TaoCms SQL injection and Restoration

Source: Internet
Author: User


Version: taoCMS 2.5 Beta5

In include/common.php (around line 30) magic quotes are stripped from all request data at startup:

```php
if (!function_exists('get_magic_quotes_gpc') || get_magic_quotes_gpc()) {
    $_GET    = Base::magic2word($_GET);
    $_POST   = Base::magic2word($_POST);
    $_COOKIE = Base::magic2word($_COOKIE);
}
```

magic2word is defined in include/Model/Base.php (around line 230):

```php
static function magic2word($text) {
    if (is_array($text)) {
        foreach ($text as $k => $v) {
            $text[$k] = self::magic2word($v);
        }
    } else {
        $text = stripslashes($text);
    }
    return $text;
}
```

So the magic quotes are removed right at the beginning. Later in the same file comes the escaping routine, safeword, and its helper _addslashs:

```php
static function safeword($text, $level = 8) {
    if (is_array($text)) {
        foreach ($text as $key => $value) {
            $safeword[$key] = self::safeword($value);
        }
    } else {
        switch ($level) {
            case 0:
                if (get_magic_quotes_gpc()) { // check whether magic_quotes_gpc is enabled
                    $safeword = stripcslashes($text);
                } else {
                    $safeword = $text;
                }
                break;
            case 1:
                $safeword = intval($text);
                break;
            case 3:
                $safeword = strip_tags($text);
                break;
            case 5:
                $safeword = nl2br(htmlspecialchars($text));
                break;
            case 6:
                $safeword = str_replace("'", "", addslashes($text));
                $safeword = str_replace("select", "", $safeword);
                $safeword = str_replace("union", "", $safeword);
                $safeword = str_replace("=", "", $safeword);
                break;
            default:
                if (ucfirst(DB) == 'sqlite') {
                    $safeword = str_replace("'", "''", $text);
                } else {
                    $safeword = Base::_addslashs($text);
                }
                break;
        }
    }
    return $safeword;
}

static function _addslashs($text) {
    if (!get_magic_quotes_gpc()) { // check whether magic_quotes_gpc is enabled; if not, escape with addslashes
        $text = addslashes($text);
    }
    return $text;
}
```

Wonderful logic: the magic quotes are already removed at the start, so why does _addslashs still check whether magic_quotes_gpc is on? Just drop that check and always call addslashes. As written, when magic_quotes_gpc is enabled and the database is MySQL, safeword at the default level performs no escaping at all, so any parameter that only passes through safeword can be injected. For example, in the comment (message) form, the name field:

    a','b',(select @version),'c','123'),('26'

The content field can be injected in the same way.

Another injection. In include/Model/Base.php (around line 34):

```php
static function realip() {
    if (getenv('HTTP_CLIENT_IP')) {
        $ip = getenv('HTTP_CLIENT_IP');
    } elseif (getenv('HTTP_X_FORWARDED_FOR')) {
        $ip = getenv('HTTP_X_FORWARDED_FOR');
    } elseif (getenv('REMOTE_ADDR')) {
        $ip = getenv('REMOTE_ADDR');
    } else {
        $ip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
    }
    return $ip;
}
```

realip is called in two places. One caller (the mobile/wap comment handler, around line 25) looks like this:

```php
if ($mobile) {
    if ($name == '' || $comment == '') die('Please input your name and comment correctly! <a href="?id=' . $article_id . '">Back</a>');
    $tmp['article_id'] = $article_id;
    $tmp['name']       = Base::safeword($name, 4);
    $tmp['email']      = 'OK@OK.com';
    $tmp['content']    = Base::safeword($comment, 5);
    $tmp['ips']        = Base::realip();
    $tmp['times']      = Base::getnowtime();
    $data['status']    = 1;
    $addstatus = $dbit->add_one(TB . "comment", $tmp);
    $dbit->updatelist(TB . "cms", "cmtcount = cmtcount + 1", $tmp['article_id']);
    die('^_^ Submit Succefully! <a href="?id=' . $article_id . '">go on!</a>');
}
```

The last value, $tmp['ips'], goes into the SQL statement without any filtering. $tmp['ips'] can also carry XSS into the admin backend:

    POST /taocms/wap/?id=26 HTTP/1.1
    Host: 192.168.100.100
    Client-ip: <script>alert(1)</script>
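Hardened versions of the pieces discussed above, as an added example rather than TaoCMS code: request data is normalised exactly once, the client-IP header is validated (and only honoured behind a proxy you operate) before it reaches the database, and the comment insert is a PDO prepared statement instead of the string-built query behind add_one(). The function names, the trusted-proxy list and the comment table layout are assumptions.

```php
<?php
// Hardened replacements for the two defects above (added example, not TaoCMS code).
// Assumed names: normalize_request(), real_ip(), add_comment(), table "comment".

// (1) Normalise request data exactly once. After this every later layer sees raw
//     input, so the escaping layer must never consult get_magic_quotes_gpc() again.
function normalize_request(array $data): array {
    $strip = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    array_walk_recursive($data, function (&$v) use ($strip) {
        if ($strip && is_string($v)) {
            $v = stripslashes($v);
        }
    });
    return $data;
}

// (2) Accept a header-supplied IP only if it parses as an IP address; otherwise use
//     the TCP peer address, which the client cannot forge. The proxy headers are
//     honoured only when the peer is a proxy you operate (trusted list is assumed).
function real_ip(array $server, array $trustedProxies = []): string {
    $peer = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (in_array($peer, $trustedProxies, true)) {
        foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR'] as $h) {
            if (empty($server[$h])) {
                continue;
            }
            // X-Forwarded-For may be a comma-separated chain; the first entry is the client.
            $candidate = trim(explode(',', $server[$h])[0]);
            if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
                return $candidate;
            }
        }
    }
    return $peer;
}

// (3) Bind every value, so neither the name, the content nor the IP can alter the
//     SQL whatever safeword() does. Values must still be HTML-escaped when displayed
//     in the admin backend to close the stored XSS.
function add_comment(PDO $db, int $articleId, string $name, string $content, array $server): bool {
    $stmt = $db->prepare(
        'INSERT INTO comment (article_id, name, content, ips, times) VALUES (?, ?, ?, ?, ?)'
    );
    return $stmt->execute([$articleId, $name, $content, real_ip($server), time()]);
}
```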
A bunch of backend vulnerabilities. Directory traversal:

    admin/admin.php?action=file&ctrl=lists&path=../

Arbitrary file download:

    admin/admin.php?action=file&ctrl=download&path=..././test.txt

Getting a shell from the backend is simply a matter of editing a file directly.

Now about adding users: a user with an existing name can be added, for example a second "admin". At login only one row is retrieved, so the other user with that name simply cannot log in... what logic!!!

```php
public function checkUser() {
    $this->db = new Dbclass(SYS_ROOT . DB_NAME);
    $user = $this->db->get_one(TB . "admin", "name='" . Base::safeword($_POST['name'], 6) . "'");
    if (strlen($user['passwd']) == 30) {
        $autoOk = substr(md5($_POST['pwd']), /* arguments lost in extraction */) == $user['passwd'];
    } else {
        $autoOk = $_POST['pwd'] == $user['passwd'];
    }
    // ...
```

Couldn't a maximum length be set on the user name when adding a user? I used admin (followed by more than 30 spaces) hello and MySQL truncated it... If users could register from the front-end this would be really painful. Really uncomfortable.

The most interesting one, _autoload, was first found by kobin97.

Solution: Medicine! Chek! One set of pancake fruit! One egg for one dollar! I like to put more crispy noodles! Chopped green onion with chili sauce! Iron shovel, small wood brush! Medicine! Chek! Some sweet sauce! It's like a fairy! Irebadi! Black enough! Come with me! Verb CI verb! I said pancake, you said yes! "Pancake", and "shard"! Golden fragrance is delicious!
