PhpcmsV9 SQL injection vulnerability and repair

Others say that the most dangerous part is the safest. I say that the safest part is the most dangerous...
I believe you did not think of this most common problem. SQL injection is often found in various tutorials...
Gpc off required

First, let's look at the logon location .. It's most common...

Http: // 127.0.0.1/index. php? M = member & c = index & a = login

 

By default, the user center that comes with V9 is installed.

 

Phpcms \ modules \ member \ index. php

Public function login () {$ this-> _ session_start (); // obtain the user siteid $ siteid = isset ($ _ REQUEST ['siteid']) & trim ($ _ REQUEST ['siteid'])? Intval ($ _ REQUEST ['siteid']): 1; // defines the constant if (! Defined ('siteid') {define ('siteid', $ SITEID);} if (isset ($ _ POST ['dosubmit ']) {if (empty ($ _ SESSION ['d d']) {// identify the verification code $ code = isset ($ _ POST ['code']) & trim ($ _ POST ['code'])? Trim ($ _ POST ['code']): showmessage (L ('input _ Code'), HTTP_REFERER); if ($ _ SESSION ['code']! = Strtolower ($ code) {showmessage (L ('Code _ error'), HTTP_REFERER) ;}$ username = isset ($ _ POST ['username']) & trim ($ _ POST ['username'])? Trim ($ _ POST ['username']): showmessage (L ('username _ empty'), HTTP_REFERER); $ password = isset ($ _ POST ['Password']) & trim ($ _ POST ['Password'])? Trim ($ _ POST ['Password']): showmessage (L ('password _ empty'), HTTP_REFERER ); $ cookietime = intval ($ _ POST ['cookietime']); $ synloginstr = ''; // synchronously log on to the js Code if (pc_base: load_config ('system ', 'phpsso ') {$ this-> _ init_phpsso (); $ status = $ this-> client-> ps_member_login ($ username, $ password ); $ memberinfo = unserialize ($ status );

 

You can see that the user name and password are handed over

$this->client->ps_member_login($username, $password);

Follow up.

Phpcms \ modules \ member \ classes \ client. class. php

$return = $this->_ps_send('login', array('username'=>$username, 'password'=>$password)); private function _ps_send($action, $data = null) {   return $this->_ps_post($this->ps_api_url."/index.php?m=phpsso&c=index&a=".$action, 500000, $this->auth_data($data)); } public function auth_data($data) {  $s = $sep = '';  foreach($data as $k => $v) {   if(is_array($v)) {    $s2 = $sep2 = '';    foreach($v as $k2 => $v2) {      $s2 .= "$sep2{$k}[$k2]=".$this->_ps_stripslashes($v2);     $sep2 = '&';    }    $s .= $sep.$s2;   } else {    $s .= "$sep$k=".$this->_ps_stripslashes($v);   }   $sep = '&';  }   $auth_s = 'v='.$this->ps_vsersion.'&appid='.APPID.'&data='.urlencode($this->sys_auth($s));  return $auth_s; } _ps_stripslashesprivate function _ps_stripslashes($string) {  !defined('MAGIC_QUOTES_GPC') && define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());  if(MAGIC_QUOTES_GPC) {   return stripslashes($string);  } else {   return $string;  } }

 

Restored GPC and passed parameters to API.

Let's look at the API's processing method.

 

Phpsso_server \ phpcms \ modules \ phpsso \ classes \ phpsso. class. php

if(isset($_POST['data'])) {   parse_str(sys_auth($_POST['data'], 'DECODE', $this->applist[$this->appid]['authkey']), $this->data);        if(!is_array($this->data)) {    exit('0');   }  } else {   exit('0');  }

 

The parse_str function filters data based on GPC by default.

 

To

 

Phpsso_server \ phpcms \ modules \ phpsso \ index. php

 

Public function login () {$ this-> password = isset ($ this-> data ['Password'])? $ This-> data ['Password']: ''; $ this-> email = isset ($ this-> data ['email '])? $ This-> data ['email ']: ''; if ($ this-> email) {$ userinfo = $ this-> db-> get_one (array ('email '=> $ this-> email ));} else {$ userinfo = $ this-> db-> get_one (array ('username' => $ this-> username);} phpsso_server \ phpcms \ libs \ classes \ model. class. phpfinal public function get_one ($ where = '', $ data = '*', $ order ='', $ group = '') {if (is_array ($ where )) $ where = $ this-> sqls ($ where); return $ this-> db-> get_one ($ d Ata, $ this-> table_name, $ where, $ order, $ group );} /*** convert the array into an SQL statement * @ param array $ where the array to be generated * @ param string $ font connection string. */Final public function sqls ($ where, $ font = 'and') {if (is_array ($ where) {$ SQL = ''; foreach ($ where as $ key => $ val) {$ SQL. = $ SQL? "$ Font '$ key' =' $ val '": "' $ key' = '$ val'";} return $ SQL;} else {return $ where ;}}

 

We can see that the entire process does not filter strings...

Therefore, SQL Injection exists when GPC is OFF.

The problem may not be clear.

Two:

1. auth_data parameter concatenation

2. the api does not filter data.

 

What can be done? Blind note, arbitrary user login... There is actually a lot to use ..

The test is as follows:

Solution:
Filter