Yi Si espcms backend functions bypass [Background SQL injection can be used directly]

Background function bypass. SQL injection and bypass vulnerability exist in the background for SQL injection.
In the local test, the default adminsoft directory is used as the background directory, and the class constructor is used to verify that the user's background access permissions are all templates important. The constructor of this class is as follows: function important () {$ this-> softbase (true);} the class is an inheritance class, followed up with the parent class, and the file/public/class_connector.php contains row 14th

function softbase($admin_purview = false) {header("Content-Type: text/html; charset=utf-8");$this->dbmysql();$this->commandinc();$this->systemfile();$this->cachedb();if ($admin_purview) {$this->admin_purview();$this->sitelng = $this->getlng();$action = $this->fun->accept('action', 'R');if (in_array($action, $this->esp_powerlist) && !in_array('all', $this->esp_powerlist)) {exit('Permissions errors');}}…………………………

 

Determine the management permission mainly for the code $ this-> admin_purview ();, follow up on the file line 330th as follows:

function admin_purview() {if ($this->fun->accept('archive', 'R') == 'filemanage' && $this->fun->accept('action', 'R') == 'batupfilesave') {$ecisp_admininfo = $this->fun->accept('ecisp_admininfo', 'G');$esp_powerlist = $this->fun->accept('esp_powerlist', 'G');$gettype = false;} else {$ecisp_admininfo = $this->fun->accept('ecisp_admininfo', 'C');$esp_powerlist = $this->fun->accept('esp_powerlist', 'C');$gettype = true;}$arr_purview = explode('|', $this->fun->eccode($ecisp_admininfo, 'DECODE', db_pscode));$this->esp_powerlist = explode('|', $this->fun->eccode($esp_powerlist, 'DECODE', db_pscode));list($this->esp_adminuserid, $this->esp_username, $this->esp_password, $this->esp_useragent, $this->esp_powerid, $this->esp_inputclassid, $this->esp_softurl) = $arr_purview;if ($gettype) {if (empty($this->esp_username) || empty($this->esp_adminuserid) || md5(admin_AGENT) != $this->esp_useragent || md5(admin_ClassURL) != $this->esp_softurl) {$condition = 0;} else {$condition = 1;}} else {if (empty($this->esp_username) || empty($this->esp_adminuserid) || md5(admin_ClassURL) != $this->esp_softurl) {$condition = 0;} else {$condition = 1;}}if ($condition == 0) {if ($this->fun->accept('archive', 'R') != 'adminuser' && $this->fun->accept('action', 'R') != 'login') {header('location: index.php?archive=adminuser&action=login');exit();}} else {if ($condition == 1 && $this->fun->accept('point', 'R') == '' && $this->fun->accept('archive', 'R') == '' && $this->fun->accept('action', 'R') == '') {header('location: index.php?archive=management&action=tab&loadfun=mangercenter&out=tabcenter');exit();}}}

 

Get the ecisp_admininfo field in the cookie and decrypt the value, that is, to ensure that the Code if (empty ($ this-> esp_username) | empty ($ this-> esp_adminuserid) | md5 (admin_AGENT )! = $ This-> esp_useragent | md5 (admin_ClassURL )! = $ This-> esp_softurl) is not true, you can bypass logical verification and access background functions. Admin_AGENT and admin_ClassURL are pre-defined data. define ('admin _ agent', $ _ SERVER ['HTTP _ USER_AGENT ']); define ('admin _ ClassURL', 'HTTP: //'. $ _ SERVER ['HTTP _ host']. substr ($ _ SERVER ['php _ SELF '], 0, strrpos ($ _ SERVER ['php _ SELF'], '/'); therefore, the corresponding cookie field ecisp_admininfo can be forged. Here I use Firefox browser, before encryption: 1 | 2 | 3 | encrypted | 5 | 6 | fae169abd4e73eb55567e2a202526274 built-in encryption function to encrypt: after adding this cookie field, the attacker can bypass the restriction and access any function. The following shows how to exploit this vulnerability to exploit the background file adminsoft/control/acmessagemain. php SQL Injection file/adminsoft/control/acmessagemain. php lines 52nd to 63

$limitkey = $this->fun->accept('limitkey', 'R');$limitkey = empty($limitkey) ? 'dmid' : $limitkey;$limitclass = $this->fun->accept('limitclass', 'R');$limitclass = empty($limitclass) ? 'DESC' : $limitclass;$db_table = db_prefix . 'document_message';if (!empty($countnum)) {$countnum = $this->db_numrows($db_table, $db_where);exit($countnum);}$sql = 'SELECT * FROM ' . $db_table . $db_where . ' ORDER BY ' . $limitkey . ' ' . $limitclass . ' LIMIT ' . $MinPageid . ',' . $MaxPerPage;$rs = $this->db->query($sql);

 

$ Limitkey directly uses $ this-> fun-> accept ('limitkey', 'R'); to obtain the information that is not processed. this function performs gpc and htmlspecial filtering by default, because the process described above is not enclosed in quotation marks, you can ignore it directly. After adding the cookie field directly without logging in, print the SQL statement, Solution:

Fix and judge before fix SQL Injection