Shulou (Shulou.com), 06/02 report. Updated 2025-01-19.
This article introduces common phpcms security vulnerabilities and the code changes that patch them, as a reference for anyone maintaining a phpcms site.
1. Wide byte injection vulnerability
/phpcms/modules/pay/respond.php, at about line 16
Original code:
$payment = $this->get_by_code($_GET['code']);
Replace with:
$payment = $this->get_by_code(mysql_real_escape_string($_GET['code']));
2. phpcms injection vulnerability
/phpcms/modules/poster/poster.php, at about line 221
Find the line:
if ($_GET['group']) {
After that line, add:
$_GET['group'] = preg_replace('#`#', '', $_GET['group']);
3. Patch for the arbitrary file read vulnerability caused by phpcms foreground injection
/phpcms/modules/content/down.php
(1) At about line 17:
parse_str($aqk);
Replace with:
$aqik = safe_replace($aqk); parse_str($aqik);
(2) At about line 89:
parse_str($aqk);
Replace with:
$aqik = safe_replace($aqk); parse_str($aqik);
[version 6.3 has fixed the above two problems]
(3) At about line 120:
$filename = date('Ymd_his').random(3).'.'.$ext;
After that line, add:
$fileurl = str_replace(array('<', '>'), '', $fileurl);
4. phpcms injection vulnerability
/phpcms/modules/member/index.php, at about line 615
Original code:
$password = isset($_POST['password']) && trim($_POST['password']) ? trim($_POST['password']) : showmessage(L('password_empty'), HTTP_REFERER);
Replace with:
$password = isset($_POST['password']) && trim($_POST['password']) ? addslashes(urldecode(trim($_POST['password']))) : showmessage(L('password_empty'), HTTP_REFERER);
5. PHPCMS V9.6.2 SQL injection vulnerability
(1) phpcms/libs/classes/param.class.php, at about line 109
Original code:
$value = isset($_COOKIE[$var]) ? sys_auth($_COOKIE[$var], 'DECODE') : $default;
Replace with:
$value = isset($_COOKIE[$var]) ? addslashes(sys_auth($_COOKIE[$var], 'DECODE')) : $default;
(2) /phpsso_server/phpcms/libs/classes/param.class.php, at about line 108
Original code:
return isset($_COOKIE[$var]) ? sys_auth($_COOKIE[$var], 'DECODE') : $default;
Replace with:
return isset($_COOKIE[$var]) ? addslashes(sys_auth($_COOKIE[$var], 'DECODE')) : $default;
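Why items 4 and 5 place addslashes() outside the decode call, shown as an added example that is not phpcms code: demo_decode() is a hypothetical stand-in for sys_auth(..., 'DECODE') (base64 is used only as a reversible transform) and the cookie value is constructed. Escaping applied to the encoded form never sees a quote that only exists after decoding.

```php
<?php
// Added illustration, not phpcms code. demo_decode() is a hypothetical
// stand-in for sys_auth($cookie, 'DECODE'): any reversible transform
// hides quote characters from escaping that runs before the decode.
function demo_decode(string $encoded): string
{
    $plain = base64_decode($encoded, true);
    return $plain === false ? '' : $plain;
}

// Unpatched order: the raw request value is escaped, then decoded later.
function read_cookie_unpatched(string $raw): string
{
    return demo_decode(addslashes($raw));
}

// Patched order from item 5: decode first, then escape the decoded value.
function read_cookie_patched(string $raw): string
{
    return addslashes(demo_decode($raw));
}

// True if the string contains a single quote with no backslash before it.
function has_bare_quote(string $s): bool
{
    return preg_match("/(?<!\\\\)'/", $s) === 1;
}

// Constructed sample: the encoded form holds no quote, the decoded form does.
$cookie = base64_encode("o'brien");

$report = [
    'encoded cookie'          => $cookie,
    'escape, then decode'     => read_cookie_unpatched($cookie),
    'decode, then escape'     => read_cookie_patched($cookie),
];
foreach ($report as $label => $value) {
    printf("%-22s bare quote: %s\n", $label, var_export(has_bare_quote($value), true));
}
```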
6. A logic flaw in phpcms leads to getshell
/phpcms/libs/classes/attachment.class.php, at about line 143
Find the line:
function download($field, $value, $watermark = '0', $ext = 'gif|jpg|jpeg|bmp|png', $absurl = '', $basehref = '') {
After that line, add:
// add
if ($ext !== 'gif|jpg|jpeg|bmp|png') {
    if (!in_array(strtoupper($ext), array('JPG','GIF','BMP','PNG','JPEG'))) exit('additional extension must be gif, jpg, jpeg, bmp, png');
}
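A stricter variant of the item 6 check, as an added example rather than phpcms code: ext_list_is_allowed() is a hypothetical helper and the sample values are constructed. It goes one step beyond the patch above by validating every entry of a pipe-separated $ext value against the same five extensions, so a subset such as 'jpg|png' is accepted while any list containing another extension is rejected.

```php
<?php
// Added illustration, not phpcms code; ext_list_is_allowed() is a hypothetical helper.
const ALLOWED_IMAGE_EXTS = ['gif', 'jpg', 'jpeg', 'bmp', 'png'];

function ext_list_is_allowed(string $ext): bool
{
    if ($ext === '') {
        return false;
    }
    foreach (explode('|', $ext) as $entry) {
        // Strict comparison after lower-casing. Entries are not trimmed, so
        // values with padding, empty entries or extra characters never match.
        if (!in_array(strtolower($entry), ALLOWED_IMAGE_EXTS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample values for the $ext argument of download().
$samples = [
    'gif|jpg|jpeg|bmp|png', // the default list
    'JPG',                  // single extension, upper case
    'jpg|png',              // subset of the default list
    'jpg|php',              // one entry outside the list
    'gif|',                 // trailing separator leaves an empty entry
    'png|phtml',
    '',
];

foreach ($samples as $ext) {
    printf(
        "%-24s %s\n",
        var_export($ext, true),
        ext_list_is_allowed($ext) ? 'accept' : 'reject'
    );
}
```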
7. phpcms injection vulnerability
/api/phpsso.php, at about line 128
Original code:
$arr['uid'] = intval($arr['uid']); $phpssouid = $arr['uid'];
Replace with the two statements combined into one:
$phpssouid = intval($arr['uid']);
8. Problems with the phpcms authkey generation algorithm lead to authkey leakage
1. In /caches/configs/system.php, add as the first parameter:
'alivulfix' => 'yes',
2. Find auth_key and change it to a 20-character string of your own choosing.
'auth_key' => '2qKYgs0PgHWWtaFVb3KP', // key
3. Find phpsso_auth_key and change it to a 32-character string of your own choosing.
'phpsso_auth_key' => 'hjor66pewop_3qooeamtbiprooteqein', // encryption key
Note: at this point the result is the same as the one-click repair in Ali Cloud's Cloud Knight.
However, none of the site's users can log in for the time being, which makes the next step the most important one.
4. Log in to the phpsso Management Center in the admin back end. In the navigation menu, go to phpsso -> Application Management -> Edit, set "Communication key" to the 'phpsso_auth_key' value from step 3, and then click Submit.
After submission, the page shows that the communication is successful.
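One way to produce the two values for steps 2 and 3, as an added example rather than phpcms code: random_key() and key_is_acceptable() are hypothetical helpers, and random_int() requires PHP 7 or later. The sample keys printed in this article are public, so the check refuses them.

```php
<?php
// Added illustration, not phpcms code; both helpers are hypothetical.
// random_int() draws from the operating system's CSPRNG.
function random_key(int $length): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $max = strlen($alphabet) - 1;
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, $max)];
    }
    return $key;
}

// Sample values shown in steps 2 and 3 of this article.
const PUBLISHED_KEYS = ['2qKYgs0PgHWWtaFVb3KP', 'hjor66pewop_3qooeamtbiprooteqein'];

// Accept a key only if it has the required length, is not one of the
// published samples, and is not built from a handful of repeated characters.
function key_is_acceptable(string $key, int $length): bool
{
    return strlen($key) === $length
        && !in_array($key, PUBLISHED_KEYS, true)
        && count(array_unique(str_split($key))) >= 10;
}

function fresh_key(int $length): string
{
    do {
        $key = random_key($length);
    } while (!key_is_acceptable($key, $length));
    return $key;
}

// Lines ready to paste into /caches/configs/system.php.
printf("'auth_key' => '%s',\n", fresh_key(20));
printf("'phpsso_auth_key' => '%s',\n", fresh_key(32));
```

The generated phpsso_auth_key is the value to enter as the "Communication key" in step 4.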