Qibocms multiple systems bypass patches to continue injection 2

Source: Internet
Author: User


The previous patch was bypassed, and now a new patch has been released.
I checked the patch this morning. At first glance I thought it was solid.
Then I thought the patch held up, and I put it down.
In the afternoon I kept looking at the patch, and we can still bypass it.

It still affects multiple systems.

Because it is a common function, there is more than one injection point.

We can use the v7 whole-site system to find another point.

Let's take a look at qibocms's global filter function.

    $_POST = Add_S($_POST);
    $_GET = Add_S($_GET);
    $_COOKIE = Add_S($_COOKIE);

    function Add_S($array) {
        foreach ($array as $key => $value) {
            if (!is_array($value)) {
                @eregi("['\"&]+", $key) && die('error KEY!');
                $value = str_replace("&#x", "& # x", $value);    // filter unsafe characters
                $value = preg_replace("/eval/i", "eva l", $value); // filter insecure functions
                !get_magic_quotes_gpc() && $value = addslashes($value);
                $array[$key] = $value;
            } else {
                $array[$key] = Add_S($array[$key]);
            }
        }
        return $array;
    }



Here, the values in the array are escaped with addslashes.

But addslashes is not applied to the keys (and it should not be applied here, because that is how it was bypassed last time).



We can see that the code used to filter keys has been changed to:

    @eregi("['\"&]+", $key) && die('error KEY!');

Damn, that looked awkward. If the key matches ', " or \, it exits directly.

When I first saw it, I thought it was hopeless and put qibo down. Went to bed.

In the afternoon it got interesting.



We can write a file and test it on our own.

Call the qibo function again.

    <?php
    $_GET = Add_S($_GET['a']);

    function Add_S($array) {
        foreach ($array as $key => $value) {
            if (!is_array($value)) {
                @eregi("['\"&]+", $key) && die('error KEY!');
                $value = str_replace("&#x", "& # x", $value);    // filter unsafe characters
                $value = preg_replace("/eval/i", "eva l", $value); // filter insecure functions
                !get_magic_quotes_gpc() && $value = addslashes($value);
                $array[$key] = $value;
            } else {
                $array[$key] = Add_S($array[$key]);
            }
        }
        return $array;
    }




The single quotation mark in the key is matched and it exits.



But let's try another way. I output $key here.

Look at what happens when submitting web.com/yu.php?a[a'][asd]=a: the key that enters the filter function is asd.



Then it is not matched and not filtered out.

So haven't we bypassed this filter?

Having bypassed it, we just need to find a point.



In member/post.php:

    elseif ($job == 'manage') {
        if (!$atc_power) showerr("You do not have permission");
        if ($rsdb['pages'] < 2) {
            header("location: post.php?job=edit&aid=$aid&mid=$mid&only=$only");
            exit;
        }
        $erp = get_id_table($aid);
        if ($step == 2) {
            asort($orderDB);
            $i = 0;
            foreach ($orderDB AS $key => $value) {
                $i++;
                $db->query("UPDATE {$pre}reply$erp SET orderid=$i WHERE aid='$aid' AND rid='$key'");
            }
            refreshto("$FROMURL", "sorted successfully", 1);
        }
    }





The keys obtained by foreach are put straight into the query without filtering.


Directly submit the key to be matched, using the bypass from just now.


In this way, the key that gets checked is asd, but the key containing the single quote is the one that ends up in the query.

This causes injection.

Solution:

I really don't know how to filter this..

Let's take a look.
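The author leaves the fix open. As an added example (not qibocms code), here is one way to close both gaps: check every key before recursing, and cast the rid key to an integer in post.php. The function names, the exception type and the sample inputs are my own assumptions.

```php
<?php
// Added example, not qibocms code: a hardened variant of Add_S().
// The original only inspects $key in the non-array branch, so the parent
// key of a nested array (the a'] part of a[a'][asd]=a) is never checked.
// This version checks every key at every level before deciding whether to
// recurse, uses preg_match() instead of eregi() (removed in PHP 7), and
// throws instead of die() so the caller can log the rejected key.
function Add_S_hardened(array $array): array
{
    $out = [];
    foreach ($array as $key => $value) {
        // Same character class as the original (' " &) plus backslash.
        if (preg_match('/[\'"&\\\\]/', (string) $key)) {
            throw new InvalidArgumentException("error KEY! " . $key);
        }
        if (is_array($value)) {
            $out[$key] = Add_S_hardened($value);
        } else {
            $value = str_replace('&#x', '& # x', (string) $value);
            $value = preg_replace('/eval/i', 'eva l', $value);
            $out[$key] = addslashes($value);
        }
    }
    return $out;
}

// Second layer for member/post.php: rid is numeric, so cast the key instead
// of interpolating it. Returns the statements rather than running them.
function build_order_queries(array $orderDB, string $pre, string $erp, int $aid): array
{
    asort($orderDB);
    $i = 0;
    $queries = [];
    foreach ($orderDB as $key => $value) {
        $i++;
        $rid = (int) $key; // a key like "3' OR 1=1" collapses to 3
        $queries[] = "UPDATE {$pre}reply{$erp} SET orderid=$i WHERE aid=$aid AND rid=$rid";
    }
    return $queries;
}

// Constructed input mirroring the write-up's request a[a'][asd]=a.
try {
    Add_S_hardened(['a' => ["a'" => ['asd' => 'a']]]);
    echo "accepted\n";
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n"; // error KEY! a'
}
print_r(build_order_queries(["3' OR 1=1" => 2, 7 => 1], 'qb_', '', 5));
```

Checking the key before the is_array() branch is what stops the nested-key trick; the integer cast in post.php removes the injection point even if a bad key slips past the global filter.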
