[漏洞修复]4-22 修复博客SQL注入一枚

偶然发现博客居然存在SQL注入漏洞？当时就懵逼了，这么久才发现。。。

漏洞发现

在博主随笔处，利用了wp自带的wp_ajax钩子，过滤不严，导致POST提交查询文章内容时，s_id存在sql注入漏洞。

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.xiaoxiaowu.me
Connection: close
Content-Length: 26
Accept: */*
Origin: https://www.xiaoxiaowu.me
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://www.xiaoxiaowu.me/sy
Accept-Language: zh-CN,zh;q=0.9
Cookie:

action=shuoshuo&s_id=1467

漏洞代码

//ajax shuoshuo function shuoshuo(){ echo popularPosts($num);     die(); } add_action('wp_ajax_shuoshuo', 'shuoshuo'); add_action('wp_ajax_nopriv_shuoshuo', 'shuoshuo');  function popularPosts($num) {         global $wpdb;         $s_id = $_POST['s_id'];       $sql="SELECT ID,post_title,post_content FROM wp_posts WHERE post_type='shuoshuo' and post_status = 'publish' and ID = $s_id order by ID desc";        $myrows = $wpdb->get_results($sql);       foreach ($myrows as $b) {       echo $b->post_content;//这是文章内容       //echo $b->ID." ";//这是文章ID      // echo $b->post_title." ";//这是文章标题 }} 

可以看到，在$sql那段，$s_id直接就被调用了，没有做任何的过滤处理，最终导致了SQL注入漏洞。

漏洞修复

在$s_id加上单引号即可解决问题。

//ajax shuoshuo function shuoshuo(){ echo popularPosts($num);     die(); } add_action('wp_ajax_shuoshuo', 'shuoshuo'); add_action('wp_ajax_nopriv_shuoshuo', 'shuoshuo');  function popularPosts($num) {         global $wpdb;         $s_id = $_POST['s_id'];       $sql="SELECT ID,post_title,post_content FROM wp_posts WHERE post_type='shuoshuo' and post_status = 'publish' and ID = '$s_id' order by ID desc";        $myrows = $wpdb->get_results($sql);       foreach ($myrows as $b) {       echo $b->post_content;//这是文章内容       //echo $b->ID." ";//这是文章ID      // echo $b->post_title." ";//这是文章标题 }} 

可以看到，已经无法注入了。