### Vulnerability Overview

The provided webpage screenshot displays a PHP file named `BuildHelper.php`, which contains a potential SQL injection vulnerability. The vulnerability is located in the `where` method, specifically in how it processes the `$where` array parameter. Because user input is insufficiently filtered and escaped before it is placed into the SQL text, an attacker can inject SQL code by crafting specific array contents.

### Impact Scope

- **Affected Module**: The `where` method within the `BuildHelper` class.
- **Affected Scenarios**: Any database query operation built with this method is susceptible to SQL injection.
- **Potential Harm**: Attackers may exploit the injection to retrieve, modify, or delete data from the database, and potentially to execute arbitrary commands.

### Remediation Plan

1. **Input Validation**: Strictly validate all user inputs to ensure they conform to the expected format.
2. **Parameterized Queries**: Use parameterized queries or prepared statements instead of concatenating user input into SQL statements.
3. **Escape Special Characters**: Escape special characters in inputs so that they cannot be interpreted as part of the SQL syntax.
### POC Code

The following is a possible POC code example demonstrating how the vulnerability could be triggered:

```php
// Assume the $where array is controlled by user input
$where = [
    'id' => '1 OR 1=1'
];

// Call the where method
$result = BuildHelper::where($where);

// The generated SQL statement might be:
// SELECT * FROM table WHERE id = 1 OR 1=1
```

### Complete Code Block

Below is the complete code of the `where` method from `BuildHelper.php`, as reconstructed from the screenshot into runnable form:

```php
<?php
// Reconstructed from the screenshot transcription; the placeholder prefix, the
// 'merge' handling and the isMulti() helper were not legible and are assumed.
class BuildHelper
{
    /**
     * Build a WHERE fragment from a nested condition array and return [$sql, $params].
     * Values are bound as named placeholders, but the field and operator strings are
     * interpolated verbatim: that is the injection point described above.
     * $id is passed by reference so placeholder names stay unique across recursion.
     */
    public static function where(array $where, &$id = null)
    {
        $sql = '';
        $params = [];
        foreach ($where as $key => $item) {
            if (!is_array($item)) {
                throw new \PDOException(sprintf('Invalid where format: %s', json_encode($item)));
            }
            $item = array_values($item);
            $id++;
            $prefix = ":w{$id}_";
            $length = count($item);
            // `continue` inside `switch` acts like `break` in PHP, so if/elseif is used
            if ($length == 2) {
                // Nested group: [symbol, [condition, ...]]
                if (is_string($item[0]) && is_array($item[1])) {
                    $symbol = $item[0];
                    $subWhere = $item[1];
                    if (!static::isMulti($subWhere)) {
                        $subWhere = [$subWhere];
                    }
                    [$subSql, $subParams] = static::where($subWhere, $id);
                    if (count($subWhere) > 1) {
                        $subSql = "({$subSql})";
                    }
                    if (strtolower($symbol) == 'merge') {
                        // 'merge' splices the group in with AND
                        $sql = $sql === '' ? $subSql : "{$sql} AND {$subSql}";
                    } else {
                        // AND/OR groups must follow an existing condition
                        if ($sql === '') {
                            throw new \PDOException(sprintf('This where can\'t be the first: %s', json_encode($item)));
                        }
                        $sql .= ' ' . strtoupper($symbol) . " {$subSql}";
                    }
                    $params = array_merge($params, $subParams);
                    continue;
                }
                // Condition without a value, e.g. ['deleted_at', 'IS NULL']
                if (is_string($item[0]) && is_string($item[1])) {
                    $field = $item[0];
                    $operator = $item[1];
                    $subSql = "{$field} {$operator}";
                    $sql = $sql === '' ? $subSql : "{$sql} AND {$subSql}";
                    continue;
                }
                throw new \PDOException(sprintf('Invalid where format: %s', json_encode($item)));
            } elseif ($length == 3) {
                // Standard condition [field, operator, value]:
                // =, <>, IN, NOT IN, >, <, >=, <=, BETWEEN, NOT BETWEEN
                $field = $item[0];
                $operator = strtoupper((string) $item[1]);
                $condition = $item[2];
                $in = in_array($operator, ['IN', 'NOT IN']);
                $between = in_array($operator, ['BETWEEN', 'NOT BETWEEN']);
                $scalarOk = (is_string($field) || $field instanceof Expression) && is_scalar($condition) && !$in && !$between;
                $listOk = is_string($field) && ($in || $between) && is_array($condition);
                if (!$scalarOk && !$listOk) {
                    throw new \PDOException(sprintf('Invalid where format: %s', json_encode($item)));
                }
                // Placeholder name derived from the field with '.', ' ', '(' and ')' stripped
                $base = str_replace(['.', ' ', '(', ')'], '', (string) $field);
                if ($in) {
                    $names = [];
                    foreach (array_values($condition) as $i => $value) {
                        $names[] = "{$prefix}{$i}_{$base}";
                        $params["{$prefix}{$i}_{$base}"] = $value;
                    }
                    $subSql = "{$field} {$operator} (" . implode(', ', $names) . ')';
                } elseif ($between) {
                    $name1 = "{$prefix}a_{$base}";
                    $name2 = "{$prefix}b_{$base}";
                    $subSql = "{$field} {$operator} {$name1} AND {$name2}";
                    $params[$name1] = $condition[0];
                    $params[$name2] = $condition[1];
                } else {
                    $name = $prefix . $base;
                    $subSql = "{$field} {$operator} {$name}";
                    $params[$name] = $condition;
                }
                $sql = $sql === '' ? $subSql : "{$sql} AND {$subSql}";
            } else {
                throw new \PDOException(sprintf('Invalid where format: %s', json_encode($item)));
            }
        }
        return [$sql, $params];
    }

    /** True when $where is a list of conditions rather than a single condition. */
    private static function isMulti(array $where)
    {
        return is_array(reset($where));
    }
}
```
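A hardened counterpart to the standard-condition branch, added here to illustrate the remediation plan; it is example code, not BuildHelper's own, and assumes MySQL-style backtick identifier quoting and PDO named placeholders (the nested-group handling and `Expression` support are left out).

```php
<?php
// Added example, not code from BuildHelper.php: hardened counterpart of the
// [field, operator, value] branch of where().
final class SafeWhereBuilder
{
    private const OPERATORS = ['=', '<>', '!=', '<', '<=', '>', '>=', 'LIKE', 'NOT LIKE', 'IN', 'NOT IN', 'BETWEEN', 'NOT BETWEEN'];
    private const IDENT = '/^[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)?$/';
    public static function where(array $conditions): array
    {
        $parts = [];
        $params = [];
        foreach (array_values($conditions) as $i => $cond) {
            if (!is_array($cond) || count($cond) !== 3) {
                throw new \InvalidArgumentException('Invalid condition: ' . json_encode($cond));
            }
            [$field, $operator, $value] = array_values($cond);
            // Field must be a plain (optionally table-qualified) identifier, not arbitrary SQL
            if (!is_string($field) || !preg_match(self::IDENT, $field)) {
                throw new \InvalidArgumentException('Invalid field name: ' . json_encode($field));
            }
            // Operator must come from the allowlist; a string such as '= 1 OR 1=1' is rejected here
            $operator = strtoupper(trim((string) $operator));
            if (!in_array($operator, self::OPERATORS, true)) {
                throw new \InvalidArgumentException('Operator not allowed: ' . json_encode($operator));
            }
            $column = '`' . str_replace('.', '`.`', $field) . '`';   // quote the validated identifier
            $name = ":w{$i}";
            if ($operator === 'IN' || $operator === 'NOT IN') {
                $values = array_values((array) $value);
                $names = array_map(fn ($j) => "{$name}_{$j}", array_keys($values));
                $params += array_combine($names, $values);
                $parts[] = "{$column} {$operator} (" . implode(', ', $names) . ')';
            } elseif ($operator === 'BETWEEN' || $operator === 'NOT BETWEEN') {
                [$params["{$name}_a"], $params["{$name}_b"]] = [$value[0], $value[1]];
                $parts[] = "{$column} {$operator} {$name}_a AND {$name}_b";
            } else {
                $params[$name] = $value;   // values are only ever bound, never interpolated
                $parts[] = "{$column} {$operator} {$name}";
            }
        }
        return [implode(' AND ', $parts), $params];
    }
}
// Constructed sample: the POC value is bound as :w0 and never reaches the SQL text
[$sql, $params] = SafeWhereBuilder::where([['id', '=', '1 OR 1=1'], ['status', 'IN', ['a', 'b']]]);
try {
    SafeWhereBuilder::where([['id', '= 1 OR 1=1', 0]]);   // operator smuggled in: rejected
} catch (\InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The returned `$sql` and `$params` are meant to be passed to `PDO::prepare()` and `PDOStatement::execute()` respectively, so the database driver handles the quoting of every value.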