api/sms_idcheck.php contains the mobile phone number verification-code check. The check is flawed: it can be bypassed, and attacker-controlled input then reaches the SQL statement.
The relevant code:

    if ($mobile) {
        // Weak check: the pattern is anchored only at the start of the string
        if (!preg_match('/^1([0-9]{9})/', $mobile)) exit('check phone error');
        $posttime = SYS_TIME - 360;
        // $mobile is interpolated straight into the WHERE clause
        $where = "`mobile` = '$mobile' AND `posttime` > '$posttime'";
        $r = $sms_report_db->get_one($where, 'id_code', 'id DESC');
        if ($r && $r['id_code'] == $mobile_verify) exit('1');

The regular expression /^1([0-9]{9})/ used to filter the mobile number only checks that the first character is 1 and that nine digits follow; it says nothing about what comes after. So a value such as 10000000000******** (where ******** stands for any characters) is accepted as a mobile number and goes straight into $where, which is a real risk. By default the connected database is MySQL and single quotes are escaped, so this is not straightforward to exploit. In specific setups, however, for example a MySQL connection using the gbk character set, the escaping can be bypassed: the backslash (0x5c) inserted before the quote is swallowed as the trailing byte of a two-byte gbk character (0xbf 0x5c), leaving the quote unescaped. Other database backends may carry their own risk.
Proof of concept:

    http://localhost/api.php?op=sms_idcheck&action=id_code&mobile_verify=123456&mobile=13800138

returns "check phone error" (only eight digits, so the check fails).

    http://localhost/api.php?op=sms_idcheck&action=id_code&mobile_verify=123456&mobile=10000000000%bf'

passes the mobile check and carries the trailing %bf' into the database query.
Solution: this is of marginal value (a "chicken rib" in the original); fixing it does no harm. Anchor the regular expression at the end of the string:

    preg_match('/^1[0-9]{9,10}$/', $mobile) // add a $ terminator after the pattern

Note that in PCRE $ also matches before a trailing newline unless the D modifier is used; \z gives a strict end-of-string match.
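To make the two points above concrete (the missing end anchor, and the gbk wide-byte bypass of quote escaping), here is an added Python model; it is not code from the original report or from the affected application. It re-implements the page's weak and fixed regex checks, escapes the mobile value byte-wise the way a single-byte MySQL connection would (an assumption: the page only says quotes are escaped), builds the $where clause from the page, and then counts string-delimiter quotes as a latin1 connection and a gbk connection would each see them. The inputs and the posttime value are constructed for the demo; the fixed pattern uses \Z rather than $ so that a trailing newline is rejected too.

```python
import re

# The page's weak pattern: anchored only at the start, trailing bytes unchecked.
WEAK_MOBILE_RE = re.compile(r"^1[0-9]{9}")
# The page's fix with \Z instead of $: \Z matches only at the true end of the
# string, whereas $ (without PCRE's D modifier) also matches before a final newline.
STRICT_MOBILE_RE = re.compile(r"^1[0-9]{9,10}\Z")


def weak_check(mobile: str) -> bool:
    """Mirrors preg_match('/^1([0-9]{9})/', $mobile) from the page."""
    return WEAK_MOBILE_RE.match(mobile) is not None


def strict_check(mobile: str) -> bool:
    """Mirrors the fixed check with an end anchor."""
    return STRICT_MOBILE_RE.match(mobile) is not None


def mysql_escape(raw: bytes) -> bytes:
    """Byte-wise escaping in the style of addslashes / mysql_real_escape_string
    on a single-byte connection: a 0x5c backslash is put before ' " \\ and NUL.
    (Assumption: the application escapes this way; the page only says that
    single quotes are escaped.)"""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_where(mobile_raw: bytes, posttime: int) -> bytes:
    """Builds the $where clause from the page with the escaped mobile value."""
    return (b"`mobile` = '" + mysql_escape(mobile_raw)
            + b"' AND `posttime` > '" + str(posttime).encode("ascii") + b"'")


def unescaped_quotes(sql: str) -> int:
    """Counts single quotes that act as string delimiters (a backslash escapes
    the character after it). A well-formed clause with two literals has four."""
    n, i = 0, 0
    while i < len(sql):
        if sql[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if sql[i] == "'":
            n += 1
        i += 1
    return n


def string_context_broken(mobile_raw: bytes, charset: str) -> bool:
    """True when the clause, decoded as the server would with the given
    connection charset, has an odd number of delimiter quotes, i.e. the
    attacker's quote has escaped the string literal. posttime is a
    constructed placeholder value."""
    sql = build_where(mobile_raw, 1_000_000).decode(charset, errors="replace")
    return unescaped_quotes(sql) % 2 == 1


# Constructed inputs: the page's two requests, as raw query-string bytes.
SHORT_MOBILE = "13800138"                  # rejected by both checks
WIDE_BYTE_MOBILE = b"10000000000\xbf'"     # mobile=10000000000%bf'

if __name__ == "__main__":
    payload = WIDE_BYTE_MOBILE.decode("latin1")
    print("weak check accepts %bf' payload:", weak_check(payload))
    print("strict check accepts %bf' payload:", strict_check(payload))
    for cs in ("latin1", "gbk"):
        print(cs, "connection, string context broken:",
              string_context_broken(WIDE_BYTE_MOBILE, cs))
```

On a latin1 connection the escaping backslash survives and the clause still has four delimiter quotes; on a gbk connection the bytes 0xbf 0x5c decode to one two-byte character, the quote that follows is bare, and the count becomes odd, which is exactly the wide-byte bypass the report describes. The strict pattern never lets the payload reach the query in the first place.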