Analysis of SQL Injection Vulnerabilities in jechc CMS (& lt; = 1.7)

Jieqi CMS is a novel-based CMS. Currently, the latest version is 1.7, which has a high usage rate in novels, I spent some time reading his code over the past few days. I think it is quite interesting to share it with you.
 
The core code of the entire system is zend encrypted. After dezend, let's take a look. First, we can see from the select-type injection with the highest probability. However, we can find that all the parameters in the past will be included in \ lib \ database. in php, combine SQL statements and add them to the jieqimysqldatabase class (\ lib \ database \ mysql \ db. php.
 
After careful viewing, we can find that it is not available, because if it is a numeric variable, it is brought to the database. in php, The is_numeric check will be performed. If it is a string type, the \ escape will be performed, and the wide byte injection is attempted, but unfortunately the dp. in php, there is a saying "character_set_client = binary". That is to say, when the php program interacts with mysql, it uses the binary Character Set to query.
 
I noticed that there is no transcoding operation in the program, so the wide-byte injection method is useless.
 
This is a bad signal, because basically all strings in the program will be escaped, and I cannot jump out of the magic quotes.
 
Another black box looked at it, and a part of the background will show the IP address when the user leaves a message. The IP address is inserted in the database, so I thought about whether the IP address can be forged and whether it can be used for injection or xss.
 
After analysis, the obtained IP function is jieqi_userip (/global. php) www.2cto.com, obtained through HTTP_CLIENT_IP, can be forged, but it hurts that after jieqi_userip gets the IP, it will replace the decimal point with null, then judge is_numeric--|, and then I'm happy.
 
Then I looked for xss, 1.7 did not find xss, and 1.6 had several reflective xss.
 
I made persistent efforts and looked at other places, but I didn't have much breakthrough. Finally, I found some problems when I registered the part.
 
The registration processing page is/register. in php and post, parameters in the past include username, password, repassword, email, sex, qq, url, and action. After following up, we found that the process was followed by/regcheck. in php, check whether username is legal, whether username is repeated, whether password is equal to repassword, whether email is legal, and whether email is repeated. In other words, sex, qq, and url are not checked, but qq and url are in the varchar type in the database. cms treats these two parameters as strings, that is to say, if a single quotation mark appears, it will be escaped. As mentioned above, it cannot jump out of the magic quotation mark.
 
Fortunately, the program is a bit dense and naive, believing that sex is displayed in a single queue on the frontend. There are only three possibilities: 0, 1, and 2, so no is_numeric judgment is made, directly into the database, you can use it.
 
To sum up, I think the author has a high security awareness over the past few days and has taken measures against common security problems, I am disappointed to find out what I think of again and again. I also admire the security consciousness of the author. I hope the author can fix it in time when I see this article. In addition, if there are any deficiencies in the above personal analysis, I hope you can add that if you find some other problems in version 1.7 or other better background get webshell methods, please let me know, communicate and make progress together, thx :)

Author http://www.90sec.org/thread-2155-1-1.html