
PHPCMS various injection vulnerability patches

爱喝马黛茶的安东尼
Release: 2019-11-21 10:24:52

1. Wide byte injection vulnerability

/phpcms/modules/pay/respond.php, at about line 16

Original code:

$payment = $this->get_by_code($_GET['code']);

is replaced with

$payment = $this->get_by_code(mysql_real_escape_string($_GET['code']));
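An added example (not from the original article or PHPCMS) showing why a byte-wise escaper such as addslashes() fails on a GBK connection, next to a validated, bound-parameter lookup; mysql_real_escape_string() itself was removed with the mysql extension in PHP 7.0. The function get_by_code_bound(), the payment table, the code format rule and the sample values are assumptions, and SQLite in memory stands in for the real database.

```php
<?php
// Added example: table, column and sample values are constructed.
// Needs the mbstring and pdo_sqlite extensions.

// 1) addslashes() escapes byte by byte and knows nothing about charsets.
$input   = "\xbf'";              // constructed: GBK lead byte + single quote
$escaped = addslashes($input);   // inserts a backslash (0x5C) before the quote
// Decoded as GBK (CP936), 0xBF 0x5C is ONE two-byte character, so the
// inserted backslash is consumed and the quote is left unescaped.
printf("%s -> %d chars, last is [%s]\n",
    bin2hex($escaped),
    mb_strlen($escaped, 'CP936'),
    mb_substr($escaped, -1, 1, 'CP936'));

// 2) Hardened lookup: validate the format, then bind the value so it is
//    never spliced into the SQL text at all.
function get_by_code_bound(PDO $db, string $code): ?array
{
    // Hypothetical rule: payment codes are short ASCII identifiers.
    if (!preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $code)) {
        return null;
    }
    $stmt = $db->prepare('SELECT pay_code, name FROM payment WHERE pay_code = ?');
    $stmt->execute([$code]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE payment (pay_code TEXT PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO payment VALUES ('alipay', 'Alipay')");

var_dump(get_by_code_bound($db, 'alipay'));  // well-formed code: looked up
var_dump(get_by_code_bound($db, $input));    // malformed code: never reaches SQL
```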

2. phpcms injection vulnerability

/phpcms/modules/poster/poster.php, at about line 221. After

if ($_GET['group']) {

add

$_GET['group'] = preg_replace('#`#', '', $_GET['group']);

3. phpcms front-end injection leading to an arbitrary file read vulnerability

/phpcms/modules/content/down.php

(1) Replace line 17

parse_str($a_k);

with

$a_k = safe_replace($a_k); parse_str($a_k);

(2) Line 89

parse_str($a_k);

Replace with

$a_k = safe_replace($a_k); parse_str($a_k);

(3) At line 120, after

$filename = date('Ymd_his').random(3).'.'.$ext;

add

$fileurl = str_replace(array('<','>'), '',$fileurl);
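parse_str() with a single argument writes every key of the string into the current scope as a variable; that form was deprecated in PHP 7.2 and removed in PHP 8.0. The added example below (not from the original article or PHPCMS) parses into an array and keeps only expected, validated keys; parse_download_params(), the key names, their formats and the sample strings are assumptions.

```php
<?php
// Added example: parse a decoded a_k-style query string without
// creating variables in the caller's scope.
// parse_download_params() and the key list are hypothetical.

function parse_download_params(string $a_k): ?array
{
    // Second argument: results go into $fields, not into local variables,
    // so a key such as "filename" cannot overwrite an existing variable.
    parse_str($a_k, $fields);

    // Allow-list of expected keys with a format rule for each.
    $rules = [
        'i' => '/\A\d{1,10}\z/',          // numeric content id
        'm' => '/\A\d{1,2}\z/',           // numeric mode flag
        'f' => '/\A[\w.\/-]{1,200}\z/',   // relative file path, no < > or quotes
        't' => '/\A\d{10}\z/',            // unix timestamp
    ];

    $clean = [];
    foreach ($rules as $key => $pattern) {
        // Reject missing keys and nested arrays such as f[]=...
        if (!isset($fields[$key]) || !is_string($fields[$key])) return null;
        if (!preg_match($pattern, $fields[$key])) return null;
        $clean[$key] = $fields[$key];
    }
    // Refuse absolute paths and parent-directory references.
    if ($clean['f'][0] === '/' || strpos($clean['f'], '..') !== false) {
        return null;
    }
    return $clean;   // keys outside the allow-list are dropped
}

// Constructed sample inputs: a valid string, one with an extra key,
// and one whose file path climbs out of the download directory.
var_dump(parse_download_params('i=12&m=1&f=uploadfile/2019/a.zip&t=1574300000'));
var_dump(parse_download_params('i=12&m=1&f=uploadfile/a.zip&t=1574300000&filename=x'));
var_dump(parse_download_params('i=12&m=1&f=../other/file.txt&t=1574300000'));
```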

4. phpcms injection vulnerability

/phpcms/modules/member/index.php, at about line 615

Original code:

$password = isset($_POST['password']) && trim($_POST['password']) ? trim($_POST['password']) : showmessage(L('password_empty'),HTTP_REFERER);

Replaced with:

$password = isset($_POST['password']) && trim($_POST['password']) ? addslashes(urldecode(trim($_POST['password']))) : showmessage(L('password_empty'), HTTP_REFERER);

5. PHPCMS V9.6.2 SQL injection vulnerability

(1) phpcms/libs/classes/param.class.php, at about line 109

Original code:

$value = isset($_COOKIE[$var]) ? sys_auth($_COOKIE[$var], 'DECODE') : $default;

is replaced with

$value = isset($_COOKIE[$var])?addslashes(sys_auth($_COOKIE[$var],'DECODE')):$default;

(2) /phpsso_server/phpcms/libs/classes/param.class.php, at about line 108

Original code:

return isset($_COOKIE[$var]) ? sys_auth($_COOKIE[$var], 'DECODE') : $default;

is replaced with

return isset($_COOKIE[$var]) ? addslashes(sys_auth($_COOKIE[$var],'DECODE')) : $default;

6. A logic flaw in phpcms leading to getshell

/phpcms/libs/classes/attachment.class.php, at line 143. After

function download($field, $value,$watermark = '0',$ext = 'gif|jpg|jpeg|bmp|png', $absurl = '', $basehref = ''){

add

$extArray = explode('|', $ext);
if (!empty($extArray) && is_array($extArray)) {
    foreach ($extArray as $k => $v) {
        // Check each entry in turn; if any one is not allowed, return 0 immediately
        if (!in_array(strtolower($v), array('gif','jpg','jpeg','bmp','png'))) exit('0');
    }
}

This adds a check: if every allowed file format is one of 'gif', 'jpg', 'jpeg', 'bmp', 'png', execution continues; otherwise it exits. The list of formats can of course be extended as needed.

7. phpcms injection vulnerability

/api/phpsso.php, at about line 128

Original code:

$arr['uid'] = intval($arr['uid']);
$phpssouid = $arr['uid'];

is replaced with the following, which combines the two lines into one:

$phpssouid = intval($arr['uid']);

8. phpcms authkey generation algorithm problem leads to authkey leakage

Use the following function to regenerate the key values, then replace the two parameters in caches/configs/system.php with the new values.

<?php
    function random($length, $chars = '0123456789') {
        $hash = '';
        $max = strlen($chars) - 1;
        for($i = 0; $i < $length; $i++) {
            $hash .= $chars[mt_rand(0, $max)];
        }
        return $hash;
    }

    echo random(20, 'authkey').'<br/>';
    echo random(32, 'phpssoauthkey');exit;
?>
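The function above picks each character with mt_rand(), which is not a cryptographically secure generator, and its second argument is the character set, so the two keys are built only from the letters of 'authkey' and 'phpssoauthkey'. An added alternative (not from the original article or PHPCMS) that keeps the same two lengths but draws from the operating system's CSPRNG; generate_key() and the output labels are assumptions.

```php
<?php
// Added example: generate replacement key values from the OS CSPRNG.
// Requires PHP 7.0+ for random_int(); generate_key() is a hypothetical helper.

function generate_key(int $length): string
{
    if ($length < 16) {
        throw new InvalidArgumentException('key too short');
    }
    // 62-symbol alphabet: each position carries about 5.95 bits.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $max = strlen($alphabet) - 1;
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is uniform over [0, $max] and throws if no secure
        // randomness source is available, instead of silently degrading.
        $key .= $alphabet[random_int(0, $max)];
    }
    return $key;
}

// Same lengths as the article: 20 characters and 32 characters.
// Run from the CLI so the values are not rendered into a web page.
if (PHP_SAPI === 'cli') {
    echo 'first key (20 chars):  ', generate_key(20), PHP_EOL;
    echo 'second key (32 chars): ', generate_key(32), PHP_EOL;
}
```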

Source: aliyun.com