Zhcms v1.0 SQL injection + Arbitrary Code Execution
I. Back-end login bypass caused by SQL injection
Look at the login method in UserAction.class.php:

    public function login() {
        if (!empty($_POST['code'])) {
            if (!empty($_POST['user']) && !empty($_POST['passwd'])) {
                $rs = $this->user->login($_POST['user'], $_POST['passwd']);
                if ($rs == 1) {
                    $this->redirect("admin.php", "index", "index");
                } else {
                    val::mess("The user name or password is incorrect. Please try again");
                    $this->display("admin/login.html");
                }
            } else {
                val::mess("Username or password cannot be blank");
            }
        } else {
            val::mess("Verification code cannot be blank");
        }
    }
The only check on the POSTed user and passwd is that they are non-empty; they are then passed straight to the login method of the model:

    public function login($user, $passwd) {
        if (strtoupper($_POST['code']) == $_SESSION['code']) {
            $passwd = substr(md5($passwd), 5, 20);
            $result = $this->one($find = array("id"), $where = "WHERE user = '{$user}' AND passwd = '{$passwd}'");
            if (!empty($result)) {
                $_SESSION['is_login'] = true;
                $_SESSION['uid'] = $result['id'];
                $_SESSION['uname'] = $user;
                return 1;
            } else {
                return 0;
            }
        } else {
            val::mess("Incorrect verification code");
        }
    }
After the verification code is checked, the password is MD5-hashed and truncated, but the user value is interpolated directly into the query string, so the user field can be crafted:
user=admin' or '1'='1 bypasses the login.
II. Unconditional code execution on the front end

    require_once("config.php");
    if (!is_file(dirname(__FILE__) . "/install/install_lock.txt")) {
        header('Location: install/index.php');
        exit();
    }
    eval('$action=new ' . ucfirst(isset($_GET['m']) ? $_GET['m'] : "index") . "Action();");
    $action->run();

There is an eval() that takes the m parameter from GET, appends Action() to it and instantiates the resulting class name with new; since m is never validated, the string handed to eval is attacker-controlled.
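As an added example (not Zhcms code), the two patterns above in hardened form: the login lookup as a prepared statement, and the controller dispatch through a whitelist instead of eval(). The table name "user", the PDO handle and the controller class names are assumptions; the MD5/substr step is kept only to mirror the page's scheme, not as a recommendation.

```php
<?php
// Added example, not from Zhcms. Table and column names follow the query in the
// write-up; the PDO handle and the Action class names are assumed.

// 1. Login lookup with bound parameters: a quote in $user is data, not SQL.
//    md5()/substr() only mirrors the page's scheme; use password_hash() in practice.
function findUserId(PDO $db, string $user, string $passwd): ?int {
    $hash = substr(md5($passwd), 5, 20);
    $stmt = $db->prepare("SELECT id FROM user WHERE user = :user AND passwd = :passwd");
    $stmt->execute([':user' => $user, ':passwd' => $hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int)$row['id'];
}

// 2. Dispatch through an explicit map instead of eval('... new ' . $_GET['m'] ...).
//    Anything not in the map falls back to the index action; nothing is evaluated.
const ACTIONS = [
    'index' => 'IndexAction',   // assumed class names
    'user'  => 'UserAction',
];

function resolveAction(?string $m): string {
    $key = strtolower($m ?? 'index');
    return ACTIONS[$key] ?? ACTIONS['index'];
}

// Demonstration against a constructed in-memory SQLite table.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE user (id INTEGER PRIMARY KEY, user TEXT, passwd TEXT)");
$ins = $db->prepare("INSERT INTO user (user, passwd) VALUES (:u, :p)");
$ins->execute([':u' => 'admin', ':p' => substr(md5('s3cret'), 5, 20)]);

var_dump(findUserId($db, 'admin', 's3cret'));        // valid credentials: the admin row
var_dump(findUserId($db, "admin' or '1'='1", 'x'));  // the page's payload: no match
echo resolveAction('index'), "\n";                   // mapped action
echo resolveAction('NotAClass'), "\n";               // unknown value falls back to index
```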