Vendor: https://github.com/xiebruce/PicUploader
Version: before https://github.com/xiebruce/PicUploader/commit/fcf82eacc4ad2e62b6182ca152a48bda739157be
A SQL injection vulnerability exists in `createOne()` at https://github.com/xiebruce/PicUploader/blob/2ef5b21cb2ae831ff5a56473b0f1315a6f81ff65/settings/HistoryModel.php#L31
```php
public function createOne($data){
    $uploadTime = date('Y-m-d H:i:s');
    $sql = 'INSERT INTO `'.self::$tableName.'`(`filename`, `url`, `size`, `created_at`, `mime`, `md5`, `upload_server`) VALUES("'.$data['filename'].'", "'.$data['url'].'", '.$data['size'].', "'.$uploadTime.'", "'.$data['mime'].'", "'.$data['md5'].'", "'.$data['uploadServer'].'")';
    $affectedRow = $this->execute($sql);
    return $affectedRow;
}
```
The variables `$key` and `$val` come from the parameter `$conditionArr`, and users can control the values of this parameter through https://github.com/xiebruce/PicUploader/blob/2ef5b21cb2ae831ff5a56473b0f1315a6f81ff65/settings/dispatch.php#L30
```php
$json = call_user_func_array(array((new $className()), $func), [$_REQUEST]);
```
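A hardened counterpart to the `createOne()` shown above, where the `$_REQUEST` fields passed in by `dispatch.php` are bound as parameters instead of concatenated. This is an added example, not PicUploader's code or its actual fix; the PDO in-memory SQLite database, the `history` table and the name `createOneSafe` are assumptions made so the snippet runs on its own.

```php
<?php
// Added example (not PicUploader's code): createOne() rewritten with bound parameters.
// Assumption: PDO with an in-memory SQLite database and a hypothetical `history` table.

function createOneSafe(PDO $pdo, array $data): int
{
    // Only the six expected keys are read, so extra $_REQUEST fields are ignored.
    foreach (['filename', 'url', 'size', 'mime', 'md5', 'uploadServer'] as $key) {
        if (!isset($data[$key]) || !is_scalar($data[$key])) {
            throw new InvalidArgumentException("missing or non-scalar field: $key");
        }
    }
    // `size` is concatenated unquoted in the original, so enforce an integer here.
    $size = filter_var($data['size'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($size === false) {
        throw new InvalidArgumentException('size must be a non-negative integer');
    }
    $stmt = $pdo->prepare(
        'INSERT INTO history (filename, url, size, created_at, mime, md5, upload_server)
         VALUES (:filename, :url, :size, :created_at, :mime, :md5, :upload_server)'
    );
    $params = [
        ':filename' => (string)$data['filename'], ':url' => (string)$data['url'],
        ':size' => $size, ':created_at' => date('Y-m-d H:i:s'),
        ':mime' => (string)$data['mime'], ':md5' => (string)$data['md5'],
        ':upload_server' => (string)$data['uploadServer'],
    ];
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE history (filename TEXT, url TEXT, size INTEGER,
    created_at TEXT, mime TEXT, md5 TEXT, upload_server TEXT)');

// Constructed request: the double quotes would end the string literal in the concatenated query.
$request = ['filename' => 'holiday "2023".png', 'url' => 'https://img.example/a.png',
    'size' => '2048', 'mime' => 'image/png', 'md5' => str_repeat('0', 32),
    'uploadServer' => 'local', 'unexpected' => 'ignored'];
var_dump(createOneSafe($pdo, $request));                               // affected rows
var_dump($pdo->query('SELECT filename FROM history')->fetchColumn()); // stored verbatim
try {
    createOneSafe($pdo, ['size' => '2048 -- not a number'] + $request);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;                                    // rejected before any SQL runs
}
```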