PHPRAP 1.0.4 - 1.0.8 CVE-2018-11032 – SQL Injection

Authors:FortuneC00kie            Risk:High

CVE:CVE-2018-11032              0day:SQL Injection

0day -id:0DAY-176178             Date:2018-05-14

Description

PHPRAP 1.0.4 through 1.0.8 has SQL Injection via the application/home/controller/project.php search() function.

Analysis

file: application/home/controller/project.php, line 246

/**
 * Project search action.
 *
 * Reads the `search` array from the request, builds a SQL WHERE clause from
 * it by string interpolation, runs the query (once to count, once to fetch)
 * and renders the project/search view with the results and a page object.
 *
 * Security (CVE-2018-11032): `$search['project']` and `$search['user']` are
 * placed into SQL text without escaping or parameter binding, so the query
 * structure is controlled by request input. The fix is to pass these values
 * as bound parameters through the DB layer (or, failing that, to escape them
 * with the driver's escaping function for a LIKE pattern) rather than
 * interpolating them, and to cast the collected user ids to int.
 */
public function search()
    {

        // Untrusted input: everything in $search comes from the HTTP request.
        $search = request::get('search', []);

        $db = db::instance();

        $table_suffix = $db->suffix;
        $table_name   = $table_suffix .'project';

        // NOTE: direct index access with no isset/?? guard; a missing key
        // triggers an undefined-index notice before trim() runs.
        if($title = trim($search['project'])){

            // SINK: $title is interpolated into the LIKE pattern unescaped.
            $where = "title like '%{$title}%'";

        }

        if($user = trim($search['user'])){

            // SINK: $user is interpolated into the user lookup unescaped; this is
            // the statement the advisory's analysis points at (line 264 of the file).
            $user_sql = 'select id from ' . $table_suffix . 'user where ' .  "(name like '%{$user}%' or email like '%{$user}%') ";

            // show(false)->query() is the project's DB wrapper; its exact
            // semantics (result shape, error handling) are not visible here.
            $user_ids = $db->show(false)->query($user_sql);

            $user_ids = array_column($user_ids, 'id');

            // $where is never initialised in this method: when the project branch
            // above did not run, this reads an undefined variable (PHP notice),
            // which is falsy and therefore collapses to ''.
            $where = $where ? $where .= ' and ' : '';

            if($user_ids){

                // ids come from the query result, not directly from the request;
                // casting each to int before implode() would still be the robust choice.
                $where .= "user_id in (" . implode(',', $user_ids) . ')';

            }else{

                // No matching user: force an empty result rather than dropping the filter.
                $where .= 'user_id in (0)';

            }

        }

        // Same uninitialised-$where pattern as above when neither branch ran.
        $where = $where ? $where .= ' and ' : '';

        // Only projects flagged searchable are listed.
        $where .= 'allow_search = 1';

        $where = $where ? ' where ' . $where : '';

        // Final query text; the untrusted fragments reach it through $where.
        $sql   = "select * from $table_name $where order by id desc";

        // First execution exists only to count rows for pagination; it fetches the full result set.
        $total = count($db->show(false)->query($sql));

        $pre_rows = 10;

        // Pagination helper built from the total and the page size.
        $page  = new page($total, $pre_rows);

        // Second execution with $pre_rows as an extra argument — presumably a
        // page-size/limit understood by the wrapper; not verifiable from this listing.
        $projects = $db->show(false)->query($sql, $pre_rows);

        $this->assign('search', $search);
        $this->assign('page', $page);
        $this->assign('projects', $projects);

        $this->display('project/search');

    }

As you can see at line 264, the SQL statement is generated by string concatenation of user input, which leads to a SQL injection attack.
