maccms all-versions SQL injection (including the latest 7.x) - vulnerability warning - The Black Bar Safety Net

2014-02-11T00:00:00
ID MYHACK58:62201442322
Type myhack58
Reporter BugSec
Modified 2014-02-11T00:00:00

Description

This time the test was run against the latest 7.7 version of maccms from the official website. Compared with the 6.x injection the code has been refactored somewhat, and the package now ships with the 360 protection script.

A legacy injection left over from earlier versions and never fixed still works across all versions; it sits in /user/index.php at line 615:

```php
function tg() // promotion function; a small gripe: before 6.x it was named in English ("popularize"), now it is pinyin
{
    global $db;
    $userid = be("get", "uid");
    $userid = chkSql($userid, true); // completely uncontrollable after this check
    if (!chkGlobalCache("tjlastdate")) { setGlobalCache("tjlastdate", date('Y-m-d'), 0); }
    if (isNum($userid)) {
        $ip = getIP(); // I assumed this was covered by the 360 filter script
        $ly = getReferer(); // I assumed this was covered by the 360 filter script too; see the trace further on
        $row = $db->getRow("select * from {pre}user where u_id=" . $userid . "");
        if ($row) { // don't misread this: you do not have to log in before injecting, any legitimate "promoter" id will do; 1 is guaranteed to work unless the whole site has no members
            $sql = "Select * From {pre}user_visit where uv_uid = " . $userid . " and uv_ip ='" . $ip . "' and STR_TO_DATE(uv_time,'%Y-%m-%d')='" . date("Y-m-d") . "'"; // not the point exploited here; controlling the referer is easier
            $row1 = $db->getRow($sql);
            if (!$row1) {
                $db->Add("{pre}user_visit", array("uv_uid", "uv_ip", "uv_ly", "uv_time"), array($userid, $ip, $ly, date("Y-m-d H:i:s")));
                // the ly variable goes into this query; be careful, a date value follows it, don't forget that when constructing the input
                // the code below is independent of it
                $db->query("update {pre}user set u_tj=u_tj+1,u_points=u_points+" . app_popularize . " where u_id=" . $userid);
                if (strpos("," . date('Y-m-d H:i:s', time()), getGlobalCache("tjlastdate")) <= 0) {
                    $sql = "delete from {pre}user_visit where STR_TO_DATE(uv_time,'%Y-%m-%d')<'" . date("Y-m-d") . "'";
                    $db->query($sql);
                    setGlobalCache("tjlastdate", date('Y-m-d'), 0);
                }
            }
            unset($row1);
        }
        unset($row);
    }
    redirect("../");
}
```
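As an added example (not maccms code), the same visit-tracking path rewritten with PDO prepared statements so that neither `uid` nor the Referer value ever becomes part of the SQL text; `$pdo`, the table prefix `$pre` and the `$popularizePoints` parameter are assumptions, and the daily clean-up branch is left out.

```php
<?php
// Added example, not maccms code: the tg() visit-tracking path rewritten with
// PDO prepared statements. $pdo, $pre and $popularizePoints are assumptions.
function safeTg(PDO $pdo, string $pre, int $popularizePoints): void
{
    // uid must be a positive integer; reject anything else instead of filtering it.
    $userid = filter_input(INPUT_GET, 'uid', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($userid === false || $userid === null) {
        header('Location: ../');
        return;
    }
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    // The Referer header is attacker-controlled like any other request input:
    // it is length-capped and bound as a parameter, never concatenated into SQL.
    $ly = substr($_SERVER['HTTP_REFERER'] ?? '', 0, 255);
    $today = date('Y-m-d');
    // $pre is the configured table prefix, not request input, so interpolating it is safe.
    $stmt = $pdo->prepare("SELECT u_id FROM {$pre}user WHERE u_id = :uid");
    $stmt->execute([':uid' => $userid]);
    if ($stmt->fetch(PDO::FETCH_ASSOC) === false) {
        header('Location: ../');
        return;
    }
    // Count each IP once per promoter per day, exactly as the original intends.
    $stmt = $pdo->prepare("SELECT 1 FROM {$pre}user_visit WHERE uv_uid = :uid"
        . " AND uv_ip = :ip AND STR_TO_DATE(uv_time, '%Y-%m-%d') = :today");
    $stmt->execute([':uid' => $userid, ':ip' => $ip, ':today' => $today]);
    if ($stmt->fetch(PDO::FETCH_ASSOC) === false) {
        $pdo->beginTransaction();
        $ins = $pdo->prepare("INSERT INTO {$pre}user_visit (uv_uid, uv_ip, uv_ly, uv_time)"
            . " VALUES (:uid, :ip, :ly, NOW())");
        $ins->execute([':uid' => $userid, ':ip' => $ip, ':ly' => $ly]);
        $upd = $pdo->prepare("UPDATE {$pre}user SET u_tj = u_tj + 1,"
            . " u_points = u_points + :pts WHERE u_id = :uid");
        $upd->bindValue(':pts', $popularizePoints, PDO::PARAM_INT);
        $upd->bindValue(':uid', $userid, PDO::PARAM_INT);
        $upd->execute();
        $pdo->commit();
    }
    header('Location: ../');
}
```

The Referer is still stored as data, so a site that later renders `uv_ly` in an admin page must also escape it on output.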
