Not much to say, straight to the code analysis: \phpcms\modules\video.php (78 lines of code)

    /**
     * video adding method
     */
    public function add() {
        if ($_POST['dosubmit']) {
            // process the submitted data first
            $data['vid'] = $_POST['vid'];   // obviously, vid is not filtered
            if (!$data['vid']) showmessage(L('failed_you_video_uploading'), 'index.php?m=video&c=video&a=add');
            $data['title'] = isset($_POST['title']) && trim($_POST['title']) ? trim($_POST['title']) : showmessage(L('video_title_not_empty'), 'index.php?m=video&c=video&a=add&meunid='.$_GET['meunid']);
            $data['description'] = trim($_POST['description']);
            $data['keyword'] = trim(strip_tags($_POST['keyword']));
            // post the data to vms and get the returned value
            $get_data = $this->ku6api->vms_add($data);
            if (!$get_data) {
                showmessage($this->ku6api->error_msg);
            }
            $data['vid'] = $get_data['vid'];
            $data['addtime'] = SYS_TIME;
            $data['userupload'] = intval($_POST['userupload']);
            // this is the focus ..
            $videoid = $this->v->add($data);   // into the database ..
            if ($videoid) {
                showmessage(L('operation_success'), 'index.php?m=video&c=video&a=init&meunid='.$_GET['meunid']);
            } else {
                showmessage(L('operation_failure'), 'index.php?m=video&c=video&a=add&meunid='.$_GET['meunid']);
            }
        } else {
            if (!$this->ku6api->testapi()) {
                showmessage(L('vms_sn_skey_error'), '?m=video&c=video&a=setting&menuid='.$_GET['menuid']);
            }
            $flash_info = $this->ku6api->flashuploadparam();
            $show_validator = true;
            include $this->admin_tpl('video_add');
        }
    }

Next, let's follow the data on its way into the database: \phpcms\modules\classes\v.class.php

    public function add($data = array()) {
        if (is_array($data) && !empty($data)) {
            $data['status'] = 1;
            $data['userid'] = defined('IN_ADMIN') ? 0 : param::get_cookie('_userid');   // do you want to play with cookie injection?
            // $data['vid'] is not touched here either, but it is still inside $data ..
            $vid = $this->db->insert($data, true);   // inserted, dear!!
            return $vid ? $vid : false;
        } else {
            return false;
        }
    }

Preconditions for exploiting this vulnerability: 1. user registration is enabled; 2. video upload is enabled.

Exploit: since vid is submitted by the HTML form, it is enough to change the vid value to SQL .. A picture is worth a thousand words ..

Thanks to y0umer
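The fix for the flaw described above is to stop trusting vid (and the userid cookie) before the row reaches the database layer. The following is an added example written for this page, not PHPCMS code: it validates the form fields the way the video module should, takes the user id from server-side state instead of a cookie, and inserts with bound parameters. The table name video, the column names, and the in-memory SQLite database are assumptions made for the demonstration.

```php
<?php
// Added example, not part of PHPCMS: hardened handling of the video form data.
// Assumes a PDO connection; table and column names are made up for the demo.

declare(strict_types=1);

/**
 * Validate the untrusted form fields. The page's bug is that $_POST['vid'] is
 * copied straight into $data and inserted; here vid must be a positive integer
 * and the user id is passed in from the server-side session, not read from a cookie.
 */
function build_video_record(array $post, int $userid): array
{
    $vid = $post['vid'] ?? '';
    // vid may only be a plain decimal string; anything else is rejected
    if (!is_string($vid) || !ctype_digit($vid) || (int)$vid <= 0) {
        throw new InvalidArgumentException('vid must be a positive integer');
    }
    $title = trim((string)($post['title'] ?? ''));
    if ($title === '') {
        throw new InvalidArgumentException('title must not be empty');
    }
    return [
        'vid'         => (int)$vid,
        'title'       => $title,
        'description' => trim((string)($post['description'] ?? '')),
        'keyword'     => trim(strip_tags((string)($post['keyword'] ?? ''))),
        'userupload'  => (int)($post['userupload'] ?? 0),
        'status'      => 1,
        'userid'      => $userid,
        'addtime'     => time(),
    ];
}

/**
 * Insert with a prepared statement: values are bound, never spliced into the
 * SQL text, so no field value can change the structure of the query.
 */
function insert_video(PDO $db, array $row): int
{
    $cols = array_keys($row);   // column names come from our own array keys, not from user input
    $sql = sprintf(
        'INSERT INTO video (%s) VALUES (%s)',
        implode(', ', $cols),
        implode(', ', array_map(fn($c) => ':' . $c, $cols))
    );
    $stmt = $db->prepare($sql);
    foreach ($row as $col => $val) {
        $stmt->bindValue(':' . $col, $val, is_int($val) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    return (int)$db->lastInsertId();
}

// Demo on an in-memory SQLite database (constructed for this example)
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE video (videoid INTEGER PRIMARY KEY AUTOINCREMENT, vid INTEGER, title TEXT, '
        . 'description TEXT, keyword TEXT, userupload INTEGER, status INTEGER, userid INTEGER, addtime INTEGER)');

// constructed form submission with a well-formed vid
$good = ['vid' => '12345', 'title' => 'demo clip', 'description' => '', 'keyword' => '', 'userupload' => '1'];
echo 'inserted videoid ' . insert_video($db, build_video_record($good, 7)) . PHP_EOL;

// constructed submission with a non-numeric vid: rejected before any SQL is built
$bad = $good;
$bad['vid'] = '12345abc';
try {
    build_video_record($bad, 7);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

Two things matter here. The type check on vid is the cheap first line of defence and would have stopped the form-supplied value the page describes; the bound parameters are what make the insert safe even if a future field is added without such a check. Replacing the userid cookie with a session-derived value closes the separate weakness the author points at with the "cookie injection" comment.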
www.2cto.com: this has been reported to the vendor; please wait for the patch and upgrade.