FengCms: bypass of the SQL injection filter exposes the administrator username and password
I tested this small CMS as soon as it was released. It is nicely done, but even the most careful design leaves a gap somewhere: injection ......
The front-end search is handled by the search() function in /app/model/moduleModel.php:

```php
public function search($arrays, $field = "", $num = "20") {
    // var_dump($arrays);
    // var_dump($field);
    // die;
    if ($arrays['project']) {
        // table name and search term are concatenated straight into the SQL string
        $sql = 'select * from `' . DB_PREFIX . $arrays['project'] . '` where title like "%' . $arrays['tags'] . '%" or tags like "%' . $arrays['tags'] . '%"';
        // var_dump($sql);
        // die;
        return arraypage(D($this->d_name)->excsql($sql . ' order by id desc'), $num);
    } else {
        $arr = D($this->d_name)->field("project")->where("type = 1 & search = 1")->getall();
        if (count($arr) > 1) $union = "union";
        foreach ($arr as $k => $v) {
            if ($this->attrib($v['project'], 'tags')) {
                $array[] = 'select ' . $this->fieldhandle($field) . 'id, title, html, time from `' . DB_PREFIX . $v['project'] . '` where title like "%' . $arrays['tags'] . '%" or tags like "%' . $arrays['tags'] . '%" and status = 1';
            } else {
                $array[] = 'select ' . $this->fieldhandle($field) . 'id, title, html, time from `' . DB_PREFIX . $v['project'] . '` where title like "%' . $arrays['tags'] . '%" and status = 1';
            }
        }
        // every per-table query is glued together with UNION and executed as one statement
        return arraypage(D($this->d_name)->excsql("select * from (" . implode(" union ", $array) . ") h order by time desc"), $num);
    }
}
```

Both branches end by calling D($this->d_name)->excsql() to run the assembled statement. Tracing that call, excsql() lives in /system/core/model.php:

```php
public function excsql($sql) {
    return $this->db->fetch($this->db->query($sql));
}
```

It hands the string to the database driver's query() method unchanged. That method is in /system/driver/db_mysqli.php:

```php
public function query($sql) {
    // verify that the connection is valid
    if (!$this->is_links()) return throwexce(sprintf('Supplied argument is not a valid MySQLI-Link resource.'));
    $this->query_id = mysqli_query($this->link_id, $sql);
    // ... remainder of the function not shown on the page
}
```

The last line passes the assembled string directly to mysqli_query(). This CMS does apply a global input filter to prevent SQL injection, but the filter is ineffective here, for two reasons. First, the query wraps the search term in double quotes rather than single quotes, so the filter's treatment of single quotes is irrelevant. Second, it would not help even if single quotes were used, because the query is built from the HTML template's parameters, which the global filter does not cover. The result is an injectable query; the specific usage is shown in the vulnerability proof.
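As an added example that is not part of the original advisory or of FengCms, the following PHP shows how the single-table branch of search() can be rewritten so that the search term is bound as a prepared-statement parameter and the table name is checked against a whitelist instead of being concatenated into the SQL. The mysqli connection $db, the DB_PREFIX constant and the project table names in the whitelist are assumptions for illustration.

```php
<?php
// Added example, not FengCms code: a parameterised replacement for the
// single-table branch of search(). Assumes an open mysqli connection $db,
// the application's DB_PREFIX constant, and a whitelist of searchable
// project tables (the names used in the usage sketch are hypothetical).
declare(strict_types=1);

// Escape LIKE wildcards so a user-supplied "%" or "_" matches literally.
// Backslash is MySQL's default LIKE escape character.
function escapeLike(string $value): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

/**
 * Search one project table for $tags in its title (and, if present, tags) column.
 * Table names cannot be bound as parameters, so $project is validated
 * against $allowedProjects before being quoted with backticks; the search
 * term itself is bound, so the driver handles quoting and the global
 * filter is no longer relied on.
 */
function searchProject(
    mysqli $db,
    string $project,
    string $tags,
    bool $hasTagsColumn,
    array $allowedProjects,
    int $limit = 20
): array {
    if (!in_array($project, $allowedProjects, true)) {
        throw new InvalidArgumentException('unknown project table: ' . $project);
    }
    $table   = '`' . DB_PREFIX . $project . '`';
    $pattern = '%' . escapeLike($tags) . '%';

    // The parentheses also fix the OR/AND precedence of the original query,
    // in which a title match ignored the status = 1 condition.
    $sql  = "SELECT id, title, html, time FROM {$table} WHERE ";
    $sql .= $hasTagsColumn ? '(title LIKE ? OR tags LIKE ?)' : 'title LIKE ?';
    $sql .= ' AND status = 1 ORDER BY id DESC LIMIT ?';

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    if ($hasTagsColumn) {
        $stmt->bind_param('ssi', $pattern, $pattern, $limit);
    } else {
        $stmt->bind_param('si', $pattern, $limit);
    }
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage sketch (hypothetical values): the search term comes straight from the
// request and is never concatenated into the SQL text.
// $db   = new mysqli('localhost', 'user', 'pass', 'fengcms');
// $rows = searchProject($db, 'news', $_GET['tags'] ?? '', true, ['news', 'article']);
```

The multi-table branch of the original function would call searchProject() once per whitelisted project table and merge the results in PHP, rather than gluing per-table SELECTs together with UNION. Binding the value makes the quoting style of the query (single or double quotes) and the coverage of the global filter irrelevant, which is exactly the gap the advisory describes.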
The MySQL query log confirms that the injected statement is indeed executed by the server.
By crafting the search term, the administrator password and other information can be exposed.