/commit/fcf82eacc4ad2e62b6182ca152a48bda739157be

A SQL injection vulnerability exists in https://github.com/xiebruce/PicUploader/blob/2ef5b21cb2ae831ff5a56473b0f1315a6f81ff65/settings/HistoryController.php#L189.

    public function getByConditions($conditionArr){
        $model = new HistoryModel();
        try {
            $where = '';
            // Both the column name ($key) and the value ($val) are concatenated
            // directly into the WHERE clause without validation or binding.
            foreach($conditionArr as $key=>&$val){
                $where .= "`".$key."`='".$val."' AND ";
            }
            $where .= '1=1';
            $res = $model->findByConditions($where);
        }catch (\PDOException $exception){
            $res = false;
            $msg = $exception->getMessage();
            $this->AddMissingColumn($model, $msg);
        }
        return $res;
    }

The variables $key and $val come from the parameter $conditionArr, and a user controls both the keys and the values of this parameter because dispatch.php passes $_REQUEST straight through to the controller method at https://github.com/xiebruce/PicUploader/blob/2ef5b21cb2ae831ff5a56473b0f1315a6f81ff65/settings/dispatch.php#L30

$json = call_user_func_array(array((new $className()), $func), [$_REQUEST]);
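The root cause above is that both sides of each `column='value'` pair are concatenated from request data. The following is an added example, not PicUploader's own code, of how the same lookup can be built safely: column names are checked against a fixed allow-list (identifiers cannot be bound as PDO parameters), and values are passed as bound parameters to a prepared statement. The table name `history`, its columns, and the SQLite in-memory database used for the demonstration are assumptions chosen for the example.

```php
<?php
// Added example (not PicUploader's code): a hardened getByConditions() pattern.
// Assumptions: a PDO connection and a table named `history` with the columns
// listed in ALLOWED_COLUMNS.

// Allow-list of columns a caller may filter on. Column identifiers cannot be
// bound as PDO parameters, so the identifier side must be validated against a
// fixed list instead of being interpolated from the request.
const ALLOWED_COLUMNS = ['id', 'filename', 'url', 'created_at'];

/**
 * Build a WHERE clause and a parameter map from untrusted conditions.
 * Returns [$whereSql, $params]; throws on any key not in the allow-list
 * (a key containing backticks, quotes or operators fails the same check).
 */
function buildWhere(array $conditionArr): array
{
    $clauses = [];
    $params = [];
    foreach ($conditionArr as $key => $val) {
        if (!in_array($key, ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException('Unsupported filter column: ' . $key);
        }
        if (!is_scalar($val)) {
            throw new InvalidArgumentException("Filter value for $key must be scalar");
        }
        // The identifier is taken from the allow-list; the value becomes a
        // named placeholder that the driver binds as data.
        $clauses[] = "`$key` = :$key";
        $params[":$key"] = (string) $val;
    }
    $where = $clauses ? implode(' AND ', $clauses) : '1=1';
    return [$where, $params];
}

function getByConditionsSafe(PDO $pdo, array $conditionArr): array
{
    [$where, $params] = buildWhere($conditionArr);
    $stmt = $pdo->prepare("SELECT * FROM `history` WHERE $where");
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration against an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec("CREATE TABLE `history` (id INTEGER PRIMARY KEY, filename TEXT, url TEXT, created_at TEXT)");
$pdo->exec("INSERT INTO `history` (filename, url, created_at) VALUES ('a.png', 'http://example.invalid/a.png', '2024-05-01')");
$pdo->exec("INSERT INTO `history` (filename, url, created_at) VALUES ('b.png', 'http://example.invalid/b.png', '2024-05-02')");

// A normal lookup: the value is bound, so the query matches only that filename.
$rows = getByConditionsSafe($pdo, ['filename' => 'a.png']);
echo 'matched rows: ' . count($rows) . PHP_EOL;

// A value containing a quote is bound as data, not interpreted as SQL, so it
// simply matches no row instead of altering the WHERE clause.
$rows = getByConditionsSafe($pdo, ['filename' => "a.png' OR '1'='1"]);
echo 'matched rows for quoted value: ' . count($rows) . PHP_EOL;

// A key that is not an allowed column is rejected before any SQL is built.
try {
    getByConditionsSafe($pdo, ['not_a_column' => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

Run it with `php example.php` (requires the pdo_sqlite extension). The allow-list is the part that the original code lacks entirely: even with bound values, letting the request choose the column name would still allow the clause structure to be rewritten, so identifiers must come from a list the application owns.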

[image]
