CmsEasy latest version 5.5_UTF-8_20140802: bypassing the four patches, SQL injection continues - vulnerability warning - the Black Bar Safety Net

2014-11-04T00:00:00
ID MYHACK58:62201455450
Type myhack58
Reporter 佚名
Modified 2014-11-04T00:00:00

Description

CmsEasy latest version 5.5_UTF-8_20140802. Earlier, Rain God (雨神) bypassed the patches three times:

See: cmseasy bypasses the patch, SQL injection (one)

See: continuing to bypass the cmseasy patches, injection continues

See: bypassing two cmseasy patches in a row, injection continues

The latest version also includes a fix, but the fix is incomplete; this is the fourth patch.

Continuing to bypass it: SQL injection

Let's look at the file: archive_act.php

code area

/**
 * Payment-gateway callback entry point (archive_act.php, as quoted in this advisory).
 *
 * Includes the pay plugin named by the request, instantiates it, rebuilds $_GET
 * from the raw REQUEST_URI, and then delegates to the plugin's respond().
 *
 * Review notes on the listing as shown:
 *  - front::$get['code'] chooses both the file that is included and the class
 *    that is instantiated; no allowlist of known plugin names is applied here.
 *  - $_GET is replaced with a hand-parsed copy of the query string, which
 *    discards whatever handling front::$get applied earlier. The check inside
 *    the loop is a four-token blacklist, not validation of the expected fields.
 *  - The rebuilt $_GET is dumped to a log file (leftover debug output).
 */
function respond_action() {

// Include path is built from a request parameter.
// NOTE(review): the leading "the" and the space in '. php' look like
// transcription artifacts of `include_once ... '.php';`.
the include_once ROOT . '/lib/plugins/pay/' . front::$get['code'] . '. php';

// Class name also taken from the same request parameter, then instantiated.
$payclassname = front::$get['code'];

$payobj = new $payclassname();

// Re-parse the raw query string instead of using the framework's $_GET copy.
$uri = $_SERVER["REQUEST_URI"];

$__uriget = strstr($uri, '?');

// NOTE(review): the second argument renders as a lone `"` here; presumably
// '' (empty string) in the original source, lost in extraction.
$__uriget = str_replace('?', ", $__uriget);

$__uriget = explode('&', $__uriget);

$_GET = array();

foreach ($__uriget as $key => $val) {

$tmp = explode('=', $val);

// An element without '=' leaves $tmp[1] unset (undefined-offset notice).
$_GET[$tmp[0]] = $tmp[1];

// NOTE(review): $tmp1 is never assigned in this function. If this is a
// transcription of $tmp[1], only the value side of each pair is inspected;
// if it is literal, the pattern is matched against an unset variable. Either
// way this is a blacklist on the raw string rather than a check that the
// callback carries only the expected, well-formed parameters.
if(preg_match('/\'|select|union|"/i', $tmp1)){

exit('illegal parameters');

}

}

// Debug dump of every request parameter to a file at a relative path; if the
// working directory is under the document root this file is web-readable.
// Should not ship in production code.
file_put_contents('logs11.txt', var_export($_GET,true));

// Plugin decides whether the payment is accepted (see respond() below).
$status = $payobj->respond();

// Both branches redirect to the same order page; only the alert text differs.
// front::get('subject') is request data flowing into the redirect target —
// whether url() encodes it cannot be seen from this listing.
if ($status) {

echo '<script type="text/javascript">alert("' . lang('payment has been made, jump to the orders query') . '")</script>';

front::refresh(url('archive/orders/oid/' . front::get('subject'), true));

} else {

echo '<script type="text/javascript">alert("' . lang('jump to the orders query') . '")</script>';

front::refresh(url('archive/orders/oid/' . front::get('subject'), true));

}

}

Here it calls $status = $payobj->respond();

Going into the respond function:

In the file alipay.php:

code area

/**
 * Alipay notify handler (alipay.php, as quoted in this advisory).
 *
 * Copies POST fields into $_GET, derives an order number from the callback
 * fields, checks the amount via pay::check_money, and on a successful
 * trade_status marks the order paid via pay::changeorders.
 *
 * Review notes on the listing as shown:
 *  - Every value later read from $_GET may originate from the POST body; the
 *    only gate is a four-character blacklist (=, <, >, ').
 *  - No gateway signature / notify verification is visible in this listing,
 *    so nothing here proves the callback actually came from the gateway.
 *  - $order_sn is used as a record identifier without a type cast or format
 *    check before it is handed to changeorders (and from there to the DB layer).
 *
 * @return bool true when the order was marked paid, false otherwise
 */
function respond() {

// Mirror POST into GET after a blacklist check on each value.
if (! empty($_POST)) {

foreach($_POST as $key =>$data) {

// Rejects only =, <, > and the single quote; keys are not inspected.
if(preg_match('/(=|<|>|\')/', $data)){

return false;

}

$_GET[$key] = $data;

}

}

// NOTE(review): $payment is assigned but not used in the rest of this listing.
$payment = pay::get_payment($_GET['code']);

// NOTE(review): $seller_email is decoded but never compared against anything
// visible here.
$seller_email = rawurldecode($_GET['seller_email']);

// Order number = out_trade_no with the subject string stripped out.
// NOTE(review): the second argument renders as a lone `"` here; presumably
// '' (empty string) in the original source, lost in extraction.
$order_sn = str_replace($_GET['subject'],",$_GET['out_trade_no']);

$order_sn = trim($order_sn);

// Only check before the order is updated; what check_money validates beyond
// the amount cannot be seen from this listing.
if (! pay::check_money($order_sn,$_GET['total_fee'])) {

return false;

}

// Loose (==) string comparison; strict === would be the safer default.
if($_GET['trade_status'] == "WAIT_SELLER_SEND_GOODS"||$_GET['trade_status'] == "TRADE_FINISHED" || $_GET['trade_status'] == "TRADE_SUCCESS") {

// The whole (possibly POST-derived) $_GET array is passed as the order log.
pay::changeorders($order_sn,$_GET);

return true;

}else {

return false;

}

}

Here the $_POST content is taken in directly.

It filters only =, <, >, and '.

Then, when trade_status=WAIT_SELLER_SEND_GOODS, it enters pay::changeorders($order_sn,$_GET);

Following on into the changeorders function:

code area

/**
 * Marks an order as paid (status 4) by id.
 *
 * NOTE(review): this listing is truncated — the function's closing brace is
 * not shown on this page.
 *
 * @param mixed $id       order identifier; arrives here as the trimmed
 *                        $order_sn derived from callback fields, with no cast
 *                        or format check visible before it reaches rec_update
 * @param array $orderlog full callback parameter set; unused in this listing
 *                        (only referenced in a commented-out line)
 */
public static function changeorders($id,$orderlog) {

// Commented-out debug write; dead code that should be removed.
//file_put_contents('logs.txt', $id);

$where=array();

// $id is used directly as the lookup key.
$where['id']=$id;

$where['status']=4;

//$where['orderlog']=serialize($orderlog);

// Whether rec_update parameterises $where / $id cannot be seen from this
// listing; a cast or allowlist check on $id before this call is the
// defence that does not depend on the DB layer.
$update=orders::getInstance()->rec_update($where,$id);

if($update<1) {

exit('changing the order status an error occurred, please contact administrator');

}

Here $where['id'] = $id = $order_sn = str_replace($_GET['subject'], '', $_GET['out_trade_no']);

Finally, this reaches rec_update($where, $id).
