
Collection of phpcms security vulnerabilities

coldplay.xixi
Release: 2020-12-04 16:53:18

This phpcms tutorial introduces common phpcms security vulnerabilities and the patches for them.

1. Wide byte injection vulnerability

/phpcms/modules/pay/respond.php, at about line 16.

The original code

$payment = $this->get_by_code($_GET['code']);

is replaced with

$payment = $this->get_by_code(mysql_real_escape_string($_GET['code']));

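The following is an added example, not code from the article or from phpcms. It shows why the patch reaches for a charset-aware escaping function rather than addslashes(): under a multi-byte connection charset such as GBK, the backslash that addslashes() inserts can be absorbed into a two-byte character, leaving the quote bare. The check uses a constructed two-byte input and PHP's mbstring extension; the table and column names in the parameterised lookup are assumptions. Note that mysql_real_escape_string() belongs to the mysql extension removed in PHP 7, so on current PHP the equivalent is mysqli_real_escape_string() after mysqli_set_charset(), or better, a prepared statement with the charset declared on the connection as shown here.

```php
<?php
// Added example (not phpcms code): why addslashes()-style escaping is not
// enough under a multi-byte connection charset, and the safe pattern.

// Constructed input: a GBK lead byte followed by a single quote. This is not
// a real payment code; it exists only to exercise the check.
function gbk_escape_check(string $raw): array
{
    $escaped = addslashes($raw);                // inserts 0x5C before 0x27
    // Under GBK, 0xBF 0x5C is one two-byte character, so the backslash is
    // consumed by the preceding byte and the quote is the final character.
    $last = mb_substr($escaped, -1, 1, 'GBK');
    return [
        'escaped_hex'      => bin2hex($escaped),
        'quote_still_bare' => ($last === "'"),
    ];
}

// Safe lookup: the charset is declared on the connection (see the DSN below)
// and the code value never becomes part of the SQL text. Table and column
// names are assumptions for this example.
function get_payment_by_code(PDO $pdo, string $code): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM pay_payment WHERE code = :code LIMIT 1');
    $stmt->execute([':code' => $code]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$result = gbk_escape_check("\xbf\x27");
var_dump($result);   // quote_still_bare is true: addslashes() alone is not enough

// Connection example (needs a MySQL server; DSN values are placeholders):
// $pdo = new PDO('mysql:host=127.0.0.1;dbname=phpcms;charset=utf8mb4', 'user', 'pass',
//     [PDO::ATTR_EMULATE_PREPARES => false]);
// $payment = get_payment_by_code($pdo, $_GET['code'] ?? '');
```

The first function is the check to run against any escaping routine: if the last character under the connection's charset is still a quote, the escaping does not match the charset. The second function is the form that does not depend on escaping at all.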
2. phpcms injection vulnerability

/phpcms/modules/poster/poster.php, at about line 221. After the line

if ($_GET['group']) {

add

$_GET['group'] = preg_replace('#`#', '', $_GET['group']);

3. phpcms front-end injection leading to an arbitrary file read vulnerability

/phpcms/modules/content/down.php

(1) At about line 17, replace

parse_str($a_k);

with

$a_k = safe_replace($a_k); parse_str($a_k);

(2) At about line 89, replace

parse_str($a_k);

with

$a_k = safe_replace($a_k); parse_str($a_k);

[The above two problems have been fixed in version 6.3]
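As an added example (not the article's or phpcms's own down.php), this is the stand-alone form of the two parse_str() patches above. phpcms's safe_replace() is not available outside the framework, so a small local equivalent is used; its character list, and the set of expected argument keys, are assumptions made for this example.

```php
<?php
// Added example (not phpcms code): handling the packed argument string $a_k
// without letting it define variables in the handler's scope.

// Local stand-in for phpcms's safe_replace(); the character list is an
// assumption. Characters that have no place in a key=value argument string
// but are routinely used to break out of a SQL or HTML context are dropped.
function local_safe_replace(string $s): string
{
    return str_replace(["'", '"', '<', '>', '\\', '`', "\0"], '', $s);
}

// parse_str() with a single argument (PHP < 8) registers every key of the
// string as a local variable, so anything the handler uses afterwards could
// be set from the request. Parsing into an array and copying only the keys
// the handler expects closes that path.
function parse_download_args(string $a_k): array
{
    parse_str(local_safe_replace($a_k), $args);

    $expected = ['aid', 'i', 'm', 'f', 'filename'];   // assumption for the example
    $out = [];
    foreach ($expected as $key) {
        if (isset($args[$key]) && is_string($args[$key])) {
            $out[$key] = $args[$key];
        }
    }
    return $out;
}

// Constructed argument string: two expected keys, a quote, brackets and one
// unexpected key that must not survive.
$args = parse_download_args("aid=12&filename=report's<b>.txt&arbitrary=1");
print_r($args);
```

The unexpected key never reaches the handler, and the quote and angle brackets are gone from the filename before it is used.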

(3) At about line 120, after

$filename = date('Ymd_his').random(3).'.'.$ext;

add

$fileurl = str_replace(array('<','>'), '',$fileurl);

4. phpcms injection vulnerability

/phpcms/modules/member/index.php, at about line 615.

Original code:

$password = isset($_POST['password']) && trim($_POST['password']) ? trim($_POST['password']) : showmessage(L('password_empty'),HTTP_REFERER);

is replaced by:

$password = isset($_POST['password']) && trim($_POST['password']) ? addslashes(urldecode(trim($_POST['password']))) : showmessage(L('password_empty'), HTTP_REFERER);

5. PHPCMS V9.6.2 SQL injection vulnerability

(1) phpcms/libs/classes/param.class.php, at about line 109.

Original code

$value = isset($_COOKIE[$var]) ? sys_auth($_COOKIE[$var], 'DECODE') : $default;

is replaced with

$value = isset($_COOKIE[$var]) ? addslashes(sys_auth($_COOKIE[$var], 'DECODE')) : $default;

(2) /phpsso_server/phpcms/libs/classes/param.class.php, at about line 108.

Original code

return isset($_COOKIE[$var]) ? sys_auth($_COOKIE[$var], 'DECODE') : $default;

is replaced with

return isset($_COOKIE[$var]) ? addslashes(sys_auth($_COOKIE[$var], 'DECODE')) : $default;

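Items 4 and 5 share one point: in both patches addslashes() is applied after the decoding step (urldecode() in item 4, sys_auth(..., 'DECODE') in item 5), because escaping done before a decode is undone by it. The following added example, which is not code from the article or from phpcms, shows the ordering on constructed values. sys_auth() is not available stand-alone, so a plain base64 round-trip stands in for "a value that comes back from a decoder unescaped"; that stand-in, and the table and column names in the final query, are assumptions.

```php
<?php
// Added example (not phpcms code): why both patches escape *after* decoding.

function escape_then_decode(string $raw): string
{
    return urldecode(addslashes($raw));   // wrong order: addslashes() sees no quote
}

function decode_then_escape(string $raw): string
{
    return addslashes(urldecode($raw));   // patch order: the quote is escaped
}

// Stand-in for sys_auth($cookie, 'DECODE') (assumption for this example):
// the real function decrypts; the property that matters here is only that
// its output is unescaped plain text.
function cookie_decode(string $encoded): string
{
    $plain = base64_decode($encoded, true);
    return $plain === false ? '' : $plain;
}

// Constructed request values containing an ordinary single quote.
$password = 'O%27Brien';                 // URL-encoded form of O'Brien
$cookie   = base64_encode("O'Brien");

printf("escape then decode: %s\n", escape_then_decode($password));
printf("decode then escape: %s\n", decode_then_escape($password));
printf("cookie, decode then escape: %s\n", addslashes(cookie_decode($cookie)));

// A parameterised query removes the ordering trap entirely: the decoded
// value is bound, never spliced into SQL. Names are assumptions.
function find_member(PDO $pdo, string $username, string $passwordHash): ?array
{
    $stmt = $pdo->prepare('SELECT userid FROM member WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $username, ':p' => $passwordHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

The first printf shows the quote arriving unescaped, the second shows it escaped; the rule to check in any such patch is that escaping is the last transformation before the value reaches SQL.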
6. A logic flaw in phpcms leads to getshell

/phpcms/libs/classes/attachment.class.php, at about line 143, after

function download($field, $value,$watermark = '0',$ext = 'gif|jpg|jpeg|bmp|png', $absurl = '', $basehref = ''){

add

// Add a check on the extension type here
if($ext !== 'gif|jpg|jpeg|bmp|png'){
    if(!in_array(strtoupper($ext),array('JPG','GIF','BMP','PNG','JPEG'))) exit('附加扩展名必须为gif、jpg、jpeg、bmp、png');
}

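The patch above compares the whole $ext string against the allowlist, which rejects any value that is not exactly one permitted extension. As an added example (not the article's or phpcms's code), the check below generalises that to a pipe-separated list like the default 'gif|jpg|jpeg|bmp|png', validating every alternative individually; the allowlist and the exception type are choices made for this example.

```php
<?php
// Added example (not phpcms code): allowlist check for the $ext parameter
// of download(), applied to every alternative in a "gif|jpg" style list.

const IMAGE_EXTENSIONS = ['gif', 'jpg', 'jpeg', 'bmp', 'png'];

// True only if every extension in $ext is in the allowlist. The comparison is
// case-insensitive; an empty list or an empty entry is rejected.
function extension_list_allowed(string $ext, array $allowlist = IMAGE_EXTENSIONS): bool
{
    if ($ext === '') {
        return false;
    }
    foreach (explode('|', $ext) as $candidate) {
        $candidate = strtolower(trim($candidate));
        if ($candidate === '' || !in_array($candidate, $allowlist, true)) {
            return false;
        }
    }
    return true;
}

// Guard to call at the top of download(): stop on anything outside the list
// instead of continuing with a caller-supplied extension.
function require_image_extension(string $ext): void
{
    if (!extension_list_allowed($ext)) {
        throw new InvalidArgumentException(
            'attachment extension must be one of: ' . implode(', ', IMAGE_EXTENSIONS)
        );
    }
}

// Constructed inputs: the default list, a single upper-case entry, a list
// smuggling an executable extension, a bare executable extension, and empty.
foreach (['gif|jpg|jpeg|bmp|png', 'PNG', 'jpg|php', 'php', ''] as $ext) {
    printf("%-22s %s\n", var_export($ext, true),
        extension_list_allowed($ext) ? 'allowed' : 'rejected');
}
```

Only the first two inputs pass. Checking each alternative matters because the extension list, not a single extension, is what the function later matches filenames against.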
7. phpcms injection vulnerability

/api/phpsso.php, at about line 128.

Original code

$arr['uid'] = intval($arr['uid']);
$phpssouid = $arr['uid'];

is replaced with the two lines merged into one:

$phpssouid = intval($arr['uid']);

8. phpcms authkey generation algorithm problem leads to authkey leakage

1. In /caches/configs/system.php, add the following as the first parameter:

'alivulfix' => 'yes',

(The article shows a screenshot of the modified configuration here.)

2. Find auth_key and change it to a 20-character string of your own choosing.

'auth_key' => '2qKYgs0PgHWWtaFVb3KP', // key

3. Find phpsso_auth_key and change it to a 32-character string of your own choosing.

'phpsso_auth_key' => 'hjor66pewop_3qooeamtbiprooteqein', // encryption key

Note: up to this step the procedure is the same as Alibaba Cloud's Cloud Knight one-click repair, but at this point site users cannot log in yet. The most important step remains.

4. Log in to the phpsso management center in the back end. In the navigation menu, go to phpsso -> Application Management -> Edit, set the "communication key" to the value of 'phpsso_auth_key' chosen in step 3, and click Submit.

(The article shows screenshots of the key steps here.) After submission, the page reports that communication succeeded.


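Steps 2 and 3 ask for a 20-character and a 32-character key "of your own choosing"; a practitioner would generate them from a cryptographically secure source rather than typing them. The following added example, which is not code from the article or from phpcms, does that and prints the three configuration entries from steps 1 to 3 in the array syntax of /caches/configs/system.php. The alphanumeric alphabet is a choice made for this example.

```php
<?php
// Added example (not phpcms code): generate auth_key (20 chars) and
// phpsso_auth_key (32 chars) with a CSPRNG and render the config lines.

// Random string over a fixed alphanumeric alphabet. random_int() is
// cryptographically secure and unbiased over the alphabet length.
function generate_key(int $length): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $max = strlen($alphabet) - 1;
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, $max)];
    }
    return $key;
}

// The three entries from steps 1 to 3, as lines for system.php.
function render_config_lines(): string
{
    $authKey = generate_key(20);   // auth_key: 20 characters
    $ssoKey  = generate_key(32);   // phpsso_auth_key: 32 characters
    return "'alivulfix' => 'yes',\n"
         . "'auth_key' => '" . $authKey . "',\n"
         . "'phpsso_auth_key' => '" . $ssoKey . "',\n";
}

echo render_config_lines();
// The phpsso_auth_key value printed above is the one to enter as the
// "communication key" under phpsso -> Application Management -> Edit in step 4.
```

Run it once, paste the three lines into system.php, and complete step 4 with the printed phpsso_auth_key so that the site and phpsso_server agree on the key.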

Source: csdn.net