@LioTree
Created May 2, 2024 22:46
PicUploader HistoryModel.php::createOne SQL injection

Vendor: https://github.com/xiebruce/PicUploader

Version: all versions before https://github.com/xiebruce/PicUploader/commit/fcf82eacc4ad2e62b6182ca152a48bda739157be

A SQL injection vulnerability exists in https://github.com/xiebruce/PicUploader/blob/2ef5b21cb2ae831ff5a56473b0f1315a6f81ff65/settings/HistoryModel.php#L31, where request-controlled values are concatenated directly into the INSERT statement:

    public function createOne($data){
        $uploadTime = date('Y-m-d H:i:s');
        $sql = 'INSERT INTO `'.self::$tableName.'`(`filename`, `url`, `size`, `created_at`, `mime`, `md5`, `upload_server`) VALUES("'.$data['filename'].'", "'.$data['url'].'", '.$data['size'].', "'.$uploadTime.'", "'.$data['mime'].'", "'.$data['md5'].'", "'.$data['uploadServer'].'")';
        $affectedRow = $this->execute($sql);
        return $affectedRow;
    }

The variables $key and $val come from the parameter $conditionArr, and users can control the values of this parameter through https://github.com/xiebruce/PicUploader/blob/2ef5b21cb2ae831ff5a56473b0f1315a6f81ff65/settings/dispatch.php#L30, which passes the raw $_REQUEST array as the argument of the dispatched model method (so the $data array that createOne interpolates into the query above is attacker-controlled):

    $json = call_user_func_array(array((new $className()), $func), [$_REQUEST]);
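As an added example (not PicUploader's own code or its fix), the same INSERT rebuilt on PDO prepared statements so that the request-controlled fields are bound as parameters instead of spliced into the SQL text; the PDO handle, the table name `history` and the sample request array are assumptions constructed for the demonstration:

```php
<?php
// Added example, not PicUploader's code: the same INSERT on PDO prepared
// statements. Request values are bound, never concatenated into the SQL.
function createOneSafe(PDO $pdo, string $tableName, array $data): int
{
    // Identifiers cannot be bound. The table name is a class constant in the
    // original, but validate it anyway so it can never carry SQL syntax.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $tableName)) {
        throw new InvalidArgumentException('invalid table name');
    }
    // Read only the expected keys; anything else in $_REQUEST is ignored.
    foreach (['filename', 'url', 'size', 'mime', 'md5', 'uploadServer'] as $key) {
        if (!array_key_exists($key, $data)) {
            throw new InvalidArgumentException("missing field: $key");
        }
    }
    // size was interpolated unquoted in the original; enforce an integer.
    if (filter_var($data['size'], FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('size must be an integer');
    }
    $sql = 'INSERT INTO `' . $tableName . '` '
         . '(`filename`, `url`, `size`, `created_at`, `mime`, `md5`, `upload_server`) '
         . 'VALUES (:filename, :url, :size, :created_at, :mime, :md5, :upload_server)';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':filename', (string)$data['filename']);
    $stmt->bindValue(':url', (string)$data['url']);
    $stmt->bindValue(':size', (int)$data['size'], PDO::PARAM_INT);
    $stmt->bindValue(':created_at', date('Y-m-d H:i:s'));
    $stmt->bindValue(':mime', (string)$data['mime']);
    $stmt->bindValue(':md5', (string)$data['md5']);
    $stmt->bindValue(':upload_server', (string)$data['uploadServer']);
    $stmt->execute();
    return $stmt->rowCount();
}

// Self-check against a constructed in-memory SQLite database (assumption:
// the pdo_sqlite extension is available; the schema mirrors the INSERT).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE history (filename TEXT, url TEXT, size INTEGER, '
         . 'created_at TEXT, mime TEXT, md5 TEXT, upload_server TEXT)');
// Constructed request: a filename containing the double quote that the
// original string-built query used as its value delimiter.
$request = ['filename' => 'report "Q1".png', 'url' => 'http://example.invalid/q1.png',
            'size' => '42', 'mime' => 'image/png', 'md5' => 'deadbeef',
            'uploadServer' => 'local'];
$rows = createOneSafe($pdo, 'history', $request);
$stored = $pdo->query('SELECT filename FROM history')->fetchColumn();
if ($rows !== 1 || $stored !== $request['filename']) {
    throw new RuntimeException('unexpected result');
}
echo "stored literally: $stored\n";
```

On MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the binding is done by the server rather than by client-side quoting.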

