Learn about the audit of ThinkPHP framework in one minute (share)

The thinkphp framework tutorial column below will introduce you to the auditing (sharing) of the ThinkPHP framework in one minute. I hope it will be helpful to friends in need!

Introduction to ThinkPHP

ThinkPHP is a It is a free and open source, fast and simple object-oriented lightweight PHP development framework. It was founded in early 2006 and released under the Apache2 open source agreement. It was born for agile WEB application development and simplified enterprise application development. ThinkPHP has been adhering to the simple and practical design principle since its birth. While maintaining excellent performance and minimal code, it also focuses on ease of use. It has many original functions and features. With the active participation of the community team, it has been continuously optimized and improved in terms of ease of use, scalability and performance. It has grown into the most leading and influential WEB application development framework in China, with many Typical cases ensure that it can be stably used for commercial and portal-level development.

Vulnerability Brief

##Although the ThinkPHP 5.0.x framework uses parameterized queries method to operate the database, but in the insert and update methods, the parameters passed in are controllable and not strictly filtered, which ultimately led to the occurrence of this SQL injection vulnerability.

Using ThinkPHP framework 5.0.x sql injection vulnerability for analysis

thinkphpOfficial website download version 5.0.15: http://www.thinkphp.cn/down/1125.html . Set up the database, the database is tp, the table name is user, and there are two fields id and username.

Modify the database configuration information application/database.php, in application/config Turn on debugging and trace in .php.

Add a method to the Index class in application/index/controller/Index.php:

##

public  function testsql()
    {
        $username = input('get.username/a');
        db('user')->where(['id'=> 1])->insert(['username'=>$username]);
    }

The explanation is as follows:

http://127.0.0.1/thinkphp/ public/ index.php/ index/ index/ index domain name website directory external access directory entry file front desk controller method name

Extension: ##About updatexml function UPDATEXML (XML_document, XPath_string, new_value );

The first parameter: XML_document is in String format and is the name of the XML document object. The text is Doc

The second parameter: XPath_string (string in Xpath format). If you don’t understand Xpath syntax, you can find tutorials on the Internet.

The third parameter: new_value, String format, replaces the found data that meets the conditions

作用：改变文档中符合条件的节点的值

访问payload，就可以触发漏洞了。

漏洞分析

首先，我们知道 insert 方法存在漏洞，那就查看 insert 方法的具体实现。

通过input获取到参数后，username变量情况如下：

跟入insert，thinkphp/library/think/db/Query.php

然后执行insert语句

$sql = $this->builder->insert($data, $options, $replace);

跟入 thinkphp/library/think/db/Builder.php

跟入parseData至 thinkphp/library/think/db/Builder.php

可以看出$val是数组，且根据$val[0]值为inc，会通过switch语句进入到’inc’：

此处的parseKey，即thinkphp/library/think/db/builder/Mysql.php

此处并未对传入的$key进行更多的过滤与检查，将其与前面经过parseKey的结果进行拼接后返回给result

至此注入成功。

漏洞修复

 https://github.com/top-think/framework/commit/363fd4d90312f2cfa427535b7ea01a097ca8db1b

在进行dec和inc操作之前对$val[1]的值进行了再次确认。

总结

第一次审计Thinkphp框架   ，结合Thinkphp5.0手册以及网上教程完成此次漏洞的审计。

相关推荐：最新的10个thinkphp视频教程

The above is the detailed content of Learn about the audit of ThinkPHP framework in one minute (share). For more information, please follow other related articles on the PHP Chinese website!