DamiCMS any control of voting number of votes-vulnerability warning-the black bar safety net

2015-04-11T00:00:00
ID MYHACK58:62201561057
Type myhack58
Reporter 佚名
Modified 2015-04-11T00:00:00

Description

DamiCMS any control of voting number of votes

Vote the key code is as follows.

foreach($_POST['vote'] as $v) { var_dump($v); $v = str_replace("\n","",$v); $s = explode("=",$v); var_dump($s); $data['vote'] = str_replace($v,$s[0]."=". (intval($s[1]) + 1),$data['vote']); } var_dump($data); if($vote->where('id='. intval($_POST['id']))->save($data)) Incoming data with the equal sign, dividing, similar to Option 1=3 will turn into an array(Option 1,3), If the only incoming Option A, will become the array(Option 1,null), intval(null)will become zero, and written to the database.

POC:

Start a 1-0 of 0 votes

Submit the following to such a request

You can see the number of votes turns 1 vote

If you want to increase the number of votes you can use the x-forwarded-for to brush ticket. Official Demo test

Solution:

Do not use str_replace this weird realization that...