The Discuz X1.5 forum of Ihipop school was hacked and there was a quarrel there all afternoon. Google "Discuz! X1-1.5 notify_credit.php Blind SQL injection exploit" and you'll find out.
Discuz is a very popular forum system in China, and there should be many hacked websites. However, I am not interested in hacking other people's websites, and I also despise those so-called "hackers" who can't write code and only use tools released by others to attack.
After a cursory look at the code, this SQL injection vulnerability is caused by the urldecode function. In the PHP manual, there is a warning under the urldecode function:
The superglobals $_GET and $_REQUEST are already decoded. Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results.
The developer of Discuz (probably a novice) went over the top and added an extra urldecode:
Copy the code The code is as follows:
foreach($_POST as $k => $v) {
$value = urldecode($v);
$this->setParameter($k, $value);
}
After the single quote is urlencoded twice, it is %2527, and then POST. When generating the global variable $_POST, PHP will first urldecode it and get %27, and then PHP will check the settings of Magic Quotes. , but no matter whether Magic Quotes is turned on or not, %27 will not be addslashes, because there are no single quotes at all. But at this time, if you add urldecode in the PHP code, %27 will become a single quote, and then... you know.
When I first learned PHP, I read a bad book in the school library. It didn’t even mention that PHP will automatically urldecode when processing forms, so I used the urldecode function to decode it (I vaguely remember It seems to be written like this in the book, which is really misleading).
To summarize, it is: 1. It is very important to choose a good book; 2. Use the urldecode function with caution. 3. Pay attention to the warnings in the PHP manual.
Original text from http://demon.tw/programming/php-urldecode-sql-injection.html
http://www.bkjia.com/PHPjc/324509.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/324509.htmlTechArticleIhipop School’s Discuz X1.5 forum was hacked, and there was a quarrel there all afternoon. Google "Discuz! X1-1.5 notify_credit.php Blind SQL injection exploit" and you'll find out. Discuz is a country...