74cms (20140709), latest version: second-order SQL injection
74cms V3.4.20140709
In the fix for the previous injection, the vendor did not change the vulnerable code; it changed the filter function instead.
The filter itself cannot be bypassed, but the data can still be obtained.
Besides changing the filter function, the code itself should be fixed properly.
First, let's look at the filter function.
```php
function remove_xss($string) {
    // strip control characters
    $string = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S', '', $string);
    // HTML/JS keywords
    $parm1 = Array('javascript', 'union', 'vbscript', 'expression', 'applet', 'xml', 'blink', 'link', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
    // event handler attributes
    $parm2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
    // SQL keywords added in this version
    $parm3 = Array('alert', 'sleep', 'load_file', 'confirm', 'prompt', 'benchmark', 'select', 'update', 'insert', 'delete', 'create', 'alter', 'drop', 'truncate');
    $parm = array_merge($parm1, $parm2, $parm3);
    for ($i = 0; $i < sizeof($parm); $i++) {
        // build a pattern that also matches the keyword with optional
        // HTML entity noise between its characters
        $pattern = '/';
        for ($j = 0; $j < strlen($parm[$i]); $j++) {
            if ($j > 0) {
                $pattern .= '(';
                $pattern .= '(&#[x|X]0([9][a][b]);?)?';
                $pattern .= '|(&#0([9][10][13]);?)?';
                $pattern .= ')?';
            }
            $pattern .= $parm[$i][$j];
        }
        $pattern .= '/i';
        $string = preg_replace($pattern, '****', $string);
    }
    return $string;
}
```
Compared with the previous version, three things changed. SQL keywords (select, update, insert, sleep, load_file, benchmark, ...) were added to the list. A matched keyword used to be replaced with an empty string; now it is replaced with ****. And the i modifier makes the match case-insensitive.
I could not bypass this filter, so instead I looked for places where data is used directly without passing through it.
__________________________________________________________________
In 74cms the user name cannot contain special characters during normal registration.
But in plus/ajax_user.php:
```php
elseif ($act == 'do_reg') {
    $captcha = get_cache('captcha');
    if ($captcha['verify_userreg'] == "1") {
        $postcaptcha = $_POST['postcaptcha'];
        if ($captcha['captcha_lang'] == "cn" && strcasecmp(QISHI_DBCHARSET, "utf8") != 0) {
            $postcaptcha = iconv("utf-8", QISHI_DBCHARSET, $postcaptcha);
        }
        if (empty($postcaptcha) || empty($_SESSION['imageCaptcha_content']) || strcasecmp($_SESSION['imageCaptcha_content'], $postcaptcha) != 0) {
            exit("err");
        }
    }
    require_once(QISHI_ROOT_PATH . 'include/fun_user.php');
    // only presence is checked; the user name itself is not validated
    $username    = isset($_POST['username']) ? trim($_POST['username']) : exit("err");
    $password    = isset($_POST['password']) ? trim($_POST['password']) : exit("err");
    $member_type = isset($_POST['member_type']) ? intval($_POST['member_type']) : exit("err");
    $email       = isset($_POST['email']) ? trim($_POST['email']) : exit("err");
    if (strcasecmp(QISHI_DBCHARSET, "utf8") != 0) {
        $username = iconv("utf-8", QISHI_DBCHARSET, $username);
        $password = iconv("utf-8", QISHI_DBCHARSET, $password);
    }
    $register = user_register($username, $password, $member_type, $email);
```
The user name is not validated here; whatever is POSTed is passed straight to user_register().
Because the stored value will later be used directly rather than going through the filter function, register the following user name:
We can see that an error is reported. Don't worry about it.
Next, find where the stored data is used directly.
In user/user_pms.php
```php
elseif ($act == "add_save") {
    $setsqlarr['msgtype']    = 2;
    $setsqlarr['msgfrom']    = trim($_SESSION['username']);
    $setsqlarr['msgfromuid'] = intval($_SESSION['uid']);
    $toname                  = trim($_GET['toname']);
    $setsqlarr['message']    = trim($_GET['msg']);
    if (strcasecmp(QISHI_DBCHARSET, "utf8") != 0) {
        $toname               = iconv("utf-8", QISHI_DBCHARSET, $toname);
        $setsqlarr['message'] = iconv("utf-8", QISHI_DBCHARSET, $setsqlarr['message']);
    }
    // look up the recipient by name
    $msgtouser = $db->getone("select * from " . table('members') . " where username='{$toname}' LIMIT 1");
    if (empty($msgtouser)) {
        exit('The recipient does not exist!');
    } elseif ($msgtouser['uid'] == $_SESSION['uid']) {
        exit("You cannot send messages to yourself!");
    } elseif ($_SESSION['utype'] == '1' && $msgtouser['utype'] == '2') {
        $sql  = "select did from " . table('company_down_resume') . " WHERE company_uid='{$_SESSION['uid']}' AND resume_uid='{$msgtouser['uid']}' LIMIT 1";
        $info = $db->getone($sql);
        if (empty($info)) {
            exit("You have not downloaded the resume created by <strong>{$msgtouser['username']}</strong>; you can send a short message to them only after downloading the resume!");
        }
    }
    $setsqlarr['msgtouid']  = $msgtouser['uid'];
    // the user name read back from the database goes straight into the insert
    $setsqlarr['msgtoname'] = $msgtouser['username'];
    $setsqlarr['dateline']  = time();
    $setsqlarr['new']       = 1;
    $setsqlarr['replytime'] = $setsqlarr['dateline'];
    $setsqlarr['replyid']   = $setsqlarr['msgfromuid'];
    inserttable(table('pms'), $setsqlarr);
```
The line that matters:
```php
$setsqlarr['msgtoname'] = $msgtouser['username'];
```
Here the user name read back from the database is placed directly into the insert statement. The filter function runs on request input, not on values coming back from the database, so a user name that was stored unvalidated through ajax_user.php reaches the SQL unescaped whenever someone sends that user a message.
First, register a user with this user name in hex. I used xiaoyu in hex once.
Then send the message to that user.
Then log on to the registered account.
Get the data.
Solution:
Validate the user name in the do_reg branch of plus/ajax_user.php, the same way the normal registration path does. Values read back from the database should also be escaped or bound before they are put into an insert statement, since the input filter never sees them.
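An added example of both fixes (this is not 74cms code; the allowed-character rule, the function names and the pms column layout are assumptions, the latter inferred from the $setsqlarr keys above):

```php
<?php
// Added example, not from 74cms.
// 1) do_reg branch: validate the user name before user_register().
// 2) add_save branch: bind $msgtouser['username'] instead of interpolating it.

// ASSUMED policy: 4-20 characters, letters, digits, underscore or CJK only.
// Quotes, spaces, comment markers and hex escapes are rejected outright.
function validate_username(string $name): bool
{
    return (bool) preg_match('/^[\p{L}\p{N}_]{4,20}$/u', $name);
}

// Hardened counterpart of the do_reg branch (captcha check omitted).
// Keeps the original branch's "err" contract for rejected input.
function do_reg_hardened(array $post): string
{
    $username = isset($post['username']) ? trim($post['username']) : '';
    if (!validate_username($username)) {
        return 'err';
    }
    // user_register($username, ...) would follow here.
    return 'ok';
}

// Hardened counterpart of the pms insert. $msgtouser came from the
// database, so it is treated as untrusted exactly like request input:
// every value is a bound parameter, none is concatenated into the SQL.
// table() is the 74cms helper seen above; $db is assumed to be a PDO handle.
function insert_pms_hardened(PDO $db, array $session, array $msgtouser, string $message): bool
{
    $sql = 'INSERT INTO ' . table('pms')
         . ' (msgtype, msgfrom, msgfromuid, msgtouid, msgtoname, message,'
         . '  dateline, new, replytime, replyid)'
         . ' VALUES (2, :from, :fromuid, :touid, :toname, :msg,'
         . '  :dateline, 1, :replytime, :replyid)';
    $now  = time();
    $stmt = $db->prepare($sql);
    return $stmt->execute([
        ':from'      => $session['username'],
        ':fromuid'   => (int) $session['uid'],
        ':touid'     => (int) $msgtouser['uid'],
        ':toname'    => $msgtouser['username'],   // bound, never interpolated
        ':msg'       => $message,
        ':dateline'  => $now,
        ':replytime' => $now,
        ':replyid'   => (int) $session['uid'],
    ]);
}
```

Each named placeholder is used once so the statement also works with native (non-emulated) PDO prepares.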