CmsTop media edition template: three blind SQL injection vulnerabilities
Not every site has this template installed, but it is commonly used.
The first vulnerable file is /apps/rss/controller/fullsite.php:
    public function get_sectiondata() {
        $sectionid = $_GET['sectionid']; // multiple IDs are separated by commas (,)
        $outtyle   = $_GET['outtyle'];   // output type
        $section_list = $this->_rss->ls_section($sectionid);
        $data = array();
        foreach ($section_list as $section) {
            // JSON payloads start with '{' or '['; anything else is a PHP serialized string
            if ($section['data'] && ($section['data'][0] == '{' || $section['data'][0] == '[')) {
                $data[] = json_decode($section['data'], true);
            } else {
                $data[] = unserialize($section['data']);
            }
        }
        // ... (remainder of the function not shown in the advisory)
    }
The ls_section() function it calls is in /apps/rss/model/fullsite.php:
    function ls_section($sectionid) {
        $sql = "SELECT * FROM `#table_section`";
        // the comma-separated list is concatenated straight into the IN clause
        if ($sectionid) $sql .= " WHERE sectionid IN (" . $sectionid . ")";
        $sql .= " ORDER BY sectionid DESC";
        $data = $this->db->select($sql);
        return $data;
    }
    $sectionid = $_GET['sectionid'];
    ... IN (" . $sectionid . ")";
We can see that the parameter is concatenated without any filtering and without quotation marks. I cannot be certain that there is no filtering elsewhere, because my copy of the source is not completely decrypted, so we use the subtraction method (boolean-based blind injection) to test whether the injection exists.
No. 1
http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata&sectionid=1&outtyle=1
No. 2
http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata&sectionid=2-1&outtyle=1
No. 3
http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata&sectionid=2&outtyle=1
Request 1 (sectionid=1) and request 2 (sectionid=2-1) return the same data, because the database evaluates 2-1 to 1, while request 3 (sectionid=2) returns different data. The arithmetic is therefore evaluated inside the SQL query, so injection exists.
Second, in /apps/rss/controller/fullsite.php:
    public function get_category() {
        $categoryid = $_GET['categoryid']; // multiple IDs are separated by commas (,)
        $outtyle    = $_GET['outtyle'];    // output type
        $category_list = $this->_rss->ls_category($categoryid);
        $this->template->assign('LIST', $category_list);
        // ... (remainder of the function not shown in the advisory)
    }
The ls_category() function it calls is in /apps/rss/model/fullsite.php:
    // Obtain the column (category) data
    function ls_category($categoryid) {
        $sql = "SELECT * FROM `#table_category`";
        // same unfiltered concatenation as ls_section()
        if ($categoryid) $sql .= " WHERE catid IN (" . $categoryid . ")";
        $sql .= " ORDER BY catid DESC";
        $data = $this->db->select($sql);
        return $data;
    }
This is the same pattern as the first one, so it is not demonstrated. The third is a time-based blind injection in apps\editor\controller\slide.php:
    public function pic_html()
    {
        $idtmp = explode(',', $_GET['id']);
        foreach ($idtmp as $k => $v) {
            if (!empty($v)) {
                $id[] = $v;
            }
        }
        $db = factory::db();
        // Obtain the picture-group information for $id[0]
        $data = $db->select("SELECT * FROM #table_picture_group WHERE contentid = $id[0] ORDER BY sort ASC");
        $html .= '
';
        $_count = 0;
        foreach ($data as $value) {
            // ... (remainder of the function not shown in the advisory)
        }
    }
    $idtmp = explode(',', $_GET['id']);
    $data = $db->select("SELECT * FROM #table_picture_group WHERE contentid = $id[0] ORDER BY sort ASC");
The id parameter is only split on commas and then placed straight into the query. sqlmap can be used to test it.
Solution:
Apply intval() to the ID parameters (for comma-separated lists, to every element) before they are used in SQL.
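The proposed fix worked through as an added example (not CmsTop's own code): every ID in the comma-separated list is reduced to an integer with intval() and then bound through a prepared statement, so input such as "2-1" never reaches the SQL parser. The PDO handle, the SQLite table and the function names are assumptions made for this demo.

```php
<?php
// Added example, not CmsTop's code: hardened form of the ls_section()/ls_category()
// pattern from the advisory. The PDO handle, the SQLite table and the function
// names are assumptions for this demo.

// Reduce "1, 2,abc,2-1,0" to [1, 2]: only pure decimal tokens survive intval().
function sanitize_id_list(string $raw): array {
    $ids = [];
    foreach (explode(',', $raw) as $token) {
        $token = trim($token);
        if ($token === '' || !ctype_digit($token)) {
            continue;                     // "2-1", "1 OR 1=1", "" are dropped
        }
        $id = intval($token);
        if ($id > 0) {
            $ids[$id] = $id;              // keyed by value, so duplicates collapse
        }
    }
    return array_values($ids);
}

// "SELECT * FROM <table> WHERE <col> IN (?,?) ORDER BY <col> DESC"; table and
// column names come from the caller's code, never from the request.
function build_in_query(string $table, string $col, int $count): string {
    $sql = "SELECT * FROM $table";
    if ($count > 0) {
        $sql .= " WHERE $col IN (" . implode(',', array_fill(0, $count, '?')) . ')';
    }
    return $sql . " ORDER BY $col DESC";
}

// Safe replacement for ls_section(); ls_category() is the same call with
// ('table_category', 'catid'). Input with no valid ID returns nothing rather
// than the whole table, which is the one deliberate change from the original.
function select_by_ids(PDO $db, string $table, string $col, string $rawIds): array {
    $ids = sanitize_id_list($rawIds);
    if (!$ids) {
        return [];
    }
    $stmt = $db->prepare(build_in_query($table, $col, count($ids)));
    $stmt->execute($ids);                 // values are bound, not concatenated
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo on an in-memory SQLite table with constructed rows.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE table_section (sectionid INTEGER PRIMARY KEY, data TEXT)');
$db->exec("INSERT INTO table_section VALUES (1, '{\"a\":1}'), (2, '{\"b\":2}')");
print_r(select_by_ids($db, 'table_section', 'sectionid', '2'));    // row 2 only
print_r(select_by_ids($db, 'table_section', 'sectionid', '2-1'));  // rejected: empty result
```

With this in place the three requests from the advisory can no longer be told apart by whether the database evaluated an expression, which is the signal blind injection relies on.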