Actually I found this a few days ago, but I'm releasing it today because of the person who matters most to me ..
There is no need to say more; let's go straight to the code.
\phpcms\modules\video.php (line 78):

```php
/**
 * Video adding method
 */
public function add() {
    if ($_POST['dosubmit']) {
        // first, the submitted data
        $data['vid'] = $_POST['vid']; // obviously, vid is not filtered at all
        if (!$data['vid']) showmessage(L('failed_you_video_uploading'), 'index.php?m=video&c=video&a=add');
        $data['title'] = isset($_POST['title']) && trim($_POST['title']) ? trim($_POST['title']) : showmessage(L('video_title_not_empty'), 'index.php?m=video&c=video&a=add&meunid='.$_GET['meunid']);
        $data['description'] = trim($_POST['description']);
        $data['keyword'] = trim(strip_tags($_POST['keyword']));
        // post the data to VMS and take the returned value
        $get_data = $this->ku6api->vms_add($data);
        if (!$get_data) {
            showmessage($this->ku6api->error_msg);
        }
        $data['vid'] = $get_data['vid'];
        $data['addtime'] = SYS_TIME;
        $data['userupload'] = intval($_POST['userupload']);
        // this is the key part ..
        $videoid = $this->v->add($data); // into the database ..
        if ($videoid) {
            showmessage(L('operation_success'), 'index.php?m=video&c=video&a=init&meunid='.$_GET['meunid']);
        } else {
            showmessage(L('operation_failure'), 'index.php?m=video&c=video&a=add&meunid='.$_GET['meunid']);
        }
    } else {
        if (!$this->ku6api->testapi()) {
            showmessage(L('vms_sn_skey_error'), '?m=video&c=video&a=setting&menuid='.$_GET['menuid']);
        }
        $flash_info = $this->ku6api->flashuploadparam();
        $show_validator = true;
        include $this->admin_tpl('video_add');
    }
}
```
Next, let's follow the data into the database, i.e. the model's `add()` method:

```php
public function add($data = array()) {
    if (is_array($data) && !empty($data)) {
        $data['status'] = 1;
        $data['userid'] = defined('IN_ADMIN') ? 0 : param::get_cookie('_userid'); // want to play with cookie injection too?
        // $data['vid'] is not touched here either, but it is still sitting in the array ..
        $vid = $this->db->insert($data, true); // inserted, dear !!
        return $vid ? $vid : false;
    } else {
        return false;
    }
}
```
There are, however, two preconditions for exploiting this:
- user registration must be enabled
- video upload must be enabled
Exploitation: vid is submitted by the HTML form, so we only need to change the vid value in the form to an SQL injection payload .. One thing to check before trying it: in the controller above, `$data['vid']` is reassigned from what `vms_add()` returns just before the insert, so the submitted value only reaches `$this->db->insert()` if the VMS response hands the vid back unchanged.
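To make the data flow concrete, here is an added example (my own code, not from the post and not PHPCMS's code) that models the controller/model pair above in Python against an in-memory SQLite database: `vid` is copied from the request without filtering, trimmed along with the other fields into one array, and handed to an insert helper. The insert helper is an assumed model, since the real `$this->db->insert()` is not shown on the page; the schema, the admin table and the `PAYLOAD_VID` string are constructed for the demo. The naive helper quotes values by concatenation, the hardened one binds them as parameters, and `submit()` returns what actually landed in the table so the two can be compared.

```python
import sqlite3

# Constructed schema for the demo (not PHPCMS's real tables): the video table
# mirrors the keys the controller puts into $data, plus a table holding a
# secret an attacker would like to read.
SCHEMA = """
CREATE TABLE video (vid TEXT, title TEXT, description TEXT, keyword TEXT,
                    addtime INTEGER, userupload INTEGER, status INTEGER, userid INTEGER);
CREATE TABLE admin (username TEXT, password TEXT);
INSERT INTO admin VALUES ('admin', 'hash-of-admin-password');
"""

# Constructed payload: closes the vid string, supplies the remaining seven
# values itself (a subquery lands in the title column) and comments out the
# values the controller appends. Column order matches the data dict below.
PAYLOAD_VID = "x', (SELECT password FROM admin), 'd', 'k', 0, 0, 1, 0) -- "


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def naive_insert_sql(table, data):
    """Assumed model of an insert helper that quotes values by string
    concatenation. PHPCMS's own $this->db->insert() is not on the page."""
    cols = ", ".join(data)
    vals = ", ".join("'%s'" % v for v in data.values())
    return "INSERT INTO %s (%s) VALUES (%s)" % (table, cols, vals)


def naive_insert(conn, table, data):
    conn.execute(naive_insert_sql(table, data))


def safe_insert(conn, table, data):
    """Hardened helper: column names come from the code, values travel as
    bound parameters, so a vid can never change the statement's shape."""
    cols = ", ".join(data)
    marks = ", ".join("?" for _ in data)
    conn.execute("INSERT INTO %s (%s) VALUES (%s)" % (table, cols, marks),
                 tuple(data.values()))


def video_add(conn, post, insert_fn):
    """Mirrors the controller/model pair: vid is copied from the request
    unfiltered, the other fields are trimmed, then the whole array goes
    to the insert helper."""
    data = {
        "vid": post["vid"],                             # unfiltered, as on the page
        "title": post["title"].strip(),
        "description": post.get("description", "").strip(),
        "keyword": post.get("keyword", "").strip(),
        "addtime": 1700000000,                          # stands in for SYS_TIME
        "userupload": int(post.get("userupload", 0)),   # intval() in the original
        "status": 1,
        "userid": 0,                                    # IN_ADMIN branch of the model
    }
    insert_fn(conn, "video", data)
    conn.commit()


def submit(insert_fn, vid):
    """Run one submission through the given insert helper and return what
    actually landed in the video table as (vid, title)."""
    conn = fresh_db()
    video_add(conn, {"vid": vid, "title": "my title", "userupload": "1"}, insert_fn)
    row = conn.execute("SELECT vid, title FROM video").fetchone()
    conn.close()
    return row


if __name__ == "__main__":
    print("vulnerable:", submit(naive_insert, PAYLOAD_VID))  # title holds the admin hash
    print("hardened:  ", submit(safe_insert, PAYLOAD_VID))   # payload stored inertly as vid
```

With the naive helper the title column ends up holding the admin password hash pulled in by the subquery; with bound parameters the same payload is stored verbatim as an odd-looking vid and nothing else changes. The same shape applies to MySQL behind PHPCMS: the fix is to keep values out of the statement text (prepared statements, or at minimum casting or escaping every field the way `intval()` already does for `userupload`), not to trust that an upstream API will sanitise `vid` on the way back.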