<>YXcms(MVC)
YXcms 1.4.7
<> Getting familiar with the MVC framework
Routing mode
Routing is driven by the `r` request parameter, which points at the controller file and action to run.
Parameter passing
Request parameters are read with `in($_GET[...])`:

```php
......
public function test() {
    $param = in($_GET['a']);
    var_dump($param);
}
......
```

Every value taken from `$_GET` goes through the `in()` filter.
The in() function

```php
// Data filtering function library
/*
 * Purpose: filters a string or an array of strings to prevent malicious
 * markup (XSS) and SQL injection.
 * $data:  the string, or array of strings, to filter.
 * $force: when true, get_magic_quotes_gpc() is ignored and addslashes()
 *         is always applied.
 */
function in($data, $force = false) {
    if (is_string($data)) {
        $data = trim(htmlspecialchars($data)); // prevent malicious markup / cross-site scripting
        if (($force == true) || (!get_magic_quotes_gpc())) {
            $data = addslashes($data); // prevent SQL injection
        }
        return $data;
    } else if (is_array($data)) {
        foreach ($data as $key => $value) {
            $data[$key] = in($value, $force); // values are filtered, keys are not
        }
        return $data;
    } else {
        return $data;
    }
}
```

Two things stand out: `addslashes()` only helps inside quoted string literals, so `in()` does nothing against injection into an unquoted integer context, and when an array is passed only the values are filtered, never the keys.
<> Insert, delete, update and select

Select

```php
# default/indexController.php
<?php
class indexController extends commonController {
    public function test() {
        $id = in($_GET['id']);
        $result = model('user')->find("id={$id}");
        var_dump($result);
    }
    // ......
```

Insert

```php
public function test() {
    $data = ['username' => 'ocean2', 'password' => 'ocean2'];
    $result = model('user')->insert($data);
    var_dump($result);
}
```

Update

```php
public function test() {
    $id = in($_GET['id']);
    $data = ['username' => 'nc000eee', 'password' => 'nce000ee'];
    $result = model('user')->update("id={$id}", $data);
    var_dump($result);
}
```

Delete

```php
public function test() {
    $id = in($_GET['id']);
    $result = model('user')->delete("id={$id}");
    var_dump($result);
}
```

In the select, update and delete cases `$id` is interpolated unquoted into the condition string, which is exactly the integer context that `in()` cannot protect.
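The two gaps noted above, `in()` ignoring unquoted integer contexts and leaving array keys unfiltered, can be closed at the call site. The following is an added example, not YXcms code: `in_hardened()` and `intCondition()` are hypothetical names, `model()` is the framework helper shown above, and PHP 7.1 or later is assumed.

```php
<?php
// Added example (not YXcms code): a hardened replacement for in() that also
// escapes array keys, plus an integer guard for conditions such as "id={$id}",
// where addslashes() cannot help because the value is never quoted.
// Assumes PHP 7.1+; in_hardened() and intCondition() are hypothetical names.

function in_hardened($data, bool $force = false)
{
    if (is_string($data)) {
        $data = trim(htmlspecialchars($data, ENT_QUOTES, 'UTF-8'));
        // Same escaping as in(), applied unconditionally because
        // get_magic_quotes_gpc() no longer exists in PHP 8.
        return addslashes($data);
    }
    if (is_array($data)) {
        $clean = [];
        foreach ($data as $key => $value) {
            // in() leaves keys untouched even though model()->insert()
            // turns them into column names; escape string keys as well.
            $safeKey = is_string($key) ? in_hardened($key, $force) : $key;
            $clean[$safeKey] = in_hardened($value, $force);
        }
        return $clean;
    }
    return $data;
}

// Builds "column=123" only when $value is a genuine integer; anything else
// (in() passes non-numeric text through unchanged) is rejected, including
// arrays, which filter_var() refuses without FILTER_REQUIRE_ARRAY.
function intCondition(string $column, $value): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $column)) {
        throw new InvalidArgumentException('invalid column name');
    }
    $id = filter_var($value, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException("$column must be an integer");
    }
    return $column . '=' . $id;
}

// Controller usage (hypothetical): the condition can no longer carry
// anything but a single integer.
// $result = model('user')->find(intCondition('id', $_GET['id'] ?? ''));
```

The same guard applies to the update and delete actions, which build their condition from `$_GET['id']` in the same way.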
<> Vulnerabilities
Numeric (integer) injection
Insert injection
Arbitrary file deletion in the admin backend
<> Arbitrary file write
XSS
There is an XSS problem in the front end: the input is filtered when it is saved, but the review page in the admin backend restores the original content.