This article walks through a detailed, illustrated test of the latest PHPCMS 2008 vulnerabilities, for anyone who needs it as a reference.
PHPCMS 2008 is a website content management system built on a PHP+MySQL architecture, and an open-source PHP development platform. PHPCMS is developed in a modular fashion, with easy-to-use features that can be extended readily, and offers a heavyweight site-building solution for medium and large sites. Over the past 3 years, the PHPCMS team's long accumulation of web development and database experience, together with its drive to innovate and pursue a perfect design concept, has earned PHPCMS recognition from nearly 100,000 sites, and it is increasingly used on large and medium-sized commercial sites.
0x02 Foreword
This is the second time I have looked at the PHPCMS 2008 code. I had found some problems before but did not publish them; this time I looked a little more closely and found a few more.
This time I am publishing two of them; the getshell one I will hold back for now. Compared with V9, the security of 2008 is really poor, and its modularity and code rigour are not as strong as V9's either.
I did not read through the whole code base this time, only a few pages. First I will put out the two problem spots; if there is a better way, let's discuss it together.
0x03 Path disclosure
In include/common.inc.php, the global configuration file that PHPCMS loads:
$dbclass = 'db_'.DB_DATABASE;
require $dbclass.'.class.php';
$db = new $dbclass;
$db->connect(DB_HOST, DB_USER, DB_PW, DB_NAME, DB_PCONNECT, DB_CHARSET);
require 'session_'.SESSION_STORAGE.'.class.php';
$session = new session();
session_set_cookie_params(0, COOKIE_PATH, COOKIE_DOMAIN);
if($_REQUEST)
{
    if(MAGIC_QUOTES_GPC)
    {
        $_REQUEST = new_stripslashes($_REQUEST);
        if($_COOKIE) $_COOKIE = new_stripslashes($_COOKIE);
        extract($db->escape($_REQUEST), EXTR_SKIP);
    }
    else
    {
        $_POST = $db->escape($_POST);
        $_GET = $db->escape($_GET);
        $_COOKIE = $db->escape($_COOKIE);
        @extract($_POST, EXTR_SKIP);
        @extract($_GET, EXTR_SKIP);
        @extract($_COOKIE, EXTR_SKIP);
    }
    if(!defined('IN_ADMIN')) $_REQUEST = filter_xss($_REQUEST, ALLOWED_HTMLTAGS);
    if($_COOKIE) $db->escape($_COOKIE);
}
echo QUERY_STRING;   // debug output added while tracing
if(QUERY_STRING && strpos(QUERY_STRING, '=') === false && preg_match("/^(.*).(htm|html|shtm|shtml)$/", QUERY_STRING, $urlvar))
{
    //var_dump($urlvar[1]);
    echo 'Test';     // debug output added while tracing
    parse_str(str_replace(array('/', '-'), array('&', '='), $urlvar[1]));
}
Here the database class is instantiated first, producing the $db handle that is then used to operate on the database.
Next, the parameters we passed in are turned into variables.
There is some light filtering, as you can see, and then the passed-in parameters are extracted into the global scope as variables.
But what about the lines that follow?
if(QUERY_STRING && strpos(QUERY_STRING, '=') === false && preg_match("/^(.*).(htm|html|shtm|shtml)$/", QUERY_STRING, $urlvar))
{
    //var_dump($urlvar[1]);
    echo 'Test';     // debug output added while tracing
    parse_str(str_replace(array('/', '-'), array('&', '='), $urlvar[1]));
}
Look at this spot.
The QUERY_STRING constant here comes from earlier in the same file:
define('HTTP_REFERER', isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '');
define('SCRIPT_NAME', isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : preg_replace("/(.*).php(.*)/i", "\\1.php", $_SERVER['PHP_SELF']));
define('QUERY_STRING', safe_replace($_SERVER['QUERY_STRING']));
There is a filter (safe_replace), but it does not get in the way.
So what if we overwrite the $db variable here?
Because of parse_str(str_replace(array('/', '-'), array('&', '='), $urlvar[1]));
whatever we submit in the pseudo-static URL is written straight into the global scope as variables, and parse_str() does not skip names that already exist the way extract(..., EXTR_SKIP) does.
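The pseudo-static routing above, as an added example that is not PHPCMS's own code: the original one-argument parse_str() is emulated on a $scope array so it runs on current PHP, and a hardened variant keeps parsed names out of the global symbol table. The request is the one used in this write-up, db-5/gid-xd.html.

```php
<?php
// Added example, not PHPCMS code: the pseudo-static router from
// include/common.inc.php, emulated on a $scope array, beside a safe variant.

// Original shape: parse_str() with one argument dumps every parsed name into
// the caller's scope, so a segment named "db" replaces the database object.
function route_into_scope(string $query_string, array &$scope): void
{
    if ($query_string !== '' && strpos($query_string, '=') === false
        && preg_match('/^(.*)\.(htm|html|shtm|shtml)$/', $query_string, $urlvar)) {
        parse_str(str_replace(['/', '-'], ['&', '='], $urlvar[1]), $vars);
        foreach ($vars as $name => $value) {
            $scope[$name] = $value;          // what one-argument parse_str() did
        }
    }
}

// Hardened shape: parse into a local array, drop reserved names and anything
// that is not a plain identifier, and hand back only what survives.
function route_safely(string $query_string, array $reserved): array
{
    $out = [];
    if ($query_string === '' || strpos($query_string, '=') !== false
        || !preg_match('/^(.*)\.(htm|html|shtm|shtml)$/', $query_string, $urlvar)) {
        return $out;
    }
    parse_str(str_replace(['/', '-'], ['&', '='], $urlvar[1]), $vars);
    foreach ($vars as $name => $value) {
        if (!in_array($name, $reserved, true) && preg_match('/^[a-z][a-z0-9_]*$/i', $name)) {
            $out[$name] = $value;
        }
    }
    return $out;
}

// The write-up's request: index.php?db-5/gid-xd.html
$query = 'db-5/gid-xd.html';

$scope = ['db' => new stdClass()];          // stands in for the db class object
route_into_scope($query, $scope);
// $scope['db'] is now the string '5'; the next $db->query() call fatals,
// and with display_errors on the error message carries the file path.
var_dump($scope['db']);

// The reserved list names the globals common.inc.php has already set up.
$vars = route_safely($query, ['db', 'dbclass', 'session']);
var_dump($vars);                            // 'db' is dropped, only 'gid' survives
```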
So if we submit http://localhost/phpcms/index.php?db-5/gid-xd.html, the page errors out because $db has been overwritten, and the physical path is disclosed in the error.
0x04 SQL injection
In c.php:
$db->query("UPDATE ".DB_PRE."ads SET `clicks`=clicks+1 WHERE adsid=".$ads['adsid']);
$info['username'] = $_username;
$info['clicktime'] = time();
$info['ip'] = IP;
$info['adsid'] = $id;
$info['referer'] = HTTP_REFERER;
$year = date('ym', time());
$table = DB_PRE.'ads_'.$year;
$table_status = $db->table_status($table);
//echo 'test';
if(!$table_status)
{
    include MOD_ROOT.'include/create.table.php';
}
$db->insert($table, $info);
Notice the HTTP_REFERER constant here.
This constant is defined by the earlier common.inc.php:
define('HTTP_REFERER', isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '');
No filtering at all, so now you understand. I guess a lot of people have found this but did not announce it, so I am xxoo-ing it for you, haha... don't scold me.
And then:
$db->insert($table, $info);
Let's take a look at what it does:
function insert($tablename, $array)
{
    $this->check_fields($tablename, $array);
    return $this->query("INSERT INTO `$tablename` (`".implode("`,`", array_keys($array))."`) VALUES ('".implode("','", $array)."')");
    // debug line left in while tracing; never reached because of the return above
    echo "INSERT INTO `$tablename` (`".implode("`,`", array_keys($array))."`) VALUES ('".implode("','", $array)."')";
}
So now you know.
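The string-built INSERT from insert() next to a parameterised replacement, as an added example that is not PHPCMS's own code. The table name (the DB_PRE prefix and the month suffix), the column allow-list and the click record are constructed for the demo; the referer value is one a browser could legitimately send.

```php
<?php
// Added example, not PHPCMS code: the string-built INSERT that insert() in the
// db class produces, beside a prepared-statement version with a column allow-list.

// Original shape: keys and values are joined straight into the SQL text, so a
// Referer header containing a quote leaves the literal it was put into.
function build_insert_unsafe(string $tablename, array $row): string
{
    return "INSERT INTO `$tablename` (`" . implode('`,`', array_keys($row))
         . "`) VALUES ('" . implode("','", $row) . "')";
}

// Hardened shape: columns must come from a fixed list, values are bound.
function build_insert_bound(string $tablename, array $row, array $allowed): array
{
    $cols = array_values(array_intersect(array_keys($row), $allowed));
    if (count($cols) !== count($row)) {
        throw new InvalidArgumentException('row contains a column outside the allow-list');
    }
    $sql = sprintf('INSERT INTO `%s` (`%s`) VALUES (%s)',
        str_replace('`', '', $tablename),
        implode('`,`', $cols),
        implode(',', array_fill(0, count($cols), '?')));
    $params = array_map(fn ($c) => $row[$c], $cols);
    return [$sql, $params];
}

function insert_row(mysqli $conn, string $tablename, array $row, array $allowed): bool
{
    [$sql, $params] = build_insert_bound($tablename, $row, $allowed);
    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    return $stmt->execute();
}

// Constructed click record in the shape c.php builds (table name is constructed too).
$row = [
    'username'  => 'guest',
    'clicktime' => 1400000000,
    'ip'        => '203.0.113.5',
    'adsid'     => '3',
    'referer'   => "http://example.test/search?q=o'reilly",
];
echo build_insert_unsafe('phpcms_ads_1405', $row), "\n";   // the ' in o'reilly ends the quoted literal early
[$sql, $params] = build_insert_bound('phpcms_ads_1405', $row,
    ['username', 'clicktime', 'ip', 'adsid', 'referer']);
echo $sql, "\n";   // every value is a ? placeholder; $params carries the referer untouched
```

Escaping HTTP_REFERER with $db->escape() where the constant is defined would close this particular hole, but binding the values keeps insert() safe for every caller rather than just c.php.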