2013 年 2 月 4 日 by lanu
文章题目:[漏洞分析]PHPCMS v9 SQL注入
作 者:L.N. && n3w1yb1r7h
时 间:2013-02-03
声 明:此漏洞非本人首发,在此只作代码分析。
漏洞分析:
漏洞文件:/phpcms/modules/member/index.php
[php]
public function account_manage_info() {
if(isset($_POST['dosubmit'])) {
//更新用户昵称
$nickname = isset($_POST['nickname']) && trim($_POST['nickname']) ? trim($_POST['nickname']) : '';
if($nickname) {
$this->db->update(array('nickname'=>$nickname), array('userid'=>$this->memberinfo['userid']));
if(!isset($cookietime)) {
$get_cookietime = param::get_cookie('cookietime');
}
$_cookietime = $cookietime ? intval($cookietime) : ($get_cookietime ? $get_cookietime : 0);
$cookietime = $_cookietime ? TIME + $_cookietime : 0;
param::set_cookie('_nickname', $nickname, $cookietime);
}
require_once CACHE_MODEL_PATH.'member_input.class.php';
require_once CACHE_MODEL_PATH.'member_update.class.php';
$member_input = new member_input($this->memberinfo['modelid']);
$modelinfo = $member_input->get($_POST['info']);//数据传入get函数,进入下面的漏洞文件。
$this->db->set_model($this->memberinfo['modelid']);
$membermodelinfo = $this->db->get_one(array('userid'=>$this->memberinfo['userid']));
if(!empty($membermodelinfo)) {
$this->db->update($modelinfo, array('userid'=>$this->memberinfo['userid'])); //进入sql语句形成注入
} else {
$modelinfo['userid'] = $this->memberinfo['userid'];
$this->db->insert($modelinfo);
}[/php]
漏洞文件:/phpcms/modules/member/fields/member_input.class.php
[php]
function get($data) {
$this->data = $data = trim_script($data);//过滤数据,此处过滤的是